Malaysia-based digital health platform DoctorOnCall partners with Merchantrade to expand user base.
March 4, 2020
 

The FDA is warning of new cybersecurity vulnerabilities affecting Bluetooth Low Energy communications technology used in certain medical devices. According to the agency, the issue could allow unauthorized users to wirelessly crash a device, prevent it from working or access functions limited to its users.

The FDA says the vulnerabilities – referred to as "SweynTooth" by the researchers who identified them – could impact connected worn or implanted devices such as glucose monitors, insulin pumps, pacemakers and stimulators, as well as larger devices in healthcare facilities like ultrasound devices or monitors. To the agency's knowledge, no such cases have yet occurred.

So far, the regulator has listed seven microchip manufacturers that it knows are affected: Texas Instruments, NXP, Cypress, Dialog Semiconductors, Microchip, STMicroelectronics and Telink Semiconductor. 

However, the FDA said that it is already aware of patch releases from "several" microchip manufacturers that address these issues, as well as medical-device companies that are investigating their products for vulnerabilities.

"The agency is asking medical device manufacturers to communicate to health care providers and patients which medical devices could be affected by SweynTooth and ways to reduce associated risk," the agency wrote in its announcement of the vulnerabilities. "Patients should talk to their health care providers to determine if their medical device could be affected and to seek help right away if they think their medical device is not working as expected."

WHAT'S THE IMPACT

Bluetooth Low Energy is a mainstay among devices found in hospitals and on retail store shelves. With more devices embracing wireless communications each day, a flaw in the technology providing full access to medical devices is a major risk to digital-health-product manufacturers, not to mention their customers.

"Medical devices are becoming increasingly connected, and connected devices have inherent risks, which make them vulnerable to security breaches. These breaches potentially impact the safety and effectiveness of the device and, if not remedied, may lead to patient harm," Dr. Suzanne Schwartz, deputy director of the Office of Strategic Partnerships and Technology Innovation in the FDA's Center for Devices and Radiological Health, said in a statement. "The FDA recommends that medical device manufacturers stay alert for cybersecurity vulnerabilities and proactively address them by participating in coordinated disclosure of vulnerabilities as well as providing mitigation strategies."

THE LARGER TREND

As hospitals continue to embrace the internet of things, experts have advocated for greater cybersecurity efforts and a decentralized network to limit the risks posed by connected medical devices. On the flip side, these concerns have provided a boost to startups specializing in device security and fueled funding rounds for companies like Medigate ($15 million in January 2019) and MedCrypt ($5.3 million in May 2019).

 

Google made waves in the fall when the WSJ reported that the tech company had been working with Ascension since 2018 on a collaboration involving patient data, called Project Nightingale. While the partnership appears to be HIPAA compliant, the news drew concerns among patients, providers and legislators.

Earlier this week, a group of three senators, including Elizabeth Warren (D-MA), Richard Blumenthal (D-CT) and Dr. Bill Cassidy (R-LA), sent a follow-up letter to Ascension CEO Joseph Impicciche regarding concerns they hold about Project Nightingale.  

This is not the first letter the trio has penned questioning the project. In November they sent a letter to Google raising a number of questions regarding the privacy and security of patient data, and received a reply in early December.

"However, because Google’s response did not answer a number of our questions pertaining to Ascension’s involvement, we are requesting additional details from Ascension to help us better understand how Project Nightingale protects the sensitive health information of American patients," the senators wrote in the more recent letter.  

The senators laid out a number of questions surrounding patient consent to data use and privacy concerns. The senators are pressuring the health system for more information regarding the number of Google employees with access to the data and exactly what information is in the records.

"Google, for example, did not provide us with a 'full and complete list of patient-level information' that the company is receiving from Ascension, nor did it provide an exact number of healthcare records that it had received under Project Nightingale," the letter read. 

The senators also asked if patients had advance notice of Google’s retention of their EHR, and if they had the ability to opt out of data sharing. Specifically, the senators inquired about whether the patients’ data would be used for research purposes. 

The senators point out that, in the December letter from Google, the tech giant said that "providing notice to patients of uses and retention of [personal health information] by a covered entity and its business associations is the responsibility of the covered entity." The senators asked Ascension to clarify exactly what patients knew about their data being used.

The March letter ends by asking if Ascension is aware of any data breaches that would "present a risk of any outside party obtaining access to personal health information."

WHY IT MATTERS 

As big tech moves into healthcare, patient privacy has been a concern among stakeholders.

"While improving the sharing, accessibility, and search-ability of healthcare data for providers could almost certainly lead to improvements in care, the role of Google in developing such a tool warrants scrutiny," the senators wrote in the letter.

THE LARGER TREND 

Last year, news broke that Google and the University of Chicago Medical Center were being sued for violating patients' privacy following a data-sharing partnership that the two parties inked two years ago. The class action lawsuit, which was first reported on by the New York Times, accused the hospital system of sharing data with the tech conglomerate that could be identifiable, namely doctor's notes and the time frame of their visits. 

Google has also been in hot water on the other side of the pond. In 2016 the UK's NHS signed a deal with DeepMind that led to press and UK government criticism after an investigative report by the New Scientist revealed that Google would have access to a huge trove of patient data without the patients' express consent, a potential violation of NHS information governance principles.

 
 
 
 
 
Based on the latest figures from the World Health Organization, as of the morning of March 3, there have been nearly 91,000 confirmed cases of COVID-19 globally.

 
 
 
The California company will be strengthening its proprietary member data platform and plan offerings.

 
 
 
As part of the deal Flare Capital Partners' Bill Geary will be joining the board of directors.

 
 
 
With the authorization by HSA, the VereCoV Detection Kit can be used directly by laboratories or hospitals to test patients for clinical diagnosis as an in-vitro diagnostic product (IVD).

 
 
HIMSS20 Preview
 
During the opening days of HIMSS20, attendees will unpack key topics that play a pivotal role in the evolution of healthcare and how it cares for patients. With programs focused on education, networking and problem solving, attendees of these forums and specialty programs will focus on the top health information and technology trends shaping the future of healthcare.
 
 
By HIMSS Insights
 
There is a renaissance of wearables in digital healthcare. More and more of them, many AI-empowered, are finding their way into serious clinical trials, thus contributing to medical evidence and ultimately better patient care. But with data comes responsibility: The question of how to design a digital healthcare data space that respects the privacy of individuals while at the same time providing maximal medical benefit is more important than ever.

 
 
HIMSS20
 
What you need to know
 
The 2020 HIMSS Global Health Conference & Exhibition, which takes place March 9-13 at the Orange County Convention Center in Orlando, is fast approaching. Be sure to check here regularly at Healthcare IT News for our previews, onsite coverage and recaps of the big show. From now into the spring, our editors, reporters and videographers will bring you all the must-know information about new technologies, healthcare trends, policy changes and other innovations, insights and interviews with top thought leaders across this fast-evolving industry.
 
 
 
 
 
2 Monument Sq., Ste 400 Portland, ME 04101
 
 