
FDA Warns Medical Device Bluetooth Security Flaw Could Disrupt Function

The security flaw dubbed SweynTooth impacts a range of medical devices with Bluetooth Low Energy and could allow a hacker to remotely crash the device or access its data, the FDA warns.


By Jessica Davis

A set of cybersecurity flaws found in a range of medical devices with Bluetooth Low Energy (BLE) could allow a hacker to remotely crash a device or access its data, according to a recent alert from the Food and Drug Administration.

BLE is used to pair and exchange data between two devices to perform specific functions and preserve battery life. However, researchers discovered a flaw, dubbed SweynTooth, that could allow a hacker to remotely crash the device, stop its function, or access functions typically only available to the authorized user.

The vulnerability affects the BLE wireless communication technology found in certain products designed by several microchip manufacturers, including Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics, and Telink Semiconductor.

The impacted microchips are installed in a number of medical devices that are either implanted or worn by a patient, such as insulin pumps and pacemakers, as well as larger devices found in healthcare facilities like ultrasound devices, patient monitors and electrocardiograms, among others. The flaw is also found in consumer wearable and IoT products.

The FDA is not currently aware of any adverse events stemming from the flaws. But there are publicly available exploits that could put these devices at risk of attack. In response, the FDA is providing insights into the flaws to help manufacturers and healthcare providers shore up these cybersecurity gaps.

“Medical devices are becoming increasingly connected, and connected devices have inherent risks, which make them vulnerable to security breaches,” said Suzanne Schwartz, director of the FDA’s Office of Strategic Partnerships and Technology Innovation.

“These breaches potentially impact the safety and effectiveness of the device and, if not remedied, may lead to patient harm,” she continued. “An essential part of the FDA’s strategy is working with manufacturers, health care delivery organizations, security researchers, other government agencies and patients to address cybersecurity concerns that affect medical devices in order to keep patients safe.”

In response, the FDA is recommending medical device manufacturers keep an eye out for cybersecurity flaws, as well as proactively address tech issues with coordinated disclosures of vulnerabilities and provide customers with mitigation strategies.

The FDA’s medical device security efforts have proved critical for shoring up these oft-vulnerable devices. Since the FDA released its cybersecurity guidance for medical devices in 2016, medical device manufacturers have reported 400 percent more vulnerabilities per quarter, according to MedCrypt.

Currently, medical device manufacturers are analyzing what devices may be impacted by SweynTooth, as well as identifying potential risk and remediation recommendations. Some microchip manufacturers have released patches for the flaw, including Texas Instruments and Cypress, among others.

The FDA has asked medical device manufacturers to communicate the products potentially at risk of the vulnerability and possible remediation efforts. Further, vendors should conduct a risk assessment described in the FDA’s Cybersecurity Postmarket Guidance to assess the potential impact of SweynTooth on their products, while developing risk mitigation plans.

Patients are being asked to speak with their provider to determine whether their specific medical device could be impacted or if their device appears to stop working properly.

“Medical device manufacturers should work with the microchip manufacturers to identify available patches and other recommended mitigation methods, work with healthcare providers to determine any medical devices that could potentially be affected, and discuss ways to reduce associated risks,” FDA recommended.

“The FDA will continue to assess new information concerning the SweynTooth vulnerabilities and will keep the public informed if significant new information becomes available,” they added. “FDA will continue its ongoing work with manufacturers and health care delivery organizations—as well as security researchers and other government agencies—to help develop and implement solutions to address cybersecurity issues throughout a device's total product lifecycle.”

Security researchers have provided several medical device resources in the past to help providers bolster their medical device security postures beyond patching and traditional tools. It's also important to note that device risk extends beyond cybersecurity and could impact patient safety.

Both the Medical Imaging & Technology Alliance (MITA) and Healthcare and Public Health Sector Coordinating Council (HSCC) have recently released medical device security guidance.