A family of 12 cybersecurity bugs associated with Bluetooth Low Energy (BLE) may introduce risks for some medical devices, FDA said Tuesday in a safety notice to patients, providers, and manufacturers.
The vulnerabilities, dubbed SweynTooth, don't exist in BLE itself but in development kits that come with certain system-on-a-chip (SoC) products. FDA said it is aware of several SoC manufacturers that are affected by these vulnerabilities:
- Texas Instruments
- Dialog Semiconductors
- Telink Semiconductor
Medical device manufacturers are already assessing which devices are affected by SweynTooth, evaluating the risk, and developing remediation actions, FDA noted.
The agency issued the following recommendations for manufacturers:
- If your device or any device that communicates with your device uses BLE technology, evaluate how it is impacted by these vulnerabilities.
- Conduct a risk assessment, as described in FDA's cybersecurity postmarket guidance, to evaluate the impact of these vulnerabilities on affected devices and develop risk mitigation plans.
- Mitigations should include compensating controls while you are developing software patches.
- Work with healthcare providers, facilities, and patients to determine which medical devices are affected and to take actions to ensure that risks are reduced to acceptable levels.
- Where possible, monitor medical devices for any signs of unusual behavior. Communicate with your customers and the user community regarding your assessment and recommendations for risk mitigation strategies and any compensating controls, so that customers can make informed decisions about device use. Share your customer communications with an Information Sharing and Analysis Organization.
- Report medical devices you have identified as vulnerable to SweynTooth to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency at ICS-CERT@HQ.DHS.GOV, so that this information can be added to its evolving list of products.
FDA also said that, in general, compensating controls and patches made to address the SweynTooth vulnerabilities are not likely to require premarket review prior to implementation unless the changes to the device could significantly affect its safety or effectiveness. Manufacturers with questions about whether a device modification requires premarket review should send questions to OPEQ_Cybersecurity@fda.hhs.gov for assistance.
The agency issued the following recommendations for healthcare providers and facility staff:
- Work with device manufacturers to determine which medical devices in your facilities or in use by your patients could be affected by these vulnerabilities and develop risk mitigation plans.
- Advise patients who use affected medical devices on steps they can take to reduce risk.
- Remind patients who use medical devices to seek medical help right away if they think the operation or function of their medical device has changed unexpectedly.
- Where possible, monitor medical devices for any signs of unusual behavior.
Last but not least, FDA offered the following recommendations for patients and caregivers:
- Talk to your health care provider to determine if your medical device may be affected or whether you should take any actions. Device manufacturers will be sharing more information as it becomes available.
- Seek medical help right away if you think your medical device is not working as expected.