March 03, 2020: The U.S. FDA is informing patients, health care providers and manufacturers about a set of cybersecurity vulnerabilities, referred to as “SweynTooth,” that – if exploited – may introduce risks for certain medical devices. SweynTooth affects the wireless communication technology known as Bluetooth Low Energy (BLE).
BLE allows two devices to “connect” and share information in order to perform their intended functions while preserving battery life, and can be used in medical devices as well as other devices, such as consumer wearables and apps on the Internet of Things. These cybersecurity vulnerabilities may permit an unauthorized user to wirelessly crash the device, stop it from working, or access device functions normally only available to the authorized user.
To date, the FDA is not aware of any confirmed adverse events related to these vulnerabilities. However, software to exploit these vulnerabilities in certain situations is publicly available. The FDA is providing additional information regarding the source of these vulnerabilities and recommendations for reducing or avoiding risks the vulnerabilities may pose to a variety of medical devices, such as pacemakers, glucose monitors, and ultrasound devices.
The FDA is currently aware of several microchip manufacturers that are affected by these vulnerabilities: Texas Instruments, NXP, Cypress, Dialog Semiconductor, Microchip, STMicroelectronics and Telink Semiconductor. Their microchips may be in a variety of medical devices, such as those that are implanted in or worn by the patient (such as pacemakers, stimulators, blood glucose monitors and insulin pumps) or larger devices that are in health care facilities (such as electrocardiograms, monitors and diagnostic devices like ultrasound devices).
Medical device manufacturers are already assessing which devices may be affected by SweynTooth and are identifying risk and remediation actions. Additionally, several microchip manufacturers have already released patches. For more information about SweynTooth cybersecurity vulnerabilities, including a list of the affected devices, see ICS-ALERT-20-063-01 SweynTooth Vulnerabilities, Department of Homeland Security Cybersecurity Infrastructure Security Advisory.
The agency is asking medical device manufacturers to communicate to health care providers and patients which medical devices could be affected by SweynTooth and ways to reduce the associated risk. Patients should talk to their health care providers to determine if their medical device could be affected and to seek help right away if they think their medical device is not working as expected.
The FDA will continue to evaluate new information about the risk of SweynTooth and will keep the public updated if important new information becomes available.
Furthermore, the FDA will continue its ongoing work with manufacturers and health care delivery organizations—as well as security researchers and other government agencies—to help develop and implement solutions to address cybersecurity issues throughout the device’s total product lifecycle.
The FDA, an agency within the U.S. Department of Health and Human Services, protects the public health by assuring the safety, efficiency, and security of human and veterinary drugs, vaccines and other biological products for human use, and medical devices. The agency also is responsible for the safety and protection of our nation’s food supply, cosmetics, dietary supplements, products that give off electronic radiation, and for regulating tobacco products.
https://fda.einnews.com/pr_news/511110111/fda-informs-patients-providers-and-manufacturers-about-potential-cybersecurity-vulnerabilities-in-certain-medical-devices-with-bluetooth-low-energy