The U.S. Food and Drug Administration (FDA) has issued an alert into the digital support services used in medical devices. These are PTC Axeda agent and Axeda Desktop Server.
The FDA alert is for medical device users and manufacturers, and it pertains to a cybersecurity vulnerability for the Axeda agent and Axeda Desktop Server. The Axeda agent and desktop server are web-based technologies that allow one or more people to securely view and operate the same remote desktop, through the Internet. All versions of Axeda agent and Axeda Desktop Server are affected.
The U.S. government’s concern is that a successful exploitation of this vulnerability could allow an unauthorized attacker to have full system access, remote code execution, read and change configuration, file system read access, log information access, and denial-of-service condition.
Medical devices are more commonly connected to the Internet and local services, such as hospital networks, and to other medical devices. The digitalisation is designed to provide features that improve health care and increase the ability of health care providers to treat patients.
However, these same features introduced to exploit the advantages of digital data capture also increase potential cybersecurity risks.
With this new case, depending on its use in the medical device, these security vulnerabilities may result in changes to the operation of the medical device and impact the availability of the remote support functionality.
This issue introduces cybersecurity concerns to the medical device world in a very real way. Prior to this there have been speculative discussions about what happens should a medical device, directly or through the technology that controls or monitors it, be hacked in terms of data theft (which is personal to the patient) or through an action being undertaken that cause patient harm.
It remains important that medical device manufacturers continued to be responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity.
This includes paying attention to:
- Privileged access.
- Identification of cybersecurity vulnerabilities and incidents.
- Prevention and mitigation of cybersecurity vulnerabilities.
- Product lifecycle challenges and opportunities.
Such considerations will help to overcome the cybersecurity challenges and foster new opportunities associated with the servicing of medical devices.
