URGENT/11: Medical Products Are Vulnerable to Cybersecurity Threats
Healthcare organizations, IT professionals, device manufacturers and patients are being warned of cybersecurity vulnerabilities. The U.S. Food and Drug Administration issued a safety communication alert on October 1 explaining the serious safety and security risks due to URGENT/11 and a third-party software system called IPnet.
“Security researchers, manufacturers and the FDA are aware that the following operating systems are affected, but the vulnerability may not be included in all versions of these operating systems,” said FDA officials in a released statement which included a warning involving six different operating systems.
- VxWorks (by Wind River)
- Operating System Embedded (OSE) (by ENEA)
- INTEGRITY (by Green Hills)
- ThreadX (by Microsoft)
- ITRON (by TRON)
- ZebOS (by IP Infusion)
“These cybersecurity vulnerabilities may allow a remote user to take control of a medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent a device from functioning properly or at all,” said FDA officials.
Five Ways Providers Can Protect Patient Care Technology and Medical Devices
Providers must have cybersecurity systems and response plans in place, including access to electronic medical records as required by HIPAA and an incident program to prepare for these disastrous events. Because vulnerabilities in medical devices, routers, and other technology could injure patients when life-critical operations malfunction, systems can also minimize exposure to exploitation by:
- Monitoring network traffic.
- Having firewalls in place.
- Investing in virtual private networks and having staffing in place to run mitigation and patches.
- Contacting medical device manufacturers to determine which devices may be in use in their facilities – or by their patients.
- Informing patients with medical devices of their risk, and reminding them to seek help right away if the functionality of their device has changed unexpectedly.
Medical devices connected to a communications network, such as Wi-Fi and the Internet, as well as other connected equipment such as routers, phones and other critical infrastructure equipment, may also be attacked.
Previous devices and systems at risk have included:
- drug infusion pumps
- heart rate monitors
- hearing aids
- implantable cardiac defibrillators (ICD)
- MRI systems
- hospital networks
In 2017, Abbott recalled 465,000 pacemakers after learning that they could be hacked and modified to offset cardiac rhythms. In addition, cybersecurity leader McAfee has reported that ransomware attacks have doubled in 2019, heavily impacting medical providers, including Wood Ranch Medical in California. The health system is permanently closing following a ransomware attack.
Report Threats That Contribute to Medical Provider Negligence
Attacks limit the ability to treat and protect patients and gravely impact their care and safety. Our attorneys are committed to helping those innocently injured due to medical or provider negligence and work to secure the best possible result for you and your loved ones. Please contact us for a free consultation by calling 312-332-2872 or completing our online case evaluation request form.