Low Energy-Equipped Bluetooth Medical Devices May Pose Increased Cybersecurity Threat
- SweynTooth – an exploit that can cause device crashes and failures
- Connection, connection, connection – medical devices are becoming increasingly connected to one another, increasing the risk for cyber breaches.
- Obsolete Systems – regular software updates for medical devices are necessary to limit their susceptibility to cybersecurity threats.
- Education – Healthcare professionals and patients need to be aware of the potential risks and points of cybersecurity vulnerability.
- Cybersecurity Assessments- InterMed has a team of professionals dedicated to assessing your medical device cybersecurity risk
The healthcare industry is at risk of cybersecurity threats due to its use of low energy-equipped Bluetooth medical devices. Basically, Bluetooth Low Energy (BLE) technology allows devices to connect and exchange information and perform intended functions while conserving battery life. These energy-efficient technologies can be found in a number of medical devices as well as consumer wearables. According to the FDA, this technology may have increased cybersecurity risk through an exploit known as “SweynTooth,” which has the potential to wirelessly crash a device, stop it from functioning, or access commands and information regularly only available to authorized users.
“Medical devices are becoming increasingly connected, and connected devices have inherent risks, which make them vulnerable to security breaches,” Suzanne Schwartz, MD, MBA, deputy director of the Office of Strategic Partnerships and Technology Innovation in the FDA’s Center for Devices and Radiological Health said. “These breaches potentially impact the safety and effectiveness of the device and, if not remedied, may lead to patient harm.”
While there are currently no confirmed compromises or adverse events related to these vulnerabilities, the software necessary for these breaches are publicly available. It is important to know if your facility uses these devices and if so how best to keep them from becoming compromised.
“The FDA recommends that medical device manufacturers stay alert for cybersecurity vulnerabilities and proactively address them by participating in coordinated disclosure of vulnerabilities as well as providing mitigation strategies,” Schwartz adds. “An essential part of the FDA’s strategy is working with manufacturers, health care delivery organizations, security researchers, other government agencies and patients to address cybersecurity concerns that affect medical devices in order to keep patients safe.”
The FDA has released a list of microchip manufacturers that they are aware to be affected by these vulnerabilities: Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics, and Telink Semiconductor. According to 24×7 Magazine, many medical device manufacturers are assessing which devices are at risk for these vulnerabilities and are developing remediation actions. Also, several microchip manufacturers have already released patches to vulnerable devices.
If you have devices with BLE technology that are not working properly, contact the device manufacturer to help determine whether your device could be affected and whether or not you should take action.
Be sure to update your device as often as patches are released since outdated device software is often more susceptible to cybersecurity vulnerabilities. As a healthcare professional, it is also important to advise patients who use affected medical devices of the appropriate steps to mitigate risk and remind them to seek medical help right away if they believe the operation or function of their device has changed unexpectedly.
If you believe your facility’s devices utilize BLE technology or may be at risk for cybersecurity breaches, contact Intermed today to set up a Jump Team diagnostic to assess medical device risk. InterMed’s Medical Device Profile (MDP) services for Cyber Security is a boots-on-the-ground Jump Team™ Program utilized to capture the critical data needed to perform the initial device profiling of all the healthcare entity’s equipment. MDP is the critical first step in developing all variations of data defense strategies by identifying the risk points and vulnerabilities of the device’s housing electronic Patient Health Information (PHI).