The Food and Drug Administration has released additional information on certain cybersecurity vulnerabilities that threaten hospital network systems and medical devices. Cyber actors may remotely take advantage of URGENT/11 vulnerabilities to disrupt services, leak information and alter devices, FDA said Tuesday.
Department of Homeland Security originally announced these vulnerabilities in July 2019, and has since not received reports on associated cases. FDA’s new information includes input on the vulnerabilities’ sources and recommendations for risk reduction.
IPnet, a third-party communications software, contains URGENT/11 vulnerabilities. Some medical devices may still contain the IPnet due to some manufacturers that still hold license for the software. FDA is also aware of the vulnerabilities’ presence in VxWorks, Operating System Embedded, INTEGRITY, ThreadX, ITRON and ZebOS operating systems.
The agency recommends manufacturers to coordinate with medical care providers to form mitigation plans against URGENT/11 vulnerabilities.