The Federal Institute for Drugs and Medical Devices (BfArM), a special medical device regulating agency in Germany, issued warning on vulnerabilities detected in one of the most widely used operating systems for medical devices.

Medical Device Cybersecurity Issue

According to the information provided by the regulating authority, critical vulnerabilities have been discovered in Windows operating system (OS) that many medical devices, such as MRI, use. These vulnerabilities make it possible to pass all security measures and intervene in the operation of medical devices, including the risk of gaining access to protected networks using malware. Most of the devices exposed to the risk are intended for professional use and utilized by healthcare institutions in a way that is important to the health of patients. 

Large medical device manufacturers have already warned their customers on the risk related to these vulnerabilities and provided a list of particular medical devices exposed to such risk. Some of them also announced plans on issuing a special patch or pending software update that would reduce or eliminate the threat, while some of them also notice that it could take time to develop and supply the amendments necessary to deal with the issue. It is important to mention that all devices using this type of software are subject to FDA approval, so medical device manufacturers would have to update their registration certificates to reflect changes made to the software according to the applicable requirements. 

At the same time, specialists representing the company that discovered vulnerabilities state that it would be necessary to develop an entirely new operating system for these types of medical devices that would have a higher level of protection and also would comply with the requirements set forth by the FDA.


Operating Systems Used in Medical Devices

There are a few types of operating systems used in medical devices, including the following:

  • General Purpose Operating Systems (GPOS) – quite a rare type used only in a few specific devices. It is enough to download a new version to update the operating system of this type.
  • Real Time Operating Systems (RTOS) – the most common type of operating systems with a basic level of malware protection. It is important to mention that the updating process for these types of devices is a bit complicated due to the construction – the operating system itself is stored on a built-in memory element that has to be physically replaced.

The operating system in which vulnerabilities had been found is one of the RTOS ones, so the updating process would take a relatively long time and require additional expenses related to the replacement of memory elements inside all devices. 


About BfArM

BfArM is a federal level authority and a part of German Federal Ministry of Health regulating all issues related to licensing, safety requirements applicable for medical devices, risk evaluation and general medical device supervision. 

RegDesk platform provides all parties involved with the reliable and detailed information on medical device regulations and rules including marketing authorization, licensing, importation and other aspects related to medical device circulation.