FDA warns of cybersecurity risks in Bluetooth Low Energy-equipped medical devices

The FDA has taken steps to notify healthcare providers and manufacturers about a series of cybersecurity gaps related to Bluetooth Low Energy communication that could affect certain medical devices such as wearable glucose monitors and insulin pumps as well as pacemakers, neurostimulators and hospital ultrasound machines.

Dubbed SweynTooth, the collection of 12 publicly available exploits could be used to wirelessly crash a device and stop it from functioning or access central user features. The agency said it is not aware of any adverse events related to these vulnerabilities.

“Medical devices are becoming increasingly connected, and connected devices have inherent risks, which make them vulnerable to security breaches,” said Suzanne Schwartz, deputy director of the FDA device center’s Office of Strategic Partnerships and Technology Innovation, in an agency statement. “These breaches potentially impact the safety and effectiveness of the device and, if not remedied, may lead to patient harm.”

“The FDA recommends that medical device manufacturers stay alert for cybersecurity vulnerabilities and proactively address them by participating in coordinated disclosure of vulnerabilities as well as providing mitigation strategies,” Schwartz added. “An essential part of the FDA’s strategy is working with manufacturers, health care delivery organizations, security researchers, other government agencies and patients to address cybersecurity concerns that affect medical devices in order to keep patients safe.”

RELATED: FDA, DHS link arms on medical device cybersecurity, plus new agency guidance

Microchips used in a range of medical devices could be at risk, the agency said, including those manufactured by Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Semiconductor.

The FDA said device manufacturers have been assessing which devices may be affected and are working on potential fixes, while microchip providers have released software updates. Technical details are available from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.