Pathways’ Pick of the Week: Not your Father’s FDA Cybersecurity Alert

ARTICLE SUMMARY:

In this week’s top news pick from MedTech Strategist Market Pathways: Does your device have Urgent/11? FDA issued an alert this week warning of the potential for widespread medical device vulnerabilities from a third-party software flaw.

[For a complete roundup of medtech policy happenings that should be on your radar this week and deeper analysis of the sector, check out Market Pathways.]

Cybersecurity vulnerabilities have become an increasingly common subject line for FDA safety alerts, but a communication issued by the agency October 1 should catch the entire medtech community’s attention. Previous FDA safety communications have spotlighted vulnerabilities in a particular company’s devices, including, for instance, an alert in June about Medtronic’s insulin pumps and several addressing vulnerabilities in Abbott Laboratories’ implantable defibrillators and pacemakers. But the latest missive, coordinated by FDA with the Department of Homeland Security, is of a different type, largely because the communication mentions no specific medical devices. Instead, it focuses on software and operating systems that are used in a “wide range” of connected medical (and industrial) devices. An agency spokeswoman confirmed to Market Pathways that the October 1 alert is the first official FDA safety communication referencing a specific third-party software issue that can cause vulnerabilities across different device systems.

Specifically, the alert warns of “Urgent/11,” a set of 11 vulnerabilities in a third-party TCP/IP networking stack (IPnet) that “may allow a remote user to take control of a medical device and change its function, cause denial of service, or cause information leaks or logical flaws” (although no hacking incidents or adverse events have been identified). The flaws were first reported by cybersecurity researchers in July in one particular real-time operating system (VxWorks). Since then, more information has flowed in, including from hospitals, showing that the affected software is present in more systems than originally believed: the stack was widely licensed out more than a decade ago as a networking solution, and it lives on in operating system versions that are no longer supported with software updates. BD, for instance, issued a parallel alert October 1 warning of Urgent/11-related vulnerabilities in its Alaris PC infusion pump (the firm clarifies that a hacker couldn’t interrupt an in-process infusion). Firms including GE Healthcare, Philips, Drager, and Spacelabs Healthcare have also issued related alerts in the past weeks and months addressing imaging and patient monitoring systems.

The Urgent/11 situation brings together multiple themes that have been raised repeatedly by FDA and cybersecurity experts in recent years as public device cybersecurity concerns have grown. These include the risks of “legacy” operating systems, the importance of device companies closely cooperating with outside security researchers, and the growing emphasis on manufacturers providing, in FDA submissions, a detailed “cybersecurity bill of materials” (CBOM) that lists each piece of software a device runs, including third-party components such as the networking stack. An updated draft guidance from FDA on cybersecurity premarket submission requirements issued last October includes an expectation that companies hand over a CBOM for connected devices. The latest alert will add more pressure on companies to do so, because a hospital holding a device’s CBOM can check it against the components named in an alert like Urgent/11 far faster than it can wait for each manufacturer to confirm exposure device by device. For now, FDA, device firms and security researchers are on the lookout for additional devices with an Urgent/11 flaw hidden inside.
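The check a hospital would run with a CBOM in hand is a version-range match: for each component the device reports, is it named in the advisory, and does its version fall in an affected range? The script below is an added example, not code from the article, FDA or any device vendor. Every component name, version string and affected range in it is constructed for illustration (the real Urgent/11 affected versions must be taken from the vendor and ICS-CERT advisories), and it deliberately handles the case that makes legacy stacks hard to triage: a component that appears in the inventory with no recorded version cannot be cleared from the CBOM alone.

```python
"""Triage a device's cybersecurity bill of materials (CBOM) against an advisory.

Added example; not code from the article, FDA, or any device vendor. Every
component name, version and affected range below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import re


@dataclass(frozen=True)
class Component:
    """One line of a CBOM: a software component the device runs."""
    name: str
    version: str            # "" or "unknown" when the inventory does not record it
    supplier: str = ""


@dataclass(frozen=True)
class AffectedRange:
    """One advisory entry: versions in [introduced, fixed) of a named component."""
    name: str
    introduced: str         # inclusive lower bound
    fixed: Optional[str]    # exclusive upper bound; None means no fixed release exists


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '6.9.4.1' into (6, 9, 4, 1). Non-numeric tokens are dropped, so a
    string like '7.0-SR540' still compares as (7, 0, 540)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def version_known(version: str) -> bool:
    """False for '', 'unknown', 'n/a' and anything else without a numeric part."""
    return bool(parse_version(version))


def in_range(version: str, rng: AffectedRange) -> bool:
    """True if version lies in rng's affected window."""
    v = parse_version(version)
    if v < parse_version(rng.introduced):
        return False
    return rng.fixed is None or v < parse_version(rng.fixed)


def triage(cbom: List[Component], advisory: List[AffectedRange]) -> Dict[str, List[str]]:
    """Bucket each component as affected, unverified (named in the advisory but
    with no recorded version), or clear. Returns component names per bucket."""
    by_name: Dict[str, List[AffectedRange]] = {}
    for rng in advisory:
        by_name.setdefault(rng.name.lower(), []).append(rng)

    result: Dict[str, List[str]] = {"affected": [], "unverified": [], "clear": []}
    for comp in cbom:
        ranges = by_name.get(comp.name.lower(), [])
        if not ranges:
            result["clear"].append(comp.name)
        elif not version_known(comp.version):
            # A legacy stack with no recorded version needs vendor confirmation.
            result["unverified"].append(comp.name)
        elif any(in_range(comp.version, r) for r in ranges):
            result["affected"].append(comp.name)
        else:
            result["clear"].append(comp.name)
    return result


# Constructed advisory entries. The ranges are illustrative only and are NOT the
# real Urgent/11 affected-version list.
ADVISORY = [
    AffectedRange("vxworks", introduced="6.5", fixed="6.9.4.12"),
    AffectedRange("ipnet", introduced="0", fixed=None),   # no supported fix: every version flagged
]

# Constructed CBOM for a hypothetical networked patient monitor.
MONITOR_CBOM = [
    Component("VxWorks", "6.9.4.1", "Wind River"),
    Component("IPnet", "unknown"),        # stack present, version never recorded
    Component("OpenSSL", "1.0.2u"),
]

if __name__ == "__main__":
    for bucket, names in triage(MONITOR_CBOM, ADVISORY).items():
        print(f"{bucket:>10}: {', '.join(names) or '-'}")
```

Two design points matter in practice. First, the advisory is keyed on the operating system as well as on the stack, because a CBOM that lists only “VxWorks” hides the networking code embedded in it; the match has to work at whichever level the inventory records. Second, an “unverified” bucket is kept separate from “clear”: for software licensed out a decade ago, the absence of a version in the inventory is exactly the situation in which a hospital should ask the manufacturer rather than assume the device is safe.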

Articles from David Filmore: