Oct 8, 2019

Following recent identification of cyber vulnerabilities in third-party software utilized by some medical devices for network communications, the US Food and Drug Administration has issued several recommendations to manufacturers, healthcare providers and patients to manage and mitigate risks stemming from these vulnerabilities.

The “URGENT/11” set of 11 vulnerabilities pertains to IPnet, a third-party communications software component found in a variety of medical device types, and could enable outside parties to commandeer devices and alter their functions or disable them, according to a safety communication from FDA.

Operating systems potentially impacted by URGENT/11

FDA lists several operating systems incorporating IPnet software in at least some versions, including Wind River’s VxWorks, ENEA’s Operating System Embedded (OSE), ThreadX by Microsoft and INTEGRITY by Green Hills.

FDA notes that some device manufacturers have already identified products affected by these vulnerabilities, and that devices impacted so far include an infusion pump, an imaging system and an anesthesia device; the agency expects more devices to be affected by URGENT/11 vulnerabilities.

FDA cybersecurity risk mitigation recommendations

For manufacturers whose devices have or may have been affected, FDA recommends risk mitigation steps such as:

  • Running a risk assessment based on FDA cybersecurity post-market guidance;
  • Coordinating with operating system vendors to determine whether patches are available and adequate to mitigate URGENT/11 cyber risks;
  • Preparing updates to devices that will incorporate operating systems unaffected by URGENT/11 vulnerabilities;
  • Coordinating efforts with healthcare facilities to identify any affected devices or systems in use and implement appropriate risk mitigation measures.

Any devices identified as vulnerable to URGENT/11-related threats should be reported to the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.

Emergo by UL will provide further reporting on URGENT/11 and related connected medical device cybersecurity issues as more information becomes available.
