FDA Warns Consumers About Medical Devices That are Vulnerable to Hacking

• Security researchers have detected 11 vulnerabilities in medical devices that could allow attackers to remotely take control of them and change their functionality causing a denial of service.
• Medical devices that use third-party and outdated software called IPnet are vulnerable.

What’s the matter?

The Food and Drug Administration (FDA) has issued a warning to consumers about critical cybersecurity flaws in some medical devices that could allow hackers to take complete control of them.

What devices are vulnerable?

Security researchers have detected 11 vulnerabilities in medical devices that could allow attackers to remotely take control of them and change their functionality causing a denial of service.

Medical devices that use third-party and outdated software called IPnet are vulnerable. However, how many devices such as insulin pumps or pacemakers are vulnerable to hacking remains unknown.

“Though the IPnet software may no longer be supported by the original software vendor, some manufacturers have a license that allows them to continue to use it without support. Therefore, the software may be incorporated into a variety of medical and industrial devices that are still in use today,” the FDA said.

What actions are being taken?

• The FDA has requested the medical device manufacturers to evaluate the impact of cybersecurity flaws and to report their findings to the agency.
• The agency is working with security experts and stakeholders to understand the impact of security risks and identify medical devices that contain one or more of the vulnerabilities.
• The agency has also advised the health-care providers to notify patients who use medical devices that may be affected.

“However, due to the complexities in how the code from the IPnet third-party software component was incorporated into various medical devices and the availability of the exact operating system versions impacted, it will be difficult to develop a comprehensive list of affected devices,” Alison Hunt, FDA spokeswoman said in a statement.