FDA warns of Bluetooth Low Energy vulnerability affecting connected medical devices

"SweynTooth" impacts several microchip and medical device manufacturers, and could allow bad actors to wirelessly crash or access these products, according to the agency.
By Dave Muoio
11:56 am

The FDA is warning of new cybersecurity vulnerabilities affecting Bluetooth Low Energy communications technology used in certain medical devices. According to the agency, the issue could allow unauthorized users to wirelessly crash a device, prevent it from working or access functions limited to its users.

The FDA says the vulnerabilities – referred to as "SweynTooth" by the researchers who identified them – could impact connected worn or implanted devices such as glucose monitors, insulin pumps, pacemakers and stimulators, as well as larger devices in healthcare facilities like ultrasound devices or monitors. To the agency's knowledge, no such cases have yet occurred.

So far, the regulator has listed seven microchip manufacturers that it knows are affected: Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Semiconductor. 

However, the FDA said that it is already aware of patch releases from "several" microchip manufacturers that address these issues, as well as medical-device companies that are investigating their products for vulnerabilities.

"The agency is asking medical device manufacturers to communicate to health care providers and patients which medical devices could be affected by SweynTooth and ways to reduce associated risk," the agency wrote in its announcement of the vulnerabilities. "Patients should talk to their health care providers to determine if their medical device could be affected and to seek help right away if they think their medical device is not working as expected."


Bluetooth Low Energy is a mainstay among devices found in hospitals and on retail store shelves. With more devices embracing wireless communications each day, a flaw in the technology providing full access to medical devices is a major risk to digital-health-product manufacturers, not to mention their customers.

"Medical devices are becoming increasingly connected, and connected devices have inherent risks, which make them vulnerable to security breaches. These breaches potentially impact the safety and effectiveness of the device and, if not remedied, may lead to patient harm," Dr. Suzanne Schwartz, deputy director of the Office of Strategic Partnerships and Technology Innovation in the FDA's Center for Devices and Radiological Health, said in a statement. "The FDA recommends that medical device manufacturers stay alert for cybersecurity vulnerabilities and proactively address them by participating in coordinated disclosure of vulnerabilities as well as providing mitigation strategies."


As hospitals continue to embrace the internet of things, experts have advocated for greater cybersecurity efforts and a decentralized network to limit the risks posed by connected medical devices. On the flip side, these concerns have provided a boost to startups specializing in device security and fueled funding rounds for companies like Medigate ($15 million in January 2019) and MedCrypt ($5.3 million in May 2019).

