Pacemakers and glucose-monitoring systems are among the critical medical equipment that could be affected by new security vulnerabilities in wireless technology, the Food and Drug Administration and Department of Homeland Security warned this week.
The flaws, in a popular wireless protocol known as Bluetooth Low Energy (BLE), affect microchipped devices across a range of industries and could allow a hacker within radio range of a device to disrupt its communications, forcing it to restart.
There have not been any reports of malicious exploitation or patient harm related to the vulnerabilities. The FDA advised medical device manufacturers to work with health care providers, patients, and facilities to figure out which devices are affected and “to ensure that risks are reduced to acceptable levels.”
How many of the medical device manufacturers that use the vulnerable microchips are affected remains to be seen. It is up to the manufacturers themselves to verify the extent to which their products are affected.
Erika Winkels, a spokesperson for Medtronic, a Minneapolis-based medical device maker, said some of the company’s pacemakers and parts of glucose-monitoring systems are affected by the vulnerability. However, she said the impact of the vulnerability is limited to temporary disruption of communication between the medical equipment and other devices and “does not impact therapy.”
“To date, no cyberattack, data breach, or patient harm involving a Medtronic product has been observed or associated with these vulnerabilities,” Winkels said. “We monitor our products and systems to assess any impact associated with cybersecurity issues and take appropriate actions as circumstances dictate.”
The dozen BLE vulnerabilities, discovered by researchers at the Singapore University of Technology and Design, affect at least seven big microchip manufacturers, including Texas Instruments. Most of those vendors have issued fixes for the bugs. The researchers pointed to multiple proof-of-concept exploits for the vulnerabilities.
The FDA is urging manufacturers to assess their equipment and report any that is vulnerable to DHS’s Cybersecurity and Infrastructure Security Agency. CISA itself is still trying to notify affected manufacturers.
Stephanie Domas, executive vice president at health care cybersecurity company MedSec, said the vulnerabilities are a reminder of how complex the ecosystem of suppliers and customers of medical devices is.
“Medical device manufacturers need quick-acting methods for intaking vulnerability information, assessing the risk, and then getting information out to healthcare delivery organizations (HDOs),” Domas told CyberScoop. Those HDOs need their own processes in place for assessing risk and taking appropriate action, she added.
“There are a lot of moving pieces, a lot of stakeholders at the table, and it requires coordination across all of them,” Domas said.
The advisory is only the latest in a series that the FDA has put out to inform patients of the potential cybersecurity and safety risks of connected devices and to encourage manufacturers to update their firmware.
“Medical devices are becoming increasingly connected, and connected devices have inherent risks, which make them vulnerable to security breaches,” said Suzanne Schwartz, a senior cybersecurity official at the FDA.