Most of the devices we see at Promenade now involve a commercial tablet connected to the medical device. It makes perfect sense from a usability/human factors standpoint; users are familiar with tablets and the user experience is great. But of course, using a commercial, off-the-shelf mobile unit with wireless communications brings some security challenges. The FDA is now scrutinizing submissions for adherence to its pre-market cybersecurity guidance, and a new guidance (currently in draft form) is coming soon. We have had several clients come to us for help with their submission, specifically because their submission was rejected on account of cybersecurity.
When controlling a medical device over BLE, a Man-in-the-Middle (MITM) attack is a primary concern. This means that when the device and tablet communicate, a third device in the vicinity inserts itself between them and emulates each device to the other, thereby controlling the device without the user knowing. Previously, a Medtronic insulin pump was recalled by the FDA for fear a hacker could maliciously change the insulin dosage from nearby. Implantable cardiac devices and telemetry systems have had similar recalls and warnings.
But most of the security recalls we are seeing are easily avoidable when using modern BLE modules. First, make sure to use a chip that supports Bluetooth 4.2 or above. Prior to version 4.2, Bluetooth used a unique encryption key transfer during pairing, with exploitable vulnerabilities. BLE 4.2 uses the Federal Information Processing Standard (FIPS) compliant Elliptic Curve Diffie-Hellman (ECDH) algorithm for key exchange, which is considered robust and secure. It also uses AES-CCM for message encryption, resulting in link-layer security protecting against eavesdropping and Man-in-the-Middle (MITM) attacks.
Just because the BLE chip supports Bluetooth 4.2 doesn’t mean you have enabled its security features. You need to verify that you are actually encrypting. These chips have many modes, the simplest being “Just Works” – i.e. no encryption. You may think security is enabled, but because of a configuration error, the link drops down to “Just Works”.
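One way to run that check, as an added example (not Promenade's code): parse the Pairing Request and Pairing Response captured with a BLE sniffer and work out which association model the two sides actually negotiated. The PDU layout and selection rules come from the Bluetooth Core Specification (Vol 3, Part H), not from this article; the function names and sample bytes are constructed for illustration.

```python
# Added example: audit a sniffed BLE SMP pairing exchange for a silent fall-back.
IO_CAPS = {0: "DisplayOnly", 1: "DisplayYesNo", 2: "KeyboardOnly",
           3: "NoInputNoOutput", 4: "KeyboardDisplay"}
MITM, SC = 0x04, 0x08                      # AuthReq bits
PAIRING_REQ, PAIRING_RSP = 0x01, 0x02      # SMP opcodes

def parse_pairing(pdu: bytes, expected_code: int) -> dict:
    """Parse a 7-byte SMP Pairing Request/Response PDU."""
    if len(pdu) != 7 or pdu[0] != expected_code:
        raise ValueError(f"not an SMP pairing PDU with code {expected_code:#04x}")
    _code, io, oob, auth, key_size, _init_dist, _rsp_dist = pdu
    if io not in IO_CAPS or not 7 <= key_size <= 16:
        raise ValueError("reserved IO capability or invalid key size")
    return {"io": io, "oob": bool(oob), "mitm": bool(auth & MITM),
            "sc": bool(auth & SC), "key_size": key_size}

def audit_pairing(req_pdu: bytes, rsp_pdu: bytes) -> dict:
    """Return the association model the two PDUs select, plus findings."""
    a, b = parse_pairing(req_pdu, PAIRING_REQ), parse_pairing(rsp_pdu, PAIRING_RSP)
    sc = a["sc"] and b["sc"]               # LE Secure Connections needs both sides
    ios = {a["io"], b["io"]}
    oob = (a["oob"] or b["oob"]) if sc else (a["oob"] and b["oob"])
    if oob:
        model = "Out of Band"
    elif not (a["mitm"] or b["mitm"]) or 3 in ios:
        model = "Just Works"               # nobody asked for MITM, or no usable I/O
    elif sc and ios <= {1, 4}:
        model = "Numeric Comparison"
    elif ios & {2, 4}:
        model = "Passkey Entry"
    else:
        model = "Just Works"               # display-only on both sides
    key_size = min(a["key_size"], b["key_size"])
    findings = []
    if model == "Just Works":
        findings.append("unauthenticated pairing: no MITM protection")
    if not sc:
        findings.append("LE legacy pairing: no ECDH key exchange")
    if key_size < 16:
        findings.append(f"encryption key shortened to {key_size} bytes")
    return {"model": model, "secure_connections": sc,
            "key_size": key_size, "findings": findings}

# Constructed sample PDUs (not from a real capture).
TABLET_REQ = bytes([0x01, 0x04, 0x00, 0x0D, 16, 0x03, 0x03])   # KeyboardDisplay, MITM+SC
DEVICE_BAD = bytes([0x02, 0x03, 0x00, 0x01, 16, 0x01, 0x01])   # NoInputNoOutput, bonding only
DEVICE_OK = bytes([0x02, 0x01, 0x00, 0x0D, 16, 0x03, 0x03])    # DisplayYesNo, MITM+SC
```

An empty `findings` list for the production firmware's pairing exchange is the evidence to keep with the risk analysis; any entry means the link negotiated something weaker than intended.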
So, there is no reason to avoid a commercial tablet as a User Interface. Making devices more user-friendly is a positive, for both safety and marketability. But do your risk analysis and make sure you secure the communication.