The United States Food and Drug Administration (FDA) has posted a press announcement and safety communication concerning Medical Devices with Bluetooth Low Energy (BLE).
The FDA informs manufacturers, health care providers and patients about a set of cybersecurity vulnerabilities, referred to as "SweynTooth" that if exploited, may introduce risks for certain medical devices. SweynTooth affects the wireless communication technology known as BLE. These cybersecurity vulnerabilities may allow an unauthorized user to wirelessly crash the device, stop it from working, or access device functions normally only available to the authorized user.
The FDA is not aware of any confirmed adverse events related to these vulnerabilities. However, software to exploit these vulnerabilities in certain situations is publicly available. The FDA is providing additional information regarding the source of these vulnerabilities and recommendations for reducing or avoiding risks the vulnerabilities may pose to a variety of medical devices such as pacemakers, glucose monitors, and ultrasound devices.
The FDA is currently aware of several microchip manufacturers that are affected by these vulnerabilities: Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Semiconductor. Their microchips may be in a variety of medical devices, such as those that are implanted in or worn by a patient (such as pacemakers, stimulators, blood glucose monitors and insulin pumps) or larger devices that are in health care facilities (such as electrocardiograms, monitors and diagnostic devices like ultrasound devices).
Medical device manufacturers in the United States are already assessing which devices may be affected by SweynTooth and are identifying risk and remediation actions. In addition, several microchip manufacturers have already released patches.
The FDA is asking medical device manufacturers to communicate to health care providers and patients which medical devices could be affected by SweynTooth and ways to reduce associated risk. Patients should talk to the health care providers to determine if their medical devices could be affected and to seek help if they think their medical devices are not working as expected.
For details, please refer to the following links:
https://www.fda.gov/news-events/press-announcements/fda-informs-patients-providers-and-manufacturers-about-potential-cybersecurity-vulnerabilities-0
https://www.fda.gov/medical-devices/safety-communications/sweyntooth-cybersecurity-vulnerabilities-may-affect-certain-medical-devices-fda-safety-communication
If you are in possession of the affected products, please contact your supplier for necessary actions.
Posted on 4 March 2020