FDA informs about potential cybersecurity vulnerabilities for connected medical devices and health c

FDA informs about potential cybersecurity vulnerabilities for connected medical devices and health c

U.S. Food and Drug Administration is informing patients, health care professionals, IT staff in health care facilities and manufacturers of a set of cybersecurity vulnerabilities, referred to as “URGENT/11,” that—if exploited by a remote attacker—may introduce risks for medical devices and hospital networks. URGENT/11 affects several operating systems that may then impact certain medical devices connected to a communications network, such as wi-fi and public or home Internet, as well as other connected equipment such as routers, connected phones and other critical infrastructure equipment. These cybersecurity vulnerabilities may allow a remote user to take control of a medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent a device from functioning properly or at all.

To date, the FDA has not received any adverse event reports associated with these vulnerabilities. The public was first informed of these vulnerabilities in a July 2019 advisory sent by the Department of Homeland Security. Today, the FDA is providing additional information regarding the source of these vulnerabilities and recommendations for reducing or avoiding risks the vulnerabilities may pose to certain medical devices.

“While advanced devices can offer safer, more convenient and timely health care delivery, a medical device connected to a communications network could have cybersecurity vulnerabilities that could be exploited resulting in patient harm,” said Amy Abernethy, M.D., Ph.D., FDA’s principal deputy commissioner. “The FDA urges manufacturers everywhere to remain vigilant about their medical products—to monitor and assess cybersecurity vulnerability risks, and to be proactive about disclosing vulnerabilities and mitigations to address them. This is a cornerstone of the FDA’s efforts to work with manufacturers, health care delivery organizations, security researchers, other government agencies and patients to develop and implement solutions to address cybersecurity issues that affect medical devices in order to keep patients safe.”

The URGENT/11 vulnerabilities exist in a third-party software, called IPnet, that computers use to communicate with each other over a network. This software is part of several operating systems and may be incorporated into other software applications, equipment and systems. The software may be used in a wide range of medical and industrial devices. Though the IPnet software may no longer be supported by the original software vendor, some manufacturers have a license that allows them to continue to use it without support. Therefore, the software may be incorporated into a variety of medical and industrial devices that are still in use today.

Security researchers, manufacturers and the FDA are aware that the following operating systems are affected, but the vulnerability may not be included in all versions of these operating systems:

• VxWorks (by Wind River)
• Operating System Embedded (OSE) (by ENEA)
• INTEGRITY (by GreenHills)
• ThreadX (by Microsoft)
• ITRON (by TRON)
• ZebOS (by IP Infusion)

The agency is asking manufacturers to work with health care providers to determine which medical devices, either in their health care facility or used by their patients, could be affected by URGENT/11 and develop risk mitigation plans. Patients should talk to their health care providers to determine if their medical device could be affected and to seek help right away if they notice the functionality of their device has changed.

The FDA takes reports of vulnerabilities in medical devices very seriously and today’s safety communication includes recommendations to manufacturers for continued monitoring, reporting and remediation of medical device cybersecurity vulnerabilities. The FDA is recommending that manufacturers conduct a risk assessment, as described in the FDA’s cybersecurity postmarket guidance, to evaluate the impact of these vulnerabilities on medical devices they manufacture and develop risk mitigation plans. Medical device manufacturers should work with operating system vendors to identify available patches and other recommended mitigation methods, work with health care providers to determine any medical devices that could potentially be affected, and discuss ways to reduce associated risks.

Some medical device manufacturers are already actively assessing which devices may be affected by URGENT/11 and are identifying risk and remediation actions. In addition, several manufacturers have already proactively notified customers of affected products, which include medical devices such as an imaging system, an infusion pump and an anesthesia machine. The FDA expects that additional medical devices with one or more of the cybersecurity vulnerabilities will be identified.

“While we are not aware of patients who may have been harmed by this particular cybersecurity vulnerability, the risk of patient harm if such a vulnerability were left unaddressed could be significant,” said Suzanne Schwartz, M.D., MBA, deputy director of the Office of Strategic Partnerships and Technology Innovation in the FDA’s Center for Devices and Radiological Health. “The safety communication issued today contains recommendations for what actions patients, health care providers and manufacturers should take to reduce the risk this vulnerability could pose. It’s important for manufacturers to be aware that the nature of these vulnerabilities allows the attack to occur undetected and without user interaction. Because an attack may be interpreted by the device as a normal network communication, it may remain invisible to security measures.”

FDA approves second drug to prevent HIV infection

The U.S. Food and Drug Administration today approved Descovy (emtricitabine 200 mg and tenofovir alafenamide 25 mg) in at-risk adults and adolescents weighing at least 35kg for HIV-1 pre-exposure prophylaxis (PrEP) to reduce the risk of HIV-1 infection from sex, excluding those who have receptive vaginal sex. Descovy is not indicated in individuals at risk of HIV-1 infection from receptive vaginal sex because the effectiveness in this population has not been evaluated.

“PrEP drugs are highly effective when taken as indicated in the drug labeling and can prevent HIV infection,” said Jeffrey Murray, M.D., M.P.H., deputy director of the Division of Antiviral Products in the FDA’s Center for Drug Evaluation and Research. “This approval provides more prevention options for certain patients at-risk for acquiring HIV and helps further efforts by the FDA and the U.S. Department of Health and Human Services to facilitate the development of HIV treatment and prevention options to reduce new HIV infections.”

According to the Centers for Disease Control and Prevention, 38,739 people received an HIV diagnosis in the U.S. in 2017. To confront this epidemic, President Trump announced an initiative, Ending the HIV Epidemic: A Plan for America, in his State of the Union address on February 5, 2019. This opportunity to eliminate new HIV infections in our nation seeks to provide our hardest-hit communities with additional expertise, technology and resources required to address the HIV epidemic. The aim is to reduce new infections by 75% in the next five years and by 90% in the next ten years, averting more than 250,000 HIV infections in that span.

PrEP, or pre-exposure prophylaxis, is an HIV prevention method in which people who do not have HIV take medicine on a daily basis to reduce their risk of getting HIV if they are exposed to the virus. Descovy for PrEP should be used as part of a comprehensive strategy, including adherence to daily administration and safer sex practices, including condoms, to reduce the risk of sexually acquired infections.

The safety and efficacy of Descovy for PrEP were evaluated in a randomized, double-blind multinational trial in 5,387 HIV-negative men and transgender women who have sex with men and were at risk of HIV-1 infection. The trial compared once daily Descovy to Truvada (emtricitabine, tenofovir disoproxil fumarate, 200 mg/300 mg), a daily fixed dose combination of two drugs approved in 2012 to prevent the sexual acquisition of HIV; participants were followed for 48 to 96 weeks. The primary endpoint was the rate of HIV-1 infection in each group. The trial showed that Descovy was similar to Truvada in reducing the risk of acquiring HIV-1 infection. The most common adverse reaction in individuals without HIV who were taking Descovy for PrEP was diarrhea.

There is a boxed warning for individuals who take Descovy who also have hepatitis B virus (HBV) to be aware of the risk of exacerbations of HBV in those who discontinue products with emtricitabine or tenofovir disproxil fumarate, and which may occur in individuals who discontinue Descovy. Descovy for HIV-1 PrEP is contraindicated in individuals with unknown or positive HIV-1 status and should only be prescribed to individuals confirmed to be HIV-negative immediately prior to initiating and at least every three months during use.