FDA warns of cybersecurity risks in Bluetooth Low Energy-equipped medical devices

The FDA has taken steps to notify healthcare providers and manufacturers about a series of cybersecurity gaps related to Bluetooth Low Energy communication that could affect certain medical devices such as wearable glucose monitors and insulin pumps as well as pacemakers, neurostimulators and hospital ultrasound machines.

Dubbed SweynTooth, the collection of 12 publicly available exploits could be used to wirelessly crash a device and stop it from functioning or access central user features. The agency said it is not aware of any adverse events related to these vulnerabilities.

“Medical devices are becoming increasingly connected, and connected devices have inherent risks, which make them vulnerable to security breaches,” said Suzanne Schwartz, deputy director of the FDA device center’s Office of Strategic Partnerships and Technology Innovation, in an agency statement. “These breaches potentially impact the safety and effectiveness of the device and, if not remedied, may lead to patient harm.”

“The FDA recommends that medical device manufacturers stay alert for cybersecurity vulnerabilities and proactively address them by participating in coordinated disclosure of vulnerabilities as well as providing mitigation strategies,” Schwartz added. “An essential part of the FDA’s strategy is working with manufacturers, health care delivery organizations, security researchers, other government agencies and patients to address cybersecurity concerns that affect medical devices in order to keep patients safe.”

Microchips used in a range of medical devices could be at risk, the agency said, including those manufactured by Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Semiconductor.

The FDA said device manufacturers have been assessing which devices may be affected and are working on potential fixes, while microchip providers have released software updates. Technical details are available from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
