
URGENT/11 vulnerabilities showcase cybersecurity risks for connected medical devices

On 1 October, the US Food and Drug Administration (FDA) released a safety communication regarding a set of 11 cybersecurity vulnerabilities, referred to as the URGENT/11, which could potentially leave large numbers of connected medical devices open to exploitation by remote attackers.


Although the FDA assured the public that there have not yet been any reported attacks, the breadth of devices put at risk by these vulnerabilities and the extreme level to which the vulnerable systems could be manipulated is staggering.


GlobalData believes that this event is a robust demonstration of the growing importance of cybersecurity solutions in the healthcare industry.


The URGENT/11 vulnerabilities were discovered by researchers from Armis, a small cybersecurity firm specialising in security for connected devices. The weak code was identified in a third-party software component called IPnet, which helps support network communications between computers.


The IPnet software is currently owned by Wind River and is used in the company’s real-time operating system (RTOS), VxWorks. RTOSs are built to process data in real-time with high reliability and accuracy — a function crucial to many devices used in the healthcare sector, such as patient monitors and infusion pumps.

According to Armis, with more than two billion devices using the software across industries, VxWorks is the most widely used RTOS. Unfortunately, the problem is not just limited to VxWorks. Before the IPnet software was acquired by Wind River in 2006, it had been sold as a third-party library and was incorporated into a variety of other RTOSs. Although the acquisition occurred 13 years ago, some RTOSs continue to use IPnet and are thus at risk of attack.


A list of RTOSs containing IPnet has been made available, but there may be others. Before 2006, the code was sold as a permanent license and was subject to very few updates after the initial sale, which can make it difficult to trace.


The URGENT/11 vulnerabilities allow attackers to remotely take over internet-connected devices, bypassing perimeter security measures such as firewalls. As such, the vulnerabilities can be used to deliver malware within networks and between different connected devices.


One example given by Armis on its company blog was the remote infiltration of a vulnerable patient monitor in a hospital via an internal connection to a similarly vulnerable cloud-connected printer. Using these weaknesses, a remote user could take control of a medical device and change its function, cause information leaks, or shut down the machine entirely. In a dramatic video on the company blog, Armis demonstrated how an attacker could hijack a patient monitor in a hospital and record patient data or even fake an emergency such as cardiac flat-line.


In another example, the company described how the vulnerability could be used to remotely shut down an infusion pump, leaving a patient without life-saving supportive care.


GlobalData forecasts that by 2021, the global cybersecurity market will be worth $143bn, up from $114bn in 2017. Events like the discovery of the URGENT/11 vulnerabilities highlight why such strong growth is expected, particularly in the healthcare sector.


With the increasing usage of big data in monitoring patient health, medical devices are steadily becoming more connected to the internet and other medical devices. Although this new level of connectivity is transforming patient care, close attention must be given to the design of these devices and the software on which they run.


As many medical devices require a longer period of development and regulatory approvals compared to consumer devices, they typically have longer life cycles once they are in use. This means that when a device manufacturer is designing a new product, cybersecurity must be considered for the entire foreseeable life cycle of that product. On top of this intensive design work, the ongoing product maintenance and updates require a great deal of manpower and expertise. Additionally, organisations like hospitals can no longer allow cybersecurity to be an afterthought. To counter cybersecurity risks, hospitals may need to invest in an on-site cybersecurity team or contract out to a managed security service.


Luckily, it appears the URGENT/11 vulnerabilities were identified before any great harm could be done. The FDA’s announcement provides recommendations for device manufacturers, healthcare providers and healthcare facility staff on how to address the threats and notes that many parties have already begun to identify risks and implement remedial solutions such as software patches. However, it cannot be ignored that these large-scale software issues are occurring more and more frequently, highlighting the vital importance of cybersecurity products and services in protecting the more connected healthcare systems of the future.

For more insight and data, visit the GlobalData Report Store.
