The Food and Drug Administration issued a warning to consumers Tuesday about potentially serious cybersecurity flaws in some medical devices that could allow hackers to take control of them remotely.
Medical devices that use third-party, decades-old software called IPnet are at risk, the FDA said. The regulator said it’s not sure how many or even which specific devices, such as insulin pumps or pacemakers, are vulnerable to getting hacked.
Researchers have identified 11 vulnerabilities that may allow “anyone to remotely take control of the medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent device function.”
The FDA said it is working with “various stakeholders and subject matter experts to obtain a better understanding” of the security risk and identify medical devices that contain one or more of the vulnerabilities.
“However, due to the complexities in how the code from the IPnet third party software component was incorporated into various medical devices and the availability of the exact operating system versions impacted, it will be difficult to develop a comprehensive list of affected devices,” FDA spokeswoman Alison Hunt said in a statement.
The FDA has been ramping up efforts to monitor the cybersecurity of medical devices in recent years.
In June, medical device maker Medtronic recalled some models of insulin pumps that were open to hacks amid concerns from the FDA. At the time, there were no confirmed reports of cyberattacks on the pumps.
The FDA said Tuesday it is not aware of any confirmed adverse events related to the IPnet-related vulnerabilities.
The agency recommends that health-care providers advise patients who use medical devices that may be affected.
Device manufacturers have been asked by the FDA to evaluate the impact of cybersecurity flaws and to communicate their findings to the agency.