In brief
On 1 September 2021, the Health Sciences Authority (HSA) published an advisory warning stakeholders of a new suite of cybersecurity vulnerabilities, known as “BrakTooth”, affecting medical devices that utilize certain Bluetooth Link Manager Protocols.
Recommended actions
For more information on the BrakTooth vulnerabilities and on how to identify whether your medical device is affected, the HSA recommends referring to the Singapore Computer Emergency Response Team (SingCERT) alert, as well as the Singapore University of Technology and Design publication on BrakTooth.
In depth
On 1 September 2021, the HSA published an advisory warning stakeholders of a new suite of cybersecurity vulnerabilities, known as “BrakTooth”, affecting medical devices that utilize certain Bluetooth Link Manager Protocols.
The BrakTooth vulnerabilities allow attackers within radio range to trigger crashes or deadlocks, or execute arbitrary code that will cause the device’s critical functions to fail.
Security patches developed by the respective Bluetooth chip developers have to be applied to affected devices in order to resolve the vulnerabilities.
Industry stakeholders have been advised to check whether any of their existing medical devices are affected by BrakTooth. Where vulnerabilities are identified, stakeholders should report the matter (including the affected devices) to HSA at HSA_MD_INFO@hsa.gov.sg.
Stakeholders are also advised to conduct risk assessments in relation to the vulnerabilities, including their impact on the affected medical device’s intended use. The vulnerabilities should also be proactively conveyed to healthcare institutions and to end users of the affected medical devices, alongside recommended steps to take to reduce potential harm to users and patients.
SingCERT, which is the official government agency facilitating the detection, resolution and prevention of cybersecurity incidents in Singapore, has recommended that users and administrators of the affected devices immediately install the latest security updates from the relevant manufacturers. As a short-term mitigation measure, turning off the device’s Bluetooth communications protocol when not in use is also advised.
Baker McKenzie Wong & Leow is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world.