**** Info via Health Canada
Cybersecurity vulnerabilities associated with some medical devices with Bluetooth Low Energy chips
Health Canada is informing Canadians, healthcare professionals, and manufacturers about a series of cybersecurity vulnerabilities named “SweynTooth”. These vulnerabilities may affect devices using the Bluetooth Low Energy (BLE) protocol. Because of these vulnerabilities, some medical devices that use BLE chips could be at risk of a cyber attack. Affected medical devices may include pacemakers, blood glucose monitors, ultrasound systems and insulin pumps.
Health Canada is not aware of any reports of patient harm related to these cybersecurity vulnerabilities in Canada or in any other country. The Department considers the risk of a cyberattack to be low. The vulnerabilties create a risk to users only when an unauthorized user would specifically seek to exploit them.
The SweynTooth vulnerabilities could allow an unauthorized user to potentially:
- Crash the device. The device may stop communicating or stop working.
- Deadlock the device. The device may freeze and stop working correctly.
- Bypass security. An unauthorized user may try to access device functions normally available only to an authorized user.
Health Canada is aware of several BLE chip manufacturers that are affected by these cybersecurity vulnerabilities:
- Texas Instruments
- NXP
- Cypress
- Dialog Semiconductors
- Microchip
- STMicroelectronics
- Telink Semiconductor
Health Canada is working with manufacturers to identify affected medical devices in Canada, evaluate the risks, and to ensure that necessary action is taken. The Department will update Canadians if significant new information becomes available.
Information for patients, parents and caregivers
- If you have this type of device and it is not working properly, contact your healthcare provider or your device’s manufacturer to help you determine whether your device could be affected and if you should take action.
- Follow instructions, including software patches, from your device’s manufacturer to address the problem as they become available.
- Report any problems or adverse effects you have with your medical device to Health Canada, including those related to cybersecurity.
Information for healthcare professionals
- Work with device manufacturers to identify medical devices that could be at risk.
- Advise patients who use affected medical devices of the steps they can take to mitigate risk associated with this vulnerability.
- Remind patients who use potentially affected medical devices to seek medical help right away if they think the operation or function of their medical device has changed unexpectedly.
What to do: Monitor whether your device is working as usual. Contact your healthcare provider if you think your device is not working as expected.
