FDA Issues Medical Device Compliance Warning: What Steps Do You Need to Take?
Posted on 31 Oct 2019 by Charles Worrell
Medical devices that use the third-party legacy networking software called IPnet are at risk of remote attack. The Food and Drug Administration (FDA) issued a warning to patients, healthcare professionals, IT staff in healthcare facilities and manufacturers on October 1, informing them of the vulnerabilities.
The IPnet software is still part of several operating systems and applications for medical and industrial systems that are used today. The vulnerabilities that exist in the IPnet software have been labeled as “URGENT/11.”
Not only are the devices themselves at risk of being misused, but the network connections they rely on – Wi-Fi, routers and other critical infrastructure equipment – are also in danger of being compromised.
What the FDA has stressed is that patient care is on the line. “While we are not aware of patients who may have been harmed by this particular cybersecurity vulnerability, the risk of patient harm if such a vulnerability were left unaddressed could be significant,” said Suzanne Schwartz, deputy director of the Office of Strategic Partnerships and Technology Innovation in the FDA’s Center for Devices and Radiological Health.
Medical device manufacturers are being advised to take these immediate actions:
- Conduct a risk assessment
- Develop risk mitigation plans
- Continue monitoring and reporting cybersecurity vulnerabilities
- Work with operating system vendors to identify available patches
As Amy Abernethy, the FDA’s principal deputy commissioner, also stated: “The FDA urges manufacturers everywhere to remain vigilant about their medical products – to monitor and assess cybersecurity vulnerability risks, and to be proactive about disclosing vulnerabilities and mitigations to address them.”
Complying with FDA Requirements
The FDA has outlined “cybersecurity postmarket guidance” with recommendations for conducting risk assessments, developing risk mitigation plans and other steps to secure devices. Manufacturers that are strapped for time, in-house expertise or resources can take advantage of independent companies, such as TUV Rheinland OpenSky, to aid them in their testing and remediation efforts.
TUV Rheinland OpenSky offers a full range of services to help secure medical devices including:
- Risk Assessments — develop and update your top-down risk registers to be business oriented and in line with leading practices, including the FAIR methodology
- Threat Modeling — specialize in an advanced form of analysis that identifies attack vectors in your design
- Managed Penetration Testing — perform regularly scheduled, iterative testing to search for new vulnerabilities in devices