Bluetooth Low Energy Medical Devices Have Cybersecurity Vulnerabilities, FDA Warns

Federal health officials are warning healthcare professionals that any medical device using Bluetooth Low Energy (BLE) technology could be vulnerable to hackers, which could allow unauthorized control of devices such as pacemakers and blood glucose monitors.

The FDA issued a BLE cybersecurity warning on March 3, 2020, after determining the technology has potential vulnerabilities that may allow unauthorized users to intercept, alter or disable the wireless communication between medical devices.

Although no hacking events involving BLE have been reported, the FDA is warning that patients could be at an increased risk of severe injury or death in the event of unintended medical device alterations.


Bluetooth Low Energy (BLE) technology has become an increasingly popular wireless communication method to allow two devices to pair and exchange information to perform the intended functions with the benefit of preserving battery life of medical devices.

One of the most common uses is in blood glucose monitors, which take glucose readings of diabetic patients and send results back to a central monitoring station. These results have a direct impact on the insulin dosage a patient receives, meaning the alteration of the results could cause either an underdose or overdose of insulin, which could be fatal.

Officials indicated BLE is used in a variety of medical devices, including wearable devices for patients and stationary devices within healthcare facilities. Some of the specific devices known to use BLE microchips include pacemakers, glucose monitors, ultrasound devices, electrocardiograms, monitors and diagnostic devices.

To date, at least 12 cybersecurity vulnerabilities, named SweynTooth, have been identified. These vulnerabilities have been broken into three categories: crashing the device, deadlocking the device and bypassing the device's security.

The FDA has identified vulnerabilities in which an unauthorized user could crash the device, which will abruptly stop communication causing a delay in treatment or monitoring. Hackers could also deadlock the devices, which would prohibit the device from working properly for an extended period of time, also causing a potential delay in treatment or monitoring. Lastly, officials identified situations where hackers could bypass the security settings to control the devices’ functions that normally only the authorized user could control.

According to the warning, the FDA has become aware of several microchip manufacturers that are susceptible to these vulnerabilities. Those system-on-a-chip (SoC) manufacturers include Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Semiconductor.

The FDA noted that medical device manufacturers have begun assessing which devices are affected by SweynTooth, and are evaluating the risks and developing remediation actions. These remediation actions will be communicated directly to healthcare providers.

Cybersecurity Concerns

Since 2014, the U.S. Department of Homeland Security (DHS) has been actively investigating at least two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment. According to DHS, if preventative actions to strengthen the medical field's cybersecurity issues are not taken, hackers could exploit a wide variety of vulnerabilities in connected medical devices, potentially impacting the safety and effectiveness of the medical devices.

In 2019, the FDA issued a safety communication about vulnerabilities with Medtronic ICDs or cardiac resynchronization therapy defibrillators (CRT-Ds), after discovering the wireless telemetry system used to communicate and alter the implanted devices could be hacked due to a lack of security protocols.

Later the same year, in November, Medtronic issued a second Medtronic MiniMed insulin pump recall after the manufacturer identified that someone other than the patient or healthcare provider could remotely change insulin delivery settings and alter glucose level data, potentially leading to life-threatening conditions such as the development of severe hypoglycemia or high blood sugar and diabetic ketoacidosis.

Patients are being asked to talk with their healthcare providers to determine if their medical device could be affected, and to seek help immediately if they believe their device is not working as expected. The FDA is encouraging healthcare professionals and patients experiencing any issues to report the problem through the MedWatch Voluntary Reporting Form.

Written by: Russell Maas

Managing Editor & Senior Legal Journalist

Russell Maas is a paralegal and the Managing Editor of AboutLawsuits.com, where he has reported on mass tort litigation, medical recalls, and consumer safety issues since 2010. He brings legal experience from one of the nation's leading personal injury law firms and oversees the site's editorial strategy, including SEO and content development.



