Recently, HSA shared their findings on a set of cybersecurity vulnerabilities called “BrakTooth” that has been affecting several types of active medical devices. These include IOT devices and medical devices that use specific Bluetooth Link Manager Protocols. Ten major companies have been identified as using Bluetooth Classic Chips and affected as of today.
Medical Devices exposed to BrakTooth will give way to intruders to execute deadlocks, crashes, and arbitrary codes. These events will lead to failure of critical device functions. To counter these, manufacturers have developed security patches for their respective Bluetooth chips in the affected devices.
Stakeholders can access SingCERT Alert and SUTD Publication for detailed information regarding the issues and how to determine if their device is affected by BrakTooth:
- SingCERT Alert: https://www.csa.gov.sg/singcert/Alerts/al-2021-051
- SUTD Publication: http://www.braktooth.com
In addressing the mentioned cybersecurity vulnerability, stakeholders are also encouraged to collaborate with the developers/manufacturers. HSA shared the following pointers for stakeholder’s reference:
- Identify affected devices via SingCERT Alert or SUTD Publication.
- Report the affected devices to HSA using the following email address: HSA_MD_INFO@hsa.gov.sg
- Assess the risks that the vulnerabilities present and its impact to the devices with respect to their intended uses
- Plan for risk mitigation that includes short – term work – around as a management solution until a security patch is released.
- Implement security patches on time on all affected devices.
- Inform healthcare institutions as well as medical device end users about the risk of the cybersecurity vulnerabilities and the harm to patients and users.