Millions of Medical Devices Vulnerable to Cyberattack, FDA Warns

Oct. 1, 2019, 5:24 PM

Millions of anesthesia machines and imaging systems are vulnerable to cyberattacks, the FDA warned Oct. 1, even though it has no reports of complications from attacks yet.

Security researchers found 11 vulnerabilities, which they call the URGENT/11, in IPnet, third-party software that supports network communications between computers. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency released an advisory on these vulnerabilities in July.

These flaws could allow hackers to take over the medical device or hospital network, change its function, deny services to patients, or leak information, according to the Food and Drug Administration. The affected systems run millions of devices worldwide, according to the cybersecurity agency. These systems have also been found in MRI machines and other patient monitors.

“While we are not aware of patients who may have been harmed by this particular cybersecurity vulnerability, the risk of patient harm if such a vulnerability were left unaddressed could be significant,” Suzanne Schwartz, deputy director of the FDA’s Office of Strategic Partnerships and Technology Innovation, said.

“Because an attack may be interpreted by the device as a normal network communication, it may remain invisible to security measures,” she added.

The FDA recommended steps device manufacturers, health-care providers, and patients and caregivers can take to report potential vulnerabilities.

Health-care facilities are advised to use firewalls, virtual private networks, or other technologies to reduce the risk of exposure to URGENT/11. Manufacturers are also directed to report any medical devices identified as vulnerable to URGENT/11 to the Cybersecurity and Infrastructure Security Agency so they can be added to its growing list of products.

In May 2017, the WannaCry ransomware attack hit 16 British hospitals and caused more than 19,000 canceled doctor’s appointments when hackers encrypted hospital data through out-of-date software and then demanded money to unlock it.

The following month, a strike on N.J.-based pharmaceutical manufacturer Merck invaded the company’s expired Microsoft program and locked up data.

To contact the reporter on this story: Ayanna Alexander in Washington at aalexander@bloomberglaw.com

To contact the editors responsible for this story: Fawn Johnson at fjohnson@bloomberglaw.com; Andrew Childers at achilders@bloomberglaw.com
