

WASHINGTON (dpa-AFX) - The U.S. Food and Drug Administration on Tuesday issued a warning letter that connected medical devices and health care networks with a third-party software, called Ipnet, could be targeted by hackers.



The Department of Homeland Security in July 2019 had informed the public of these potential cybersecurity vulnerabilities. Now, FDA is providing additional information about the source of these vulnerabilities and recommendations to reduce or avoid risks.



The FDA has not received any adverse event reports associated with cybersecurity issues.



Cybersecurity vulnerabilities are referred to as 'URGENT/11,' which means if exploited by a remote attacker, medical devices and hospital networks could be at risk.



The URGENT/11 vulnerabilities exist in a third-party software, called IPnet, which is used by computers to communicate with each other over a network. The software is part of several operating systems, and may be used in a wide range of medical and industrial devices.



These operating systems may then impact certain medical devices connected to a communications network. They include wi-fi and public or home Internet; other connected equipment such as routers, connected phones; and other critical infrastructure equipment.



Using these, a remote user could take control of a medical device and change its function, cause denial of service, or cause information leaks or logical flaws. This may prevent a device from functioning properly or at all.



According to the FDA, the affected operating systems include ThreadX by Microsoft, VxWorks by Wind River, Operating System Embedded by ENEA, INTEGRITY by GreenHills, ITRON by TRON and ZebOS by IP Infusion. However, all versions of these operating systems may not be vulnerable.



The agency urged the manufacturers to work with health care providers to find out which medical devices in their health care facility or used by their patients could be affected by URGENT/11. It also asked to develop risk mitigation plans.



