HSA Safety Communication: Update on SWEYNTOOTH Cybersecurity Vulnerabilities Affecting Certain Bluetooth Enabled Medical Devices

The Health Sciences Authority (HSA) is providing an update to our earlier safety communication published on 6 March 2020 regarding “SWEYNTOOTH” cybersecurity vulnerabilities.

Background

2        In March, the Singapore University of Technology and Design (SUTD) research team discovered a suite of twelve cybersecurity vulnerabilities called “SWEYNTOOTH”. These vulnerabilities affected Bluetooth Low Energy (BLE) chips from at least 7 major companies. Various IoT devices, including medical devices that use these affected BLE chips and integrate wireless communication, could potentially be affected. These vulnerabilities will allow unauthorised users to access the affected devices and (i) crash them, (ii) reboot them and force them into a “deadlocked” state, or (iii) bypass their security features. However, the unauthorised users will be able to access the affected devices only when they are within Bluetooth communication range.

3        HSA quickly reached out to the manufacturers of medical devices that were supplied locally and has identified 32 medical devices affected by the twelve vulnerabilities. The manufacturers have completed the risk evaluation and implemented the necessary mitigation measures for about 90% of these affected devices. These include implementing new corrective actions or leveraging existing control measures. HSA is working closely with the manufacturers of the other 10% of devices to implement the necessary corrective actions.

New Vulnerabilities

4        The SUTD research team has recently discovered four new SWEYNTOOTH vulnerabilities which could potentially affect more medical devices.

5        You may refer to the following links for the updated information regarding this issue, including a list of the BLE chips known to be affected by the new vulnerabilities:

HSA’s Follow-up Actions

6        To date, HSA has not received any reports of medical device adverse events related to these vulnerabilities. HSA is communicating with the SUTD researchers and working with manufacturers and their local representatives in Singapore regarding these four new vulnerabilities.

7        To address these new vulnerabilities, a software patch will have to be developed by the respective BLE semiconductor chip vendors. HSA will continue to work with the medical device manufacturers and local vendors to closely monitor their progress in implementing the necessary patches or fixes. Manufacturers, healthcare institutions and end-users should continue to follow the recommendations laid out in the previous safety communication as shown below.

Recommendations for Manufacturers

  • Refer to the SingCERT alert and the SUTD publication links above to identify if your medical devices are affected by the new SWEYNTOOTH vulnerabilities.
  • Report to HSA once you have identified affected medical devices via the following link: https://form.gov.sg/5e5dfa2e84df070011f0fb99
  • Perform a risk assessment of the vulnerabilities and the impact in the context of your medical devices with reference to their intended use.
  • Develop risk mitigation plans, including interim workarounds to manage the risk while permanent fixes in the form of software patches are being developed.
  • Communicate with the healthcare institutions and the end users of your medical devices proactively and recommend necessary actions to reduce the risk and potential harm to the patients and users.

Recommendations for Healthcare Institutions and End-users

  • Communicate with your medical device suppliers and manufacturers to find out if your device is affected by these new vulnerabilities.
  • Work with your suppliers to understand and implement the mitigation measures recommended by the medical device manufacturers.
  • Monitor your medical devices for any abnormal signs or unexpected behaviour (e.g. random shutdown or restart of the device) and report these to the suppliers and/or manufacturers.
  • Patients should seek medical help as soon as possible if they think their medical device is not working as expected.
  • Healthcare professionals and end users may report their medical device related adverse events to the Medical Devices Cluster, Health Products Regulation Group, HSA at Tel: 6866 1048, or report online at www.hsa.gov.sg/adverse-events

8     As the situation evolves, HSA will assess any new information on these vulnerabilities and will update our stakeholders on any significant safety information that arises.

HEALTH SCIENCES AUTHORITY
SINGAPORE
15 JULY 2020
