Pacemakers, insulin pumps and other medical devices using software called IPnet contain potential flaws that make them vulnerable to cyber attacks, the Food and Drug Administration has warned.

The agency is working with medical device makers to determine which devices, whether in health-care facilities or used by patients, may have the security flaws. The FDA said it hasn’t received any reports of a device being hacked.

“It’s important for manufacturers to be aware that the nature of these vulnerabilities allows the attack to occur undetected and without user interaction,” the FDA’s Suzanne Schwartz said in a statement this week. “Because an attack may be interpreted by the device as a normal network communication, it may remain invisible to security measures.”

Concerns about the security of medical devices date to at least 2011, when a hacker at a cybersecurity conference showed how easy it was to take over an insulin pump and deliver a lethal dose. The FDA issued its first guidance on the issue in 2013. Four years later, Abbott Laboratories voluntarily recalled 465,000 pacemakers because of security vulnerabilities.

Patients using medical devices should talk to their healthcare providers to determine what action, if any, may be needed regarding the IPnet vulnerability, the FDA advised.

  • “Medical device manufacturers should focus on building their own software technologies under FDA draft guidelines, rather than relying on third-party legacy software or off-the-shelf software,” Sathya Elumalai, founder and CEO of Baltimore-based healthcare technology company Aidar Health, said in an emailed statement.
  • A security firm identified 11 vulnerabilities, named URGENT/11, that may reside in the operating systems of a variety of devices, the FDA said. The FDA expects additional medical devices will be identified.
  • In June, Medtronic Plc recalled its MiniMed 508 and MiniMed Paradigm series insulin pumps over concerns that hackers could take control of the devices. At the time of the recall, there were no reports that patients had been attacked.
  • Software issues have been the No. 1 cause for medical device recalls for 13 straight quarters through the first half of this year, Stericycle Expert Solutions said.  
  • The Advanced Medical Technology Association, based in Washington, D.C., has developed five principles to guide device makers in protecting against cyber threats.