Medical Devices at Risk of 'Urgent/11' Vulnerability

Posted October 8, 2019



The Food and Drug Administration (FDA) is warning of 11 cybersecurity vulnerabilities that may introduce risks during the use of certain medical devices. These vulnerabilities, named “Urgent/11,” are particularly threatening because they could be used to propagate malware into and within hospital networks via their medical devices.

An FDA safety communication provides additional information about the source of the bugs and offers recommendations for patients, healthcare providers, and manufacturers to reduce or avoid risks that the vulnerabilities “may pose to certain medical devices.”

“It’s important for manufacturers to be aware that the nature of these vulnerabilities allows the attack to occur undetected and without user interaction. Because an attack may be interpreted by the device as a normal network communication, it may remain invisible to security measures,” said Suzanne Schwartz, deputy director of the office of strategic partnerships and technology innovation in FDA’s Center for Devices and Radiological Health, in a statement.

The FDA first informed the public about Urgent/11 in July, when cybersecurity researchers at Armis Security discovered network protocol bugs in a third-party IPnet software component. IPnet was created two decades ago and still supports some networked computer communications.

Devices that may be impacted by Urgent/11 are those that use real-time operating systems (RTOSs) supported by IPnet’s TCP/IP stack, such as VxWorks by Wind River, Operating Systems Embedded by ENEA, Integrity by Green Hills, ThreadX by Microsoft, ITRON by TRON Forum, ZebOS by IP Infusion, and Nucleus RTOS by Mentor. Devices that use these RTOSs are typically critical medical devices with long life cycles, like infusion pumps, patient monitors, and magnetic resonance imaging machines.

The FDA encourages patients and healthcare providers to report suspected problems with medical devices through its MedWatch Voluntary Reporting Form.

Armis Security released a free, downloadable Urgent/11 detector that can identify vulnerable devices regardless of their RTOS.