By Clare O’Gara
Thu | Oct 3, 2019 | 6:30 AM PDT

If your work involves using Internet of Medical Things (IoMT) devices, you'll want to listen up.

The U.S. Food and Drug Administration (FDA) issued new warnings for patients, staff, manufacturers, and medical providers about specific cybersecurity vulnerabilities.

The FDA says these are device and software vulnerabilities that could help hackers compromise hospital networks.

The vulnerable software identified by the FDA

Eleven vulnerabilities have been identified, which the FDA is calling the "URGENT/11." And hackers have already created tools that can take advantage of them. The agency puts it like this:

"The FDA is not aware of any confirmed adverse events related to these vulnerabilities. However, software to exploit these vulnerabilities is already publicly available.

These vulnerabilities may allow anyone to remotely take control of the medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent device function."

In other words, the consequences could include loss of data or perhaps even loss of life.

According to the FDA, some versions of the following systems have been affected:

  • VxWorks (by Wind River)
  • Operating System Embedded (OSE) (by ENEA)
  • INTEGRITY (by Green Hills)
  • ThreadX (by Microsoft)
  • ITRON (by TRON Forum)
  • ZebOS (by IP Infusion)

What the FDA recommends for healthcare IT and security staff

If you work in an IT or cybersecurity function in the healthcare industry, what should you monitor in relation to the URGENT/11 threats?

The FDA provided two specific recommendations for you:

  • Monitor your network traffic and logs for indications that an URGENT/11 exploit is taking place.
  • Use firewalls, virtual private networks (VPN), or other technologies that minimize exposure to URGENT/11 exploitation.

For additional details on URGENT/11, see the FDA release.