Endpoint Security , Governance & Risk Management , Internet of Things Security
FDA: Strong Smartphone Magnets Can Affect Cardiac Devices
But Do Powerful Consumer Device Magnets Also Pose Security Risks?The Food and Drug Administration is warning that strong magnets in some cellphones and smartwatches can interfere with the performance and safety of certain pacemakers and other implantable devices. But do they also pose security risks?
See Also: SASE: Recognizing the Challenges of Securing a Hybrid Workforce
The FDA recently issued an advisory after Henry Ford Health System in January issued a study that found powerful magnets contained in Apple’s iPhone 12 can potentially deactivate certain implantable cardiac devices, such as defibrillators (see: Study: iPhone 12 Magnets Deactivate Cardiac Devices).
The FDA advisory, however, doesn't identify by brand the types of "newer cell phones, smartwatches, and other consumer electronics with high field strength magnets" that may temporarily affect the normal operation of implanted electronic medical devices, such as pacemakers and implantable defibrillators.
The agency acknowledges it reviewed recent studies describing the possibility of high field strength magnets causing certain implanted medical devices to switch to “magnet mode” and suspend normal operations until the magnet is moved away from the medical device.
"Based on our review, we decided to conduct our own testing to confirm and help inform appropriate recommendations for patients and consumers," the FDA says.
In a statement provided to Information Security Media Group, the FDA says: "In this case, the risk to the device comes from the magnetic field, and is therefore not a cybersecurity risk. While it presents a physical risk, it is not a cybersecurity risk."
The FDA declined to comment on the specific implantable devices and magnets that are referenced in the advisory. The agency also declined to comment on whether certain magnets could pose potential security issues to implantable devices.
Vigilance Warranted
Nevertheless, some security experts say healthcare entities need to be proactive in assessing the risks posed to medical devices by powerful magnets in consumer electronics.
"Facilities should keep in mind strong magnets - like the ones contained in smartphones - in their security risk assessments," says Francisco Rodríguez-Campos, senior project officer of medical imaging and device evaluation at patient safety institute ECRI.
"A strong magnet in very close proximity could pose an availability concern for the patient’s implantable cardiac device and its continuous delivery of care," he notes.
Malicious actors potentially could exploit the issues posed by powerful magnets to wage targeted attacks, some security experts say.
"Since there are many other ways to harm individuals in close physical proximity, the 'advantage' here is that perhaps this could be done discreetly, for example, on a long ride in a crowded elevator," says Elad Luz, a researcher at the healthcare security firm CyberMDX.
"Consider, however, that implanted devices would usually log this activity, which could later be investigated to understand this was a malicious act," he adds.
'Magnet Mode'
The FDA says many implanted medical devices are designed with a "magnet mode" to allow for safe operation during certain medical procedures, such as undergoing an MRI scan.
"These safety features are typically engaged by physicians with the use of a high field strength magnet that is placed near the implanted device, placing it into a 'magnet mode.' Removal of the magnetic field causes the device to return to normal operation," the agency notes.
But when near high-strength magnets such as those contained in some consumer electronics, medical devices with a magnetic safe mode could stop working or change how the device works, the FDA warns. "For example, a cardiac defibrillator may be unable to detect tachycardia events," the agency says.
"Cardiac implanted electronic devices are intended to support heart rhythm disorders, such as slow or fast heart rates. When the device stops working, a patient may experience dizziness, loss of consciousness or even death if therapy is not delivered when lifesaving shocks are required."
Taking Action
The FDA says the advisory aims to make patients and healthcare providers aware of the potential risks so they can take simple preventive measures.
One of the most important measures, the agency says, is to keep consumer electronics, including certain cellphones and smartwatches, 6 inches away from implanted medical devices.
"Do not carry consumer electronics in a pocket over the medical device. Check your device using your home monitoring system, if you have one," the FDA advises.
"We believe the risk to patients is low and the agency is not aware of any adverse events associated with this issue at this time," the FDA says. "However, the number of consumer electronics with strong magnets is expected to increase over time."
The agency says it will continue to monitor the effects of consumer electronics on the safe operation of implanted medical devices.
Bigger Worries?
Electromagnetic interference can also raise data integrity issues, some security experts say.
"Security concerns can arise based on electromagnetic interference in terms of the integrity of data that the device needs to be able to perform its functions. … Depending upon the strength of the interference, it may render the device inoperable and potentially have clinical or life safety impact," says former Boston Medical Center CISO Sumit Sehgal, who's now product director at device security firm Armis.
"This is an evolving area of research as we usher into the use of nanotechnology alongside legacy implantable devices that affect the type of threat modelling done today in order to identify risk," he notes.
"Interference can manifest itself not only through the electromagnetic spectrum, but through airspace technologies as well, such as Bluetooth and other peer-to-peer protocols," Sehgal notes.
In addition to cell phones and smartwatches, strong magnets are often found in speakers, hard drives "and other devices which may all trigger the issue discussed [in the FDA advisory]," says Luz of CyberMDX. "The research and FDA advisory specifically mentions mobiles and smartwatches probably because they are more likely to be wearable and in close proximity to the implanted device."
Sehgal adds: "Healthcare organizations, along with their risk management strategy, should have appropriate threat modelling exercises that align enterprise risk with clinical risk."