The Food and Drug Administration (FDA) notified patients, healthcare professionals, and other stakeholders, warning them of a set of 11 vulnerabilities that could put medical devices and hospital networks at risk. The set of vulnerabilities was dubbed “URGENT/11,” and was discovered in a decade-old third-party software component called IPnet.
URGENT/11 is comprised of six critical flaws that allow Remote Code Execution (RCE) and five that are classified as denial of service (DoS) and logical flaws. Denial of service attacks and logical flaws could impede the devices from functioning, while RCEs could allow a remote hacker to take control of vulnerable medical devices.
This is possible because IPnet supports network communications between computers. Although its original vendor no longer supports IPnet, some manufacturers still hold a license that allows them to incorporate the software component to their devices without support. Thus, the software has found its way to equipment, devices, and other software applications used in various medical devices. Most significantly, IPnet has been used in real-time operating systems (RTOSs) that are used in the healthcare industry, typically to improve the performance and accuracy of medical devices as it allows it to respond to events in real-time.
This isn’t the first advisory issued regarding URGENT/11. The Department of Homeland Security (DHS) also issued a statement regarding the set of vulnerabilities in July, which mostly covered the vulnerabilities as discovered in VxWorks. The FDA issued a more detailed update after Armis researchers discovered that the same set of vulnerabilities affected more operating systems.
Affected operating systems are listed below. However, the FDA notes that not all versions of these systems contain IPnet and the set of vulnerabilities:
INTEGRITY (by GreenHills)
ITRON (by TRON)
Operating System Embedded (OSE) (by ENEA)
ThreadX (by Microsoft)
VxWorks (by Wind River)
ZebOS (by IP Infusion)
Other IoT-related issues in the healthcare industry
The FDA has yet to receive any reports of URGENT/11 being used in an attack or causing actual adverse effects. However, the FDA urges manufacturers and other affected stakeholders to take precautions against the said vulnerabilities. Warning even patients who use medical devices themselves to be wary of sudden changes in their devices, and report them immediately.
Cybersecurity risks have dire implications on the healthcare industry. Unfortunately, the industry faces these risks as the cost of implementing emerging technologies to improve their processes and treatments. Several reports have already disclosed vulnerabilities in critical devices like insulin pumps, which could allow a hacker to change a nearby pumps’ setting by sending out radio frequency (RF) signals, while a discovered vulnerability in certain anesthesia machines could allow a remote hacker to modify equipment parameters (i.e. change the composition of aspirated gases) and place patients at risk. Risks can also come from unexpected places, like medical images that can be used to spread malicious code and pagers that could leak sensitive information.
Trend Micro conducted a research in 2018 to uncover such risks in connected hospitals. Aside from exposed devices and systems, the research also delved into risks stemming from the supply chain. Supply chain-related risks is a significant consideration in modern medical institutions as connected hospitals are more dependent on cloud-based systems, third-party service providers, and vendors. As this case demonstrates, a vulnerability or weakness in a third-party component could cause security issues down the line.
The responsibility of creating secure medical devices fall heavily on manufacturers, who are encouraged to work closely with organizations like the FDA and DHS to make quality and standardized products. The US National Institute of Standards and Technology (NIST) also emphasizes the importance of supply chain risk management (SCRM) especially in securing critical infrastructures like healthcare.
Aside from manufacturers, other stakeholders — distributors, healthcare facilities, and users — are also urged to secure their respective medical devices and systems. Healthcare facilities should ensure that their third-party providers and vendors share the same high security standards as they do. While users or patients need to be responsible for their respective devices, and be wary of signs of compromise.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).