"While advanced devices can offer safer, more convenient and timely health care delivery, a medical device connected to a communications network could have cybersecurity vulnerabilities that could be exploited resulting in patient harm," said Dr. Amy Abernethy, the FDA's principal deputy commissioner.
"The FDA urges manufacturers everywhere to remain vigilant about their medical products to monitor and assess cybersecurity vulnerability risks, and to be proactive about disclosing vulnerabilities and mitigations to address them," Abernethy said in an agency news release.
The warning concerns several operating systems whose flaws could affect medical devices connected to a network, such as Wi-Fi and public or home internet, as well as equipment such as routers, phones and other communications gear, the agency said.
It's possible that an attacker could exploit these vulnerabilities and take control of a medical device, change its function, cause denial of service, or cause information leaks. Logical flaws can also be introduced that could cause the device not to work properly or at all.
So far, the FDA hasn't received any report of a device being hacked.
"While we are not aware of patients who may have been harmed by this particular cybersecurity vulnerability, the risk of patient harm if such a vulnerability were left unaddressed could be significant," said Dr. Suzanne Schwartz, deputy director of the Office of Strategic Partnerships and Technology Innovation in the FDA's Center for Devices and Radiological Health.
"The safety communication issued today contains recommendations for what actions patients, health care providers and manufacturers should take to reduce the risk this vulnerability could pose," Schwartz said in the release. "It's important for manufacturers to be aware that the nature of these vulnerabilities allows the attack to occur undetected and without user interaction."
These vulnerabilities are in software called IPnet that computers use to talk to each other over networks.
Systems that include IPnet are:
- VxWorks (by Wind River)
- Operating System Embedded (OSE) (by ENEA)
- INTEGRITY (by Green Hills)
- ThreadX (by Microsoft)
- ITRON (by TRON)
- ZebOS (by IP Infusion)
The FDA urges patients to talk to their doctors to see if their device could be affected and to get help right away if they notice that the functioning of their device has changed.
The agency is also working with manufacturers to identify products that could be vulnerable and come up with plans to thwart any potential breaches.