The U.S. Food and Drug Administration (FDA) issued a formal warning on Tuesday on vulnerabilities detected in decades-old software used in many of today's medical devices and hospital networks.
The warning states that 11 vulnerabilities exist in IPnet, a third-party TCP/IP networking stack that handles network communication between devices. If exploited, the flaws could allow a remote attacker to take control of a medical device and change its function, cause a denial of service, or trigger information leaks or logic errors that may prevent the device from functioning.
Interpeak, the original developer of IPnet, no longer supports the software. However, some manufacturers hold a licence that allows them to continue using it without support, meaning it can still be incorporated into other applications, equipment and systems, including medical devices in clinical use today.
The vulnerabilities in the IPnet stack were first disclosed by IoT security firm Armis in July 2019 and are collectively known as URGENT/11. Since then, more than 30 vendors have issued security advisories addressing them.
When the flaws were first disclosed, they were widely assumed to affect only certain versions of Wind River's VxWorks real-time operating system. The real impact is broader, because the IPnet stack was licensed separately and incorporated into several other operating systems.
The FDA warns that some versions of INTEGRITY by Green Hills, ThreadX by Microsoft, Operating System Embedded (OSE) by ENEA, ITRON by TRON Forum and ZebOS by IP Infusion may also contain the vulnerable component.
So far, an imaging system, an infusion pump and an anesthesia machine have been confirmed to contain one or more of the vulnerabilities, but the FDA says it expects additional affected medical devices to be identified.
Armis classified all 11 as zero-day vulnerabilities, meaning they were unknown to the vendors and unpatched at the time of disclosure; a zero-day is defined by that lack of a fix, not by how long the bug has existed in the code.
This news comes on the heels of the new 45-page document Principles and Practices for Medical Device Cybersecurity, released this week by the International Medical Device Regulators Forum (IMDRF). The guidance was developed by the FDA and Health Canada and says about third-party components, "These components can create a risk of their own, which is managed by the manufacturer through risk management, quality management, and design choice. Manufacturers should manage the cybersecurity implications of the components—software and hardware—that are part of their devices." The report added, "post-market issues with a third-party component may also affect the security of the medical device, and manufacturers need to manage this risk. Users expect the manufacturer to understand how a security vulnerability in an underlying component such as an operating system or processor affects the medical device. Regulators will require it."
Separately, health data and medical records belonging to millions of Americans were recently found exposed online, unprotected from access by anyone with basic computer skills. The discovery came from Greenbone Networks, a German security provider, which identified similarly exposed systems across 52 countries. NNT is the sole North American reseller of Greenbone; to learn more, visit our website.