The product development lifecycle for wireless medical devices is extremely complex.
With the cybersecurity threat landscape growing, the complexity of product development for wireless devices has intensified as medical device cybersecurity becomes a greater concern.
You must now always consider cybersecurity when you first architect and design the device.
You must also consider it when you develop the device, including configuring the hardware, writing the firmware and software, and performing carefully documented verification and validation work to ensure safety and efficacy for patients and medical professionals.
In addition, you must consider cybersecurity when you specify the manufacturing and testing processes to ensure that cybersecurity threats do not burrow into your device on the factory floor.
Although cybersecurity is becoming increasingly important, medical device cybersecurity is hardly a new topic.
However, despite the numerous advances in combined hardware and software solutions for certain aspects of cybersecurity, the problem is far from solved.
Medical device companies that incorporate the Bluetooth Low Energy (BLE) protocol into their devices must consider a whole new family of cybersecurity vulnerabilities.
Many people are aware that the Bluetooth wireless communications protocol was named after the Danish king, Harald “Bluetooth” Gormsson.
In the late tenth century, King Harald was deposed by his son, Sweyn Forkbeard, and it is in Sweyn’s memory that a new category of cybersecurity vulnerabilities within certain versions of Bluetooth, known collectively as SweynTooth, is named.
The SweynTooth vulnerabilities were uncovered by researchers from Singapore University of Technology and Design (SUTD) who were partially funded by Keysight. The SUTD team disclosed them in an article provocatively titled “Unleashing Mayhem over Bluetooth Low Energy.”
According to the researchers, the SweynTooth vulnerabilities affect numerous categories of internet of things (IoT) devices.
This is not surprising, as many device manufacturers do not develop their own communications chipsets and firmware, but instead rely on a small number of module vendors.
In addition to affecting medical devices, SweynTooth affects devices used in logistics, consumer electronics, smart home, wearables and other IoT application areas.
“The current practice is to leave the implementation tests to the Bluetooth certification process,” the SUTD team wrote. “This is with the mindset that once the design is sound, hardly anything can break in the implementation of the Bluetooth stack. Our findings expose some fundamental attack vectors against certified and recertified BLE Stacks which are supposed to be ‘safe’ against such flaws.”
In addition to publishing the paper, the SUTD team reported the exposures to the Common Vulnerabilities and Exposures (CVE) database.
The report from SUTD listed several vendors producing components and devices that contained the vulnerabilities, including many well-known companies.
These companies, of course, took swift action to assess the extent of the vulnerabilities in their products and to address them appropriately.
However, many products containing the vulnerabilities had already been shipped to customers, and many of those customers are either unknown or untraceable.
Therefore, many devices with SweynTooth vulnerabilities remain in use.
Furthermore, subsequent research by SUTD has discovered another set of vulnerabilities collectively known as BrakTooth.
The BrakTooth vulnerabilities are estimated to affect more than one billion devices that have already been shipped to end customers.
The SUTD article was clear about the risk to patients, saying:
“The most critical devices that could be severely impacted by SweynTooth are the medical products.”
Furthermore, the report listed examples of life-sustaining medical devices that had identified SweynTooth vulnerabilities.
Given the substantial risk to patients, the US Food and Drug Administration (FDA) issued the following statement in March of 2020:
The potential impacts of the SweynTooth vulnerabilities fall into three categories.
An unauthorized user can wirelessly exploit these vulnerabilities to:
Furthermore, the FDA recommended several specific actions for medical device manufacturers.
These are summarized below, and manufacturers are encouraged to review the FDA’s guidance.
Medical device manufacturers should evaluate the impact of SweynTooth on their devices, conduct a postmarket risk assessment and develop risk mitigation plans, including compensating controls when developing software patches.
They should also work with health care providers, facilities and patients to identify affected devices, mitigate risks and make informed decisions.
Of course, they should also share customer communications with an Information Sharing and Analysis Organization and report vulnerable devices to Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) so that this information can be added to its product list.
The same FDA link also includes specific recommendations for health care providers, facility staff, caregivers and patients.
All persons concerned are encouraged to consult the official guidance at the link shown above.
Healthcare providers and facility staff should work with device manufacturers to determine which medical devices used in their facilities or by their patients could be affected and develop risk mitigation plans.
They should also monitor devices for unusual behavior and advise patients on how to reduce risk, including seeking immediate medical help if their devices’ behavior changes unexpectedly.
Patients should talk to their health care provider about their devices and how to proceed with affected devices, including seeking immediate medical help if a device is not working as expected.
Cybersecurity is a critically necessary aspect of the medical device product development cycle.
SweynTooth is just one example of the kinds of vulnerabilities that can potentially disrupt countless lives, and BLE is not the only wireless protocol that is subject to cybersecurity vulnerabilities.
To reduce risk and ensure efficacy, medical device manufacturers should make cybersecurity part of their risk register and quality management system (QMS) and ensure that they integrate continuous security validation into their software development pipelines.
They should also use penetration testing tools, such as protocol fuzzing, and subscribe to a cybersecurity intelligence service to monitor and keep up to date with the latest attack methodologies.
Failure to properly address cybersecurity risk in a connected medical device could lead to government regulators pulling your authority to ship devices or even the potential for life-or-death consequences for patients.
Brad Jolly is a Senior Applications Engineer at Keysight Technologies, and received his BS in Mathematics from the University of Michigan.
He has been with Keysight Technologies (previously Hewlett-Packard and Agilent Technologies) for more than 25 years, including roles in software R&D, UI design, learning products, application engineering, product support, training, product marketing and product management.