Some pacemakers, EKGs, diabetes devices may face newly flagged Bluetooth cyber risk
- FDA is warning that a wide range of medical devices using a wireless communication technology called Bluetooth Low Energy are vulnerable to security breaches that could result in harm to patients.
- In a safety communication Tuesday, the agency said the set of 12 vulnerabilities, called SweynTooth, could allow an unauthorized user to gain access to device functions or cause the device to crash or lock. The agency said it is unaware of any confirmed adverse events related to the issue so far.
- The Department of Homeland Security, in a separate alert, said it has asked affected vendors to confirm the vulnerabilities and identify ways to reduce risks of a cyber attack.
As medical device connectivity continues to grow, there are increasing opportunities for hackers to exploit these vulnerabilities with the potential to breach security controls and jeopardize patient safety. FDA’s latest cybersecurity warning comes just over a month after a security flaw in GE Healthcare information stations for centralized monitoring of patients prompted a safety alert from the agency and follows three other cyber warnings for devices in 2019.
The agency’s latest safety communication is notable for the broad swath of medical devices identified as potentially impacted by the group of 12 SweynTooth vulnerabilities. Bluetooth Low Energy technology allows devices to exchange information to perform functions while preserving battery life. However, according to FDA, software to exploit the SweynTooth vulnerabilities is publicly available, putting these devices at risk.
FDA said microchip manufacturers affected include Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Semiconductor. Several of the chip makers have already released patches, the agency said.
Devices that may contain the microchips include implants such as pacemakers and technology worn by the patient, such as blood glucose monitors and insulin pumps. Larger systems such as electrocardiograms, monitors and ultrasound devices are also vulnerable.
FDA is asking manufacturers that use the Bluetooth technology to inform healthcare providers and patients about which devices could be affected by the SweynTooth threat and how to reduce risks. Manufacturers should conduct a risk assessment, described in a post-market guidance document, to evaluate their devices and should develop risk mitigation plans, according to the agency. Device makers and chip manufacturers are advised to work together on patches and other mitigation methods.
The agency’s Patient Engagement Advisory Committee recommended development of high standards for outreach on communication of vulnerabilities to patients. FDA also published a Technology Modernization Action Plan to guide efforts for computer hardware, software, data and analytics with a special focus on cybersecurity.
Last year, FDA issued medical device safety alerts after identifying cyber threats involving a third-party software component called IPnet, certain Medtronic MiniMed insulin pumps, and Medtronic implantable cardiac devices, programmers and home monitors.