The US Food and Drug Administration (FDA) on Tuesday alerted health professionals and manufacturers to a family of 12 cybersecurity vulnerabilities known as “SweynTooth,” which could allow an unauthorized user to cause a device to stop working, to stop it from working correctly, and/or to bypass security controls to access certain device functions.
Security researchers found the vulnerabilities are associated with a wireless communication technology known as Bluetooth Low Energy (BLE), which allows two devices to exchange information to perform their intended functions while preserving battery life.
FDA said it is not aware of any confirmed adverse events related to these vulnerabilities, but it is currently aware of several system-on-a-chip manufacturers that are affected by them, including Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Semiconductor.
According to the Department of Homeland Security, “The affected medical devices may include pacemakers, blood glucose monitors, and others using affected BLE SDKs [software development kits].”
As for recommendations to manufacturers, FDA says the vulnerabilities should be evaluated and devices should be monitored for unusual behavior. Any mitigations should include compensating controls while software patches are being developed, FDA added.
“In general, compensating controls and patches made to address the SweynTooth vulnerabilities are not likely to significantly affect the safety or effectiveness of the device and thus would not likely need FDA premarket review prior to implementation. If the changes to the device needed to address the vulnerabilities could significantly affect the safety or effectiveness of the device, however, premarket review is required,” FDA added.
Jodi Scott, partner in the medical device and technology regulatory practice group with the law firm Hogan Lovells, discussed FDA’s work on cybersecurity in an interview with Focus, explaining that FDA seems to be targeting its efforts on higher-risk products.
She also noted that there is room for more international harmonization on cybersecurity, and that if FDA can provide more examples, the device industry could benefit from them, beyond what companies already do in information sharing organizations.
But, Scott added, “One of the challenges is making sure you don’t flood the field with alerts, thereby decreasing what really matters.”