Cybersecurity for Bluetooth Medical Devices: Webinar

Randy Horton

Bluetooth Low Energy (BLE) is a commodity protocol used by all kinds of devices for communication, connectivity and interoperability. Your sensitive BLE-enabled medical device will be sharing the same spectrum as unsecured, everyday consumer electronics. How do you address the security challenges that arise from running a device on BLE without compromising patient safety and device usability?

On June 29th, 2023, Orthogonal and MedSec held a webinar on cybersecurity for Bluetooth-enabled medical devices, part two of our joint Bluetooth Low Energy for Medical Devices Webinar Series. This webinar featured a discussion with Michelle Jump, CEO of MedSec, Buddy Smith, MedSec’s Director of Technical Consulting, and Bernhard Kappe, Orthogonal’s CEO and Founder. It was moderated by Randy Horton, Chief Solutions Officer at Orthogonal.

Video Recording

Key Takeaway Points

  • The FDA and its counterparts in other countries are starting to demand more documentation around security for connected medical devices than ever before. To align your Bluetooth cybersecurity approach with the FDA’s requirements, you should capture Bluetooth in your threat model and risk assessment, create requirements around Bluetooth to ensure the most secure configuration possible, and develop a plan for Over the Air (OTA) firmware updates. If your device relies on a cloud system for communication, you should also develop a plan for when that system goes down.


  • When your medical device hardware is connected via Bluetooth to a consumer’s smartphone, it is surrounded by other devices that may be talking to the smartphone over Bluetooth. Other unrelated apps and devices could potentially communicate with your device or your app. To mitigate the risk, it’s recommended that you widen the scope of your penetration testing and add extra layers of encryption to prevent app tampering.
  • Vulnerabilities may come from within the subcomponents that make up your software, like the Bluetooth chip or the Bluetooth stack. Maintaining a detailed Software Bill of Materials (SBOM) will aid your development and be a great resource for regulators. It’s also recommended to establish consistent change management processes, as well as a cycle for software updates, to keep up with the fast pace of cybersecurity.
  • Cybersecurity needs to be part of your development process from the start. Penetration tests, V&V and other kinds of tests should inform your design and development, rather than being done at the end, and should take into account all parts of the connected system.
  • Best practices from organizations such as OWASP, NIST and Bluetooth SIG are highly recommended when designing your application.




Bernhard Kappe, CEO and Founder, Orthogonal

Bernhard Kappe is the Founder and CEO of Orthogonal. For over a decade, Bernhard has provided thought leadership and innovation in the fields of Software as a Medical Device (SaMD), Digital Therapeutics (DTx) and connected medical device systems. As a leader in the MedTech industry, Bernhard has a passion for launching successful medical device software that makes a difference for providers and patients, as well as helping companies deliver more from their innovation pipelines. He’s the author of the eBook Agile in an FDA Regulated Environment and a co-author of the AAMI Consensus Report on cloud computing for medical devices. Bernhard was the founder of the Chicago Product Management Association (ChiPMA) and the Chicago Lean Startup Challenge. He earned a Bachelor’s and Master’s in Mathematics from the University of Pennsylvania, and a Bachelor of Science and Economics from the Wharton School of Business.



Michelle Jump, CEO, MedSec

Michelle Jump is the Chief Executive Officer at MedSec, where she is responsible for providing strategic leadership, training and education to the medical device industry and thought leadership in the area of medical device cybersecurity practices and process. She also participates in a variety of domestic and international standards, as well as relevant industry and governmental initiatives to support security within the healthcare industry.



Buddy Smith, Director of Technical Consulting, MedSec

Buddy Smith is a security engineer focused on protecting electronic devices from attack. He has an extensive background in firmware development, bringing his passion for embedded development to the security world. In his 15 years of experience, Buddy has worked in cryptography, hardware design, firmware engineering, and information security. In his role at MedSec, he has supported clients with regulatory filings, performed penetration tests of devices and created threat models for systems, from long-lived implantable devices to bedside infusion pumps.

Buddy holds a Bachelor of Science in Computer Engineering from the Georgia Institute of Technology, and is an Offensive Security Certified Professional. He is also an IEEE Senior Member.




Randy Horton, Chief Solutions Officer, Orthogonal

Randy Horton is Chief Solutions Officer at Orthogonal, a software consulting firm that improves patient outcomes faster by helping MedTech firms accelerate their development pipelines for Software as a Medical Device (SaMD), digital therapeutics (DTx) and connected medical device systems. Orthogonal makes that acceleration happen by fusing modern software engineering and product management tools and techniques (e.g., Agile, Lean Startup, User-Centered Design and Systems Thinking) with the regulated focus on device safety and effectiveness that is at the heart of MedTech.

Horton serves as Co-Chair for AAMI’s Cloud Computing Working Group, as well as AAMI CR:510(2021) and the in-process Technical Information Report #115, all of which address how to safely move medical device computing functions into the cloud. He is a frequent speaker at conferences and webinars, including events hosted by AdvaMed, AAMI, HLTH, RAPS and the Human Factors and Ergonomics Society (HFES).
