Bluetooth Low Energy Security Breach in Medical Equipment

The FDA has issued a security alert on possible cyber security breaches in Bluetooth Low Energy communications technology, which is utilized in some medical equipment. 

According to the government, the flaw may allow unauthorized users to wreck a device wirelessly, prohibit it from operating, or get access to features restricted to its owners.

Bluetooth Low Energy (BLE)

Bluetooth Low Energy (BLE) is a wireless communication standard that enables devices to connect and exchange intelligence in order to fulfill their envisioned activities while conserving battery life.

Implanted medical devices such as insulin pumps, stimulators, pacemakers, and glucose monitors, as well as consumer wearables and Internet of Things (IoT) devices, use this technology.

We explore why some individuals are concerned about Bluetooth headphones in this post. We also look at the facts around the gadgets’ safety.

Seven Businesses Were Impacted by the SweynTooth Vulnerability

The vulnerabilities, dubbed “SweynTooth” by the scientists who discovered them, may affect linked wearable or implanted devices like glucose monitors, insulin pumps, pacemakers, and stimulators, as well as bigger healthcare devices like ultrasound machines or monitors, according to the FDA.

To the best of the company’s insights, no such incidents have yet occurred.

Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics, and Telink Semiconductor are among the seven microchip manufacturers known to be impacted, according to the regulator.

The FDA, on the other hand, stated that it is aware of update releases from “many” microchip manufacturers that solve these concerns, and also some medical-device firms that are looking into their devices for flaws.

In its statement of the vulnerabilities, the agency said, “The agency is urging medical device makers to convey to health care professionals and patients whose medical devices may be impacted by SweynTooth and methods to mitigate related risk.”

“Patients should speak with their health care professionals to discover whether their medical device is damaged, and get treatment as soon as possible if they believe their medical device is not operating as it should.”

The probable consequences of the SweynTooth flaws may be divided into three groups. These flaws can be exploited wirelessly by an unauthorized user to:

• Destroy the gadget. It’s possible that the gadget will cease communicating or functioning.
• The gadget must be deadlocked. It’s possible that the gadget will freeze and cease operating properly.
• Bypass security to gain access to devise functionalities that are typically only available to authorized users.

Vendors Known to be Impacted

• Texas Instruments
• NXP
• Cypress
• Dialog Semiconductors
• Microchip
• STMicroelectronics
• Telink Semiconductor

Numerous system-on-a-chip (SoC) vendors are now known to be impacted by these vulnerabilities, according to the FDA

Moves by the FDA

To detect, disclose, and avoid adverse occurrences related to the SweynTooth vulnerabilities, the FDA is collaborating with other government agencies, manufacturers, and cybersecurity experts.

The FDA will continue to evaluate additional knowledge about the SweynTooth vulnerabilities and will update the public if substantial new information comes to light.

What Would Be the Consequence?

Bluetooth Low Energy is a common feature in gadgets seen in hospitals and on store shelves.

With more gadgets adopting wireless connections every day, a weakness in the technology that allows complete access to medical equipment poses a serious threat to digital-health-product makers, as well as their customers.

“Medical equipment is becoming increasingly linked, and peripherals are prone to security breaches due to inherent dangers. These flaws might jeopardize the device’s safety and efficacy, and if not addressed, could result in patient damage “Dr. Suzanne Schwartz, deputy director of the FDA’s Center for Devices and Radiological Health’s Office of Strategic Partnerships and Technology Innovation, wrote in a recent statement.

“The FDA advises medical device makers to be on the lookout for cybersecurity vulnerabilities and to take proactive steps to resolve them by engaging in coordinated vulnerability disclosure and remediation methods.”

Issues with Your Device and How to Report Them

If you believe your equipment or a device your patient uses has a problem, the FDA urges you to report it using the MedWatch Voluntary Reporting Form.

Employees at healthcare institutions that are subject to the FDA’s user facility reporting requirements should adhere to the procedures set out by their employers.

Insights Into the Complexity

Researchers have urged for increased cybersecurity measures and a decentralized system to reduce the hazards presented by linked medical equipment as healthcare institutions continue to embrace wearable technology. 

These worries, on the other hand, have boosted device security startups and fueled financing rounds for firms like Medigate ($15 million in January 2019) and MedCrypt ($5.3 million in May 2019). So overall it’s well and good when such measures are taken by the Government and also the security startups.

Wrapping Up

The security alert and breaches in bluetooth low energy technology is likely to cause damage to medical devices.

However, FDA and other agencies are more concerned about these threats and planning way ahead to make inline security standards. It’s more likely that such measures will be brought sooner by FDA.

On the other hand, we have many security startups working on the same goals.