Bloomberg Law
Free Newsletter Sign Up
Bloomberg Law
Advanced Search Go
Free Newsletter Sign Up

U.S. Warns Cybersecurity Flaws Could Impact Medical Devices

Oct. 1, 2019, 4:53 PM

U.S. government officials issued a warning about cybersecurity vulnerabilities in operating systems that power a variety of medical devices.

Computer security researchers discovered 11 vulnerabilities that could allow a hacker to take control of medical devices, the U.S. Food and Drug Administration warned Oct. 1 in an “urgent” advisory along with the Department of Homeland Security.

“These vulnerabilities may allow anyone to remotely take control of the medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent device function,” the FDA’s advisory states.

The flaw rests within software called IPNet, developed by Swedish software company Interpeak AB, which is owned by Wind River Systems Inc. The company licenses this software to real-time operating system developers, and those systems power a range of medical devices. IPNet is highly technical software that facilities that transfer of data between computers and the internet.

In a statement, Wind River said it is a “strong proponent of responsible disclosure practices” and that it was important that “the extent of industry impact is determined and disclosed as soon as possible.”

Affected vendors include Microsoft Corp., Green Hills Software Ltd., and Enea AB, according to DHS. Microsoft told federal authorities that its product, ThreadX, no longer includes the IPNet framework, but that earlier versions of the software released prior to Microsoft’s acquisition of ThreadX earlier this year may contain the affected software.

According to an April statement announcing Microsoft’s purchase of Express Logic, the original developer of ThreadX, the real-time operating system is used in 6.2 billion devices, including more than 12 million medical devices.

The FDA advisory states that some medical-device manufacturers are addressing and remediating the flaws found in IPNet software. DHS is advising customers of IPNet to contact the developer for information on how to fix the flaws.

To contact the reporter on this story:
William Turton in New York at

To contact the editors responsible for this story:
Andrew Martin at
Jillian Ward

© 2019 Bloomberg L.P. All rights reserved. Used with permission.