FDA Issues Warning on Cybersecurity Vulnerabilities in Medical Devices

Oct 3, 2019

Security experts at Armis have discovered 11 vulnerabilities in the Interpeak IPnet TCP/IP Stack, a third-party software component implemented in hospital networks and certain medical devices.

The flaws were reported to the DHS Cybersecurity and Infrastructure Security Agency (CISA), leading to an ICS Medical Advisory and a Food and Drug Administration (FDA) Safety Communication warning patients, healthcare providers, facility staff and manufacturers about the weaknesses.

The FDA alert – labelled URGENT/11 – explains that the vulnerabilities could be remotely targeted by a threat actor, allowing complete control to be taken of a vulnerable medical device. An attacker could change the functions of the device, access sensitive information, or cause logical flaws or a denial of service that could stop the device from being operational.

While there have been no reports of the flaws being successfully targeted in the wild, the FDA warns that the software required to exploit the flaws is publicly available.

Interpeak IPnet TCP/IP Stack allows network communications between computers, and while it is no longer supported by the original developer, some device producers are licensed to use the component in their software applications, systems, and equipment with no support.

The FDA warns that the vulnerable component is in use in some versions of these operating systems:

  • VxWorks (by Wind River)
  • Operating System Embedded (OSE) (by ENEA)
  • INTEGRITY (by Green Hills)
  • ThreadX (by Microsoft)
  • ITRON (by TRON Forum)
  • ZebOS (by IP Infusion)

Specific Becton Dickinson (BD), Drager, GE Healthcare, Philips Healthcare, and Spacelabs products are also impacted by the flaws. Each of those companies has published security advisories about the affected products.

Wind River owns the license for IPnet and has released patches to address the flaws. If it is not possible to upgrade to the most recent version of the OSE, other mitigating controls can be implemented to lessen the chance of exploitation. Wind River should be contacted for details of possible compensating control measures.

The flaws are listed in the ICS-CERT Medical Advisory (ICSMA-19-274-01). The FDA has published recommendations for device manufacturers, healthcare providers, healthcare facility staff, patients and caregivers, which can be seen on this link.

Healthcare suppliers have been advised to work with their device manufacturers to see which devices are vulnerable and find out about the steps that need to be taken to safeguard the devices. They have also been warned to inform patients using vulnerable devices to quickly report any suspected operational or functional changes to their medical devices.

Nine of the flaws are classified as high severity with a CVSS v3 score of between 7.0 and 10, three of which have a score of 9.8. In order of severity, the CVE numbers are: CVE-2019-12256, CVE-2019-12255, CVE-2019-12260, CVE-2019-12257, CVE-2019-12261, CVE-2019-12263, CVE-2019-12258, CVE-2019-12259, CVE-2019-12262, CVE-2019-12264, and CVE-2019-12265.


Patrick Kennedy
