In brief

On 1 September 2021, the Health Sciences Authority (HSA) published an advisory warning stakeholders of a new suite of cybersecurity vulnerabilities, known as “BrakTooth”, affecting medical devices that utilize certain Bluetooth Link Manager Protocols.

Recommended actions

For more information on the BrakTooth vulnerabilities and on how to identify whether your medical device is affected, the HSA recommends referring to the Singapore Computer Emergency Response Team (SingCERT) alert here, as well as the Singapore University of Technology and Design publication on BrakTooth here.

In depth

On 1 September 2021, the HSA published an advisory warning stakeholders of a new suite of cybersecurity vulnerabilities, known as “BrakTooth”, affecting medical devices that utilize certain Bluetooth Link Manager Protocols.

The BrakTooth vulnerabilities allow attackers within radio range to trigger crashes or deadlocks, or execute arbitrary code that will cause the device’s critical functions to fail.

Security patches developed by the respective Bluetooth chip developers have to be applied to affected devices in order to resolve the vulnerabilities.

Industry stakeholders have been advised to check their existing medical devices to determine whether any are affected by BrakTooth. Where vulnerabilities are identified, stakeholders should report the matter (including the affected devices) to HSA at [email protected].

Stakeholders are also advised to conduct risk assessments in relation to the vulnerabilities, including on the impact on the affected medical device’s intended use. The vulnerabilities should also be proactively conveyed to healthcare institutions and to end users of the affected medical devices, alongside recommended steps to take to reduce potential harm to users and patients.

SingCERT, which is the official government agency facilitating the detection, resolution and prevention of cybersecurity incidents in Singapore, has recommended that users and administrators of the affected devices immediately install the latest security updates from the relevant manufacturers. As a short-term mitigation measure, turning off the device’s Bluetooth communications protocol when not in use is also advised.