Cybersecurity vulnerabilities associated with some medical devices with Bluetooth Low Energy chips
- Starting date:
- March 11, 2020
- Type of communication:
- Information Update
- Medical Device
- Source of recall:
- Health Canada
- Important Safety Information
- Healthcare Professionals
- Identification number:
- Product: Some medical devices that use Bluetooth Low Energy (BLE) chips
- Issue: Cybersecurity vulnerabilities
- What to do: Monitor whether your device is working as usual. Contact your healthcare provider if you think your device is not working as expected.
OTTAWA – Health Canada is informing Canadians, healthcare professionals, and manufacturers about a series of cybersecurity vulnerabilities named “SweynTooth”. These vulnerabilities may affect devices using the Bluetooth Low Energy (BLE) protocol. Because of these vulnerabilities, some medical devices that use BLE chips could be at risk of a cyber attack. Affected medical devices may include pacemakers, blood glucose monitors, ultrasound systems and insulin pumps.
Health Canada is not aware of any reports of patient harm related to these cybersecurity vulnerabilities in Canada or in any other country. The Department considers the risk of a cyberattack to be low. The vulnerabilties create a risk to users only when an unauthorized user would specifically seek to exploit them.
The SweynTooth vulnerabilities could allow an unauthorized user to potentially:
- Crash the device. The device may stop communicating or stop working.
- Deadlock the device. The device may freeze and stop working correctly.
- Bypass security. An unauthorized user may try to access device functions normally available only to an authorized user.
Health Canada is aware of several BLE chip manufacturers that are affected by these cybersecurity vulnerabilities:
- Texas Instruments
- Dialog Semiconductors
- Telink Semiconductor
Health Canada is working with manufacturers to identify affected medical devices in Canada, evaluate the risks, and to ensure that necessary action is taken. The Department will update Canadians if significant new information becomes available.
Information for patients, parents and caregivers
- If you have this type of device and it is not working properly, contact your healthcare provider or your device’s manufacturer to help you determine whether your device could be affected and if you should take action.
- Follow instructions, including software patches, from your device’s manufacturer to address the problem as they become available.
- Report any problems or adverse effects you have with your medical device to Health Canada, including those related to cybersecurity.
Information for healthcare professionals
- Work with device manufacturers to identify medical devices that could be at risk.
- Advise patients who use affected medical devices of the steps they can take to mitigate risk associated with this vulnerability.
- Remind patients who use potentially affected medical devices to seek medical help right away if they think the operation or function of their medical device has changed unexpectedly.
Information for manufacturers and importers
- Determine whether any of your medical devices are affected. If so, report medical devices with this cybersecurity vulnerability to Health Canada at firstname.lastname@example.org;
- Conduct a risk assessment, and identify and implement any required risk mitigation measures.
- Evaluate whether your device(s) should be recalled. If a recall is required, advise Health Canada before initiating one at email@example.com.
- Inform customers and patients of appropriate mitigation measures that can be implemented before the release of a software patch (e.g., turning Bluetooth Low Energy off on devices where it is not essential to device performance). If a software patch is required, consult Health Canada’s Guidance for the Interpretation of Significant Change of a Medical Device.
- Report any medical device incidents brought to your attention to Health Canada by calling toll-free at 1-800-267-9675, or by reporting online.
- Health Canada has recently published guidance on Pre-market Requirements for Medical Device Cybersecurity to help protect patient safety. The new guidance describes how and when to implement strategies to reduce potential risks associated with medical devices that contain software and technology that enable communication with outside networks.
Important Safety Information
Who is affected
General Public, Healthcare Professionals
- Health Canada
- 1-866 225-0709
- Date modified: