Securing BLE for Medical Devices

June 30, 2019

Most of the devices we see at Promenade now involve a commercial tablet connected to the medical device. It makes perfect sense from a usability/human factors standpoint; users are familiar with tablets and the user experience is great. But of course, using a commercial, off-the-shelf mobile unit with wireless communications brings some security challenges. The FDA is now scrutinizing submissions for adherence to its pre-market cybersecurity guidance, and a new guidance (currently in draft form) is coming soon. We have had several clients come to us for help with their submission, specifically because it was rejected on account of cybersecurity.

Man-in-the-Middle Attack


When controlling a medical device over BLE, a Man-in-the-Middle (MITM) attack is a primary concern. This means that when the device and tablet communicate, a third device in the vicinity inserts itself between them and emulates each device to the other, thereby controlling the medical device without the user knowing. Just 2 days ago (as of writing this post) a Medtronic insulin pump was recalled by the FDA for fear a hacker could maliciously change the insulin dosage from nearby. Implantable cardiac devices and telemetry systems have had similar recalls and warnings.


But most of the security recalls we are seeing are easily avoidable if you use modern BLE modules. First, make sure to use a chip that supports Bluetooth 4.2 and above. Prior to version 4.2, BLE pairing used its own encryption key transfer scheme, which has exploitable vulnerabilities. BLE 4.2 uses the Federal Information Processing Standard (FIPS) compliant Elliptic Curve Diffie-Hellman (ECDH) algorithm for key exchange, which is considered robust and secure. It also uses AES-CCM for message encryption, resulting in link-layer security that protects against eavesdropping and Man-in-the-Middle (MITM) attacks.


Just because the BLE chip supports Bluetooth 4.2, that doesn’t mean you have enabled its security features. You need to verify that you are actually encrypting. These chips have many pairing modes, the simplest being “Just Works” – i.e. no encryption. You may be thinking a secure mode is enabled, but because of a configuration error, the stack silently drops down to “Just Works”.
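To make the “verify that you are actually encrypting” step concrete, here is an added Python example (written for this page, not code from Promenade or from the original post) that reproduces the Security Manager's pairing-method selection from the pairing feature exchange: given each side's IO capability, the MITM and SC bits of AuthReq, and the OOB flag, it reports which method is negotiated, whether LE Secure Connections (ECDH) or pre-4.2 legacy pairing is used, and whether the result is authenticated. The mapping follows the Bluetooth Core Specification (Vol 3, Part H, 2.3.5.1); the tablet and device configurations at the bottom are constructed samples. The caveat it encodes: “Just Works” is an unauthenticated pairing, so nothing ties the key to the intended peer, and the check that matters is “Secure Connections with an authenticated method”, not merely “pairing succeeded”.

```python
from dataclasses import dataclass
from enum import Enum


class IoCap(Enum):
    """IO capability values exchanged in the SMP Pairing Request/Response."""
    DISPLAY_ONLY = "DisplayOnly"
    DISPLAY_YESNO = "DisplayYesNo"
    KEYBOARD_ONLY = "KeyboardOnly"
    NO_INPUT_NO_OUTPUT = "NoInputNoOutput"
    KEYBOARD_DISPLAY = "KeyboardDisplay"


@dataclass(frozen=True)
class PairingFeatures:
    """The parts of one side's pairing feature exchange that decide the method."""
    io_cap: IoCap
    mitm: bool                 # AuthReq MITM bit: this side requires an authenticated key
    secure_connections: bool   # AuthReq SC bit: ECDH (4.2+) key exchange supported
    oob: bool = False          # OOB data flag


@dataclass(frozen=True)
class PairingOutcome:
    method: str          # "Just Works", "Passkey Entry", "Numeric Comparison" or "OOB"
    legacy: bool         # True: LE legacy pairing (pre-4.2 key transfer); False: Secure Connections
    authenticated: bool  # True only for methods that defeat an active MITM during pairing


def _io_capability_table(a: IoCap, b: IoCap, legacy: bool) -> str:
    # Encodes Core Spec Vol 3, Part H, Tables 2.7 (legacy) and 2.8 (Secure Connections)
    caps = {a, b}
    if IoCap.NO_INPUT_NO_OUTPUT in caps:
        return "Just Works"
    if IoCap.KEYBOARD_ONLY in caps:
        return "Passkey Entry"
    if IoCap.DISPLAY_ONLY in caps:
        # DisplayOnly can only be authenticated against a peer able to type the passkey
        return "Passkey Entry" if IoCap.KEYBOARD_DISPLAY in caps else "Just Works"
    # Both sides are DisplayYesNo or KeyboardDisplay
    if not legacy:
        return "Numeric Comparison"
    return "Just Works" if caps == {IoCap.DISPLAY_YESNO} else "Passkey Entry"


def select_pairing_method(initiator: PairingFeatures, responder: PairingFeatures) -> PairingOutcome:
    """Apply the SMP method-selection rules (Core Spec Vol 3, Part H, 2.3.5.1)."""
    legacy = not (initiator.secure_connections and responder.secure_connections)
    # OOB: legacy pairing needs OOB data on both sides, Secure Connections on either side
    if (initiator.oob and responder.oob) if legacy else (initiator.oob or responder.oob):
        return PairingOutcome("OOB", legacy, True)
    # When neither side asks for MITM protection, IO capabilities are ignored
    if not (initiator.mitm or responder.mitm):
        return PairingOutcome("Just Works", legacy, False)
    method = _io_capability_table(initiator.io_cap, responder.io_cap, legacy)
    return PairingOutcome(method, legacy, method != "Just Works")


def audit_pairing(initiator: PairingFeatures, responder: PairingFeatures) -> list:
    """Findings explaining why a pairing is not 'Secure Connections + authenticated'.
    An empty list means the configuration yields link-layer security with MITM protection."""
    outcome = select_pairing_method(initiator, responder)
    findings = []
    if outcome.legacy:
        findings.append("LE legacy pairing: at least one side did not set the SC bit, "
                        "so the pre-4.2 key transfer is used instead of ECDH")
    if not outcome.authenticated:
        reasons = []
        if not (initiator.mitm or responder.mitm):
            reasons.append("neither side set the MITM bit in AuthReq")
        for role, f in (("initiator", initiator), ("responder", responder)):
            if f.io_cap is IoCap.NO_INPUT_NO_OUTPUT:
                reasons.append(f"{role} advertises NoInputNoOutput")
        detail = f" ({'; '.join(reasons)})" if reasons else ""
        findings.append(f"{outcome.method} negotiated: no MITM protection{detail}")
    return findings


# Constructed sample configurations: a tablet app (initiator) and a medical device (responder)
TABLET = PairingFeatures(IoCap.KEYBOARD_DISPLAY, mitm=True, secure_connections=True)
DEVICE_OK = PairingFeatures(IoCap.DISPLAY_YESNO, mitm=True, secure_connections=True)
DEVICE_NO_IO = PairingFeatures(IoCap.NO_INPUT_NO_OUTPUT, mitm=True, secure_connections=True)  # headless module default
DEVICE_LEGACY = PairingFeatures(IoCap.DISPLAY_YESNO, mitm=True, secure_connections=False)    # SC bit never enabled

if __name__ == "__main__":
    for label, dev in (("ok", DEVICE_OK), ("no IO", DEVICE_NO_IO), ("legacy", DEVICE_LEGACY)):
        print(label, select_pairing_method(TABLET, dev), audit_pairing(TABLET, dev))
```

Feed it the pairing parameters your firmware is configured with and the ones the tablet app presents; any finding from `audit_pairing` is the silent fallback the paragraph warns about. Most stacks also report the resulting security level of a connection after pairing (encrypted versus encrypted and authenticated); that reported level, not the configuration you intended, is the value to log and verify during testing.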


So, there is no reason to avoid a commercial tablet as a user interface. Making devices more user friendly is a positive, for both safety and marketability. But do your risk analysis and make sure you secure the communication.


Frances Cohen

Frances Cohen is President of Promenade Software Inc., a leading software services firm specializing in medical device and safety-critical system software. Frances has more than 20 years of experience leading software teams for medical device software. Starting with heart defibrillators for Cardiac Science and following with Source Scientific LLC and BIT Analytical Instruments Inc., Frances has overseen dozens of projects through development and the FDA, including IDEs, 510(k)s, and PMAs. Frances has a B.S. in computer engineering from the Technion, Israel Institute of Technology.

About Promenade Software

Promenade Software, Inc. specializes in software development for medical devices and other safety-critical applications.
Promenade is ISO 13485 and 9001 certified.

Contact

Promenade Software, Inc.
16 Technology Drive, Suite 100
Irvine, CA 92618, U.S.A.
email: info@promenadesoftware.com
phone: (949) 333-4634