The FDA issued a statement to warn patients, healthcare providers and medical device manufacturers about potential cybersecurity vulnerabilities in Bluetooth Low Energy (BLE) technology.
BLE allows two devices to “pair” and exchange information to perform their intended functions while preserving battery life in all sorts of devices, including medical technology. The vulnerabilities, referred to by the FDA as “SweynTooth,” can potentially allow an unauthorized user to wirelessly crash the device, stop it from working, or access device functions normally available to only the authorized user, according to the FDA statement.
The FDA said it is unaware of any confirmed adverse events related to the SweynTooth vulnerabilities, but the software to exploit them in certain situations is known to be publicly available. Products such as pacemakers, glucose monitors and ultrasound devices were mentioned by the FDA among devices that could be impacted.
Dr. Suzanne Schwartz, the deputy director of the Office of Strategic Partnerships & Technology Innovation at the FDA’s Center for Devices & Radiological Health, said in a news release that medical devices are becoming increasingly connected and the risk accompanying that makes them vulnerable to breaches that could lead to patient harm.
“The FDA recommends that medical device manufacturers stay alert for cybersecurity vulnerabilities and proactively address them by participating in coordinated disclosure of vulnerabilities as well as providing mitigation strategies,” Schwartz said. “An essential part of the FDA’s strategy is working with manufacturers, health care delivery organizations, security researchers, other government agencies and patients to address cybersecurity concerns that affect medical devices in order to keep patients safe.”
The FDA noted that it is aware of microchip manufacturers that are affected by the vulnerabilities. Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Semiconductor may have microchips in a variety of medical devices that are implanted in or worn by a patient or are present in healthcare facilities.
Several microchip manufacturers have already released patches in response to the SweynTooth vulnerabilities, as more continue to assess potentially affected devices, as well as identify risks and remediation actions.
The FDA urged medical device manufacturers to communicate with healthcare providers and patients about the potentially affected devices and the ways to reduce the risk associated with SweynTooth.