Information Update - Cybersecurity vulnerabilities associated with some medical devices with Bluetooth Low Energy chips

Summary

Product: Some medical devices that use Bluetooth Low Energy (BLE) chips
Issue: Cybersecurity vulnerabilities
What to do: Monitor whether your device is working as usual. Contact your healthcare provider if you think your device is not working as expected.

OTTAWA, March 11, 2020 /CNW/ - Health Canada is informing Canadians, healthcare professionals, and manufacturers about a series of cybersecurity vulnerabilities named "SweynTooth". These vulnerabilities may affect devices using the Bluetooth Low Energy (BLE) protocol. Because of these vulnerabilities, some medical devices that use BLE chips could be at risk of a cyber attack. Affected medical devices may include pacemakers, blood glucose monitors, ultrasound systems and insulin pumps.

Health Canada is not aware of any reports of patient harm related to these cybersecurity vulnerabilities in Canada or in any other country. The Department considers the risk of a cyberattack to be low. The vulnerabilities create a risk to users only if an unauthorized user specifically seeks to exploit them.

The SweynTooth vulnerabilities could allow an unauthorized user to potentially:

    --  Crash the device. The device may stop communicating or stop working.
    --  Deadlock the device. The device may freeze and stop working correctly.
    --  Bypass security. An unauthorized user may try to access device functions
        normally available only to an authorized user.

Health Canada is aware of several BLE chip manufacturers that are affected by these cybersecurity vulnerabilities:

    --  Texas Instruments
    --  NXP
    --  Cypress
    --  Dialog Semiconductors
    --  Microchip
    --  STMicroelectronics
    --  Telink Semiconductor

Health Canada is working with manufacturers to identify affected medical devices in Canada, evaluate the risks, and ensure that necessary action is taken. The Department will update Canadians if significant new information becomes available.

Information for patients, parents and caregivers:

    --  If you have this type of device and it is not working properly, contact
        your healthcare provider or your device's manufacturer to help you
        determine whether your device could be affected and if you should take
        action.
    --  Follow instructions, including software patches, from your device's
        manufacturer to address the problem as they become available.
    --  Report any problems or adverse effects you have with your medical device
        to Health Canada, including those related to cybersecurity.

Information for healthcare professionals:

    --  Work with device manufacturers to identify medical devices that could be
        at risk.
    --  Advise patients who use affected medical devices of the steps they can
        take to mitigate risk associated with this vulnerability.
    --  Remind patients who use potentially affected medical devices to seek
        medical help right away if they think the operation or function of their
        medical device has changed unexpectedly.

Information for manufacturers and importers:

    --  Determine whether any of your medical devices are affected. If so,
        report medical devices with this cybersecurity vulnerability to Health
        Canada at hc.meddevices-instrumentsmed.sc@canada.ca.
    --  Conduct a risk assessment, and identify and implement any required risk
        mitigation measures.
    --  Evaluate whether your device(s) should be recalled. If a recall is
        required, advise Health Canada at hc.meddev-matmed.sc@canada.ca before
        initiating one.
    --  Inform customers and patients of appropriate mitigation measures that
        can be implemented before the release of a software patch (e.g., turning
        Bluetooth Low Energy off on devices where it is not essential to device
        performance). If a software patch is required, consult Health Canada's
        Guidance for the Interpretation of Significant Change of a Medical
        Device.
    --  Report any medical device incidents brought to your attention to Health
        Canada by calling toll-free at 1-800-267-9675, or by reporting online.
    --  Health Canada has recently published guidance on Pre-market Requirements
        for Medical Device Cybersecurity to help protect patient safety. The new
        guidance describes how and when to implement strategies to reduce
        potential risks associated with medical devices that contain software
        and technology that enable communication with outside networks.

Related Links:

    --  U.S. Food and Drug Administration Safety Communication
    --  ICS-ALERT-20-063-01 SweynTooth Vulnerabilities

Also available in French

SOURCE Health Canada