FORT MEADE, Md. - Joe K never had to worry about wearing his hearing aid to work at NSA buildings—until he upgraded his device a few years ago.
Joe, who is now the People with Disabilities Employee Resource Group (PWD ERG) Deaf and Hard of Hearing Subcommittee (DHHSC) chair, formerly used an analog hearing aid, which didn’t present a security risk. When he upgraded, he didn’t realize it was a problem until he was approached by a colleague wondering about the process for his new device to be approved by NSA Security & Counterintelligence (S&CI).
“Using hearing aids can be second nature, like putting your glasses on. Sometimes you don’t think about the technology behind it,” Joe said. “Many of us [deaf and hard of hearing affiliates] weren’t aware of the security requirements to bring them in NSA buildings.”
Starting in 2019, hearing aids began incorporating “hands-free calling,” a two-way audio Bluetooth technology. The new technology, however, presented an increased security threat to NSA — the potential for the transmission of classified conversations outside of a Sensitive Compartmented Information Facility (SCIF).
The issue with hearing aid technological improvements eventually brought together a number of stakeholders — including NSA Security & Counterintelligence (S&CI), NSA Research, and a Walter Reed Medical Center audiologist with close ties to the Veterans Administration (VA). The goal was to figure out how the deaf and hard of hearing community could take advantage of the new technology without compromising security.
“The reason manufacturers are putting two-way audio Bluetooth in hearing aids is because it improves audio quality. It allows people to hear and speak through phone calls more clearly without holding the phone up to their ear and mouth,” said Jason B, technology officer for the PWD ERG DHHSC. “In the past, many hearing aids included a one-way Bluetooth feature which did not pose a threat. But lately, the two-way audio Bluetooth feature is being added as standard in all hearing aids, and that is where it became pretty problematic.”
Some jobs at NSA specifically require keen hearing to listen to and translate audio samples. Without the support of a hearing aid, some affiliates would be unable to perform their jobs successfully, Jason explained.
“I met with the chief of S&CI to brief him on the importance of hearing aids and how they allow members of the DHH community to do our jobs,” Jason said. “Mitigating security risks of modern hearing aid devices is essential because there are currently thousands of NSA employees with both diagnosed and undiagnosed hearing loss, and potentially thousands more that could be impacted in the future.”
S&CI’s Office of Physical Security conducted some initial testing of devices equipped with this new two-way audio Bluetooth technology and determined the new hands-free calling feature would, in fact, introduce a wireless microphone into a SCIF, presenting a big security challenge.
“Mitigations were being considered to address the new challenge but the COVID pandemic intervened,” said Heather J, technical director in S&CI’s Office of Physical Security. “We were working hard because we knew this was important, but we couldn’t rush something that could have such serious implications.”
As denials of hearing aid applications began to pile up, some of the Agency ERGs stepped in to advocate on behalf of the affected workforce, according to Jason. The American Veterans ERG (AV ERG) raised the recurring denial concerns to the PWD ERG.
Around the same time as the spike in hearing aid denials at NSA, an audiologist from Walter Reed Medical Center noticed a large number of her VA patients were returning new devices she had prescribed due to their inability to wear them at work. The audiologist contacted S&CI to gain insight into the problem, and S&CI engaged Research’s Laboratory for Advanced Cybersecurity Research (LACR) to help find a solution.
One of the biggest challenges with assessing medical devices with two-way audio Bluetooth is that most of the information about the devices is proprietary, according to Stephanie P, Internet of Things (IoT) Security team lead for LACR’s Trust Mechanisms office.
“We were really fortunate that the audiologist worked closely with Veterans Affairs and had connections with the six major companies that manufacture hearing aids,” Heather said. “She was able to provide context to them on the hands-free Bluetooth feature, share the challenges it presented to employers, and discuss potential solutions.”
When a new hearing aid needed to be evaluated, the LACR team was there with its tailored test scenarios, Stephanie explained.
“We provided detailed testing reports and vulnerability analysis, empowering senior leadership to make informed decisions on which devices to allow into our secured spaces,” she said. “One of the largest hearing aid manufacturers offered a disablement mitigation,” by programming software into its devices that would allow only the audiologist to deactivate the two-way audio Bluetooth feature. The user would still have the benefit of streaming the audio, one-way, directly into their hearing aid without external transmission.
“This viable mitigation was a monumental first step in ensuring NSA affiliates could have access to the latest advances in smart medical technology while at work,” said Stephanie, explaining Research doesn’t normally do this type of work but was pulled in to lead the Bluetooth assessment because of its expertise in IoT security.
In early 2023, the Agency announced it would allow this company’s Bluetooth hearing aids in SCIFs after going through the approval process.
The challenge of these two-way audio Bluetooth medical devices isn’t limited to NSA, according to Heather, who has been partnering with Office of the Director of National Intelligence (ODNI) to address concerns across the Intelligence Community.
“I wrote the current [NSA hearing aid Bluetooth mitigation] policy and am currently working with ODNI to write the medical device policy, which will apply to the entire Intelligence Community,” Heather said.
Both Heather and Stephanie are thrilled at the progress that has been made.
“I am extremely happy and proud that I was able to play a part in allowing certain Bluetooth enabled hearing aids into NSA SCIFs,” Stephanie said. “It is fantastic that this work is enabling employees with hearing loss to be able to take advantage of the latest advancements in hearing aid technology while they’re at work.”
“Balancing the needs of our workforce with the security of our facilities is getting harder as technologies get more advanced,” Heather agreed. “We’re really excited to have a way forward for this hearing aid feature, and we’re continuing to look at novel ways to mitigate new and emerging technical threats to maximize our ability to permit the latest and greatest in technology without compromising our missions.”
NSA Media Relations
MediaRelations@nsa.gov
443-634-0721