The U.S. Food and Drug Administration (FDA) issued a press release on March 3, 2020, to inform patients, health care providers and manufacturers about a newly discovered cybersecurity vulnerability. A vulnerability set referred to as “SweynTooth” affects wireless communication technology known as Bluetooth Low Energy (BLE). BLE allows two devices to “pair” and exchange information to perform their intended functions while preserving battery life and can be found in medical devices, as well as other devices, such as consumer wearables and Internet of Things (IoT) devices. Microchips using BLE may be in a variety of medical devices, such as those that are implanted in or worn by a patient (such as pacemakers, stimulators, blood glucose monitors and insulin pumps), or larger devices that are in health care facilities (such as electrocardiograms, monitors and diagnostic devices like ultrasound devices). The SweynTooth vulnerabilities may allow an unauthorized user to wirelessly crash a device, stop it from working, or access device functions normally only available to the authorized user.
The FDA said it is not aware of any confirmed events related to SweynTooth, but noted that software to exploit the vulnerabilities is publicly available. Medical device manufacturers are currently assessing potential affected devices and are identifying risk and remediation actions.
In addition, several microchip manufacturers have already released patches. For more information about SweynTooth cybersecurity vulnerabilities – including a list of affected devices, see this ICS Alert from the Cybersecurity Infrastructure Security Agency.
The FDA has asked manufacturers to communicate to health care providers and patients which medical devices are affected by SweynTooth and offer ways to reduce the risk. Patients should talk to their health care providers to determine if their device is affected.
“Medical devices are becoming increasingly connected, and connected devices have inherent risks, which make them vulnerable to security breaches. These breaches potentially impact the safety and effectiveness of the device and, if not remedied, may lead to patient harm,” said Suzanne Schwartz, M.D., MBA, deputy director of the Office of Strategic Partnerships and Technology Innovation in the FDA’s Center for Devices and Radiological Health. “The FDA recommends that medical device manufacturers stay alert for cybersecurity vulnerabilities and proactively address them by participating in coordinated disclosure of vulnerabilities as well as providing mitigation strategies. An essential part of the FDA’s strategy is working with manufacturers, health care delivery organizations, security researchers, other government agencies and patients to address cybersecurity concerns that affect medical devices in order to keep patients safe.”
Companies making and selling any sort of connected devices, particularly medical device companies, need to be vigilant in addressing the security issues inherent in their products. If you are an executive or general counsel and have questions about what you need to do to address potential cybersecurity issues, please contact us.