HSA Safety Communication: SWEYNTOOTH Cybersecurity Vulnerabilities Affecting Certain Bluetooth Enabled Medical Devices
The Health Sciences Authority (HSA) is informing our stakeholders, including medical device manufacturers, healthcare institutions, healthcare professionals and end users, of cybersecurity vulnerabilities called “SWEYNTOOTH”, which could potentially affect certain medical devices. This is a suite of twelve cybersecurity vulnerabilities recently discovered by our local research team from the Singapore University of Technology and Design (SUTD).
2 As of today, the SWEYNTOOTH vulnerabilities are known to affect Bluetooth Low Energy (BLE) chips from at least 7 major companies. Various IoT devices, including medical devices that use these affected BLE chips and integrate wireless communication, may be potentially affected. These vulnerabilities will allow unauthorised users to access the affected devices and cause them to (i) crash, (ii) reboot and be forced into a “deadlocked” state, or (iii) bypass security features. However, the unauthorised users will be able to access the affected devices only when they are within Bluetooth communication range.
3 You may refer to the following links for more information regarding this issue, including a list of the BLE chips known to be affected by this issue:
4 To date, HSA has not received any reports of medical device adverse events related to these vulnerabilities.
HSA’s Follow-up Actions
5 HSA is communicating with the SUTD researchers and working with manufacturers and their local representatives in Singapore. In order to address these vulnerabilities, a software patch will have to be developed by the respective semiconductor chip vendors.
6 The medical device manufacturers are required to identify the devices affected by the vulnerabilities, evaluate the risk and develop mitigation measures for the devices. HSA will work with the local vendors and closely monitor their progress in implementing the necessary patches or fixes.
Recommendations for Manufacturers
- Refer to the SingCERT alert and the SUTD publication links above to identify if your medical devices are affected by the SWEYNTOOTH vulnerabilities.
- Report to HSA once you have identified affected medical devices via the following link: https://form.gov.sg/5e5dfa2e84df070011f0fb99
- Perform a risk assessment of the vulnerabilities and the impact in the context of your medical devices with reference to their intended use.
- Develop risk mitigation plans, including interim workarounds to manage the risk while permanent fixes in the form of software patches are being developed.
- Communicate with the healthcare institutions and the end users of your medical devices proactively and recommend necessary actions to reduce the risk and potential harm to the patients and users.
Recommendations for Healthcare Institutions and End-users:
- Communicate with your medical device suppliers and manufacturers to find out if your device is affected by these vulnerabilities.
- Work with your suppliers to understand and implement the mitigation measures recommended by the medical device manufacturers.
- Monitor your medical devices for any abnormal signs or unexpected behaviour (e.g. random shutdown or restart of the device) and report these to the suppliers and/or manufacturers.
- Patients should seek medical help right away if they think their medical device is not working as expected.
- Healthcare professionals and end users may report their medical device-related adverse events to the Medical Devices Cluster, Health Products Regulation Group, HSA at Tel: 6866 1048, or report online at www.hsa.gov.sg/ae_online
7 HSA will continue to assess any new information on these vulnerabilities and will update our stakeholders on any significant safety information that arises.
HEALTH SCIENCES AUTHORITY
6 MARCH 2020