Is FDA doing enough to support medical device security?
Medical device vendors reported 400 percent more vulnerabilities per quarter since the Food and Drug Administration released its cybersecurity guidance in 2016, according to new research from MedCrypt.
There were just 12 advisories, from six manufacturers, between 2013 and December 2016, an average of just under one per quarter. Between Dec. 29, 2016 and Aug. 1, 2018, there were 35 alerts from 18 vendors, or about 4.5 per quarter.
The increase in ICS-CERT disclosures (the DHS Industrial Control Systems Cyber Emergency Response Team publishes medical device advisories) is potentially a sign of growing compliance, and may also reflect growing maturity in vendors' security risk assessments, explained Mike Kijewski, MedCrypt CEO.
“This may actually be a good thing, showing that medical device vendors are starting to take cybersecurity seriously,” Kijewski said.
The data also showed a decrease in Common Vulnerability Scoring System (CVSS) scores, which “may be the beginning of a trend in increased willingness to disclose non-critical vulnerabilities.”
While these stats show an upward trend in disclosures and awareness, there's a catch: These alerts come from only seven of the top medical device manufacturers, and certain device categories are underrepresented in the advisory list.
“The kinds of vulnerabilities that have been found are ‘low hanging fruit,’ so we expect more technologically complicated vulnerabilities to be found in the future,” said Kijewski.
What's also notable about the data is that only seven of the top 36 medical device vendors have ever issued an ICS-CERT vulnerability alert. Of the rest, 22 are top vendors that sell products that use a computer or connect to a health system and have never disclosed a single flaw.
“We expect the rate of disclosure to increase by at least another 400 percent, as these other medical device companies begin participating in cybersecurity vulnerability disclosures,” he said.
According to the report, there are three legitimate reasons a manufacturer may never have made a disclosure: the device is not computerized or network-enabled; it has no vulnerabilities; or the vendor is unaware of, or has not yet discovered, a flaw.
“[Vendors] should continue to ensure their product development protocols include proper pre- and postmarket cybersecurity testing,” the report authors wrote. “We also ask vendors in this situation to consider collaborating with a cybersecurity company, perhaps through a formal bug bounty program.”
However, to Kijewski, “it’s unlikely that those device vendors that have never put out an advisory have devices that are totally free from cybersecurity vulnerabilities; they’re just not talking about it.”
Is it enough?
The question is hard to answer definitively: We’re not there yet, but we’re moving in the right direction.
“Many analyses of medical device vulnerabilities take a ‘sky is falling’ perspective,” said Kijewski. “We feel that much progress has been made in the last two to four years, and our industry is on a trajectory that suggests we’ll have significantly more secure devices in the future than we did in the past.”
As threats to the healthcare sector have grown over the last few years, medical device flaws were treated as only a potential threat. Devices often run on legacy platforms and are tough to patch, and with a long list of other cybersecurity tasks competing for attention, they are often pushed to the bottom of the pile.
But several recent reports show that mentality needs to change.
A team of McAfee researchers is just the latest to report how easy it is to tamper with medical devices. In research revealed at DEF CON in Las Vegas, they modified patient vitals in real time by mimicking the data that bedside monitors send to central monitoring systems.
The researchers did not breach the monitor itself; they sat on the network between the patient monitors and the central station and rewrote the vitals in transit. Because the station accepts whatever arrives on that stream, an attacker can falsify a patient's heart rate, blood pressure and oxygen levels as the care team sees them, and dosing decisions follow from those numbers.
The modified data would be indistinguishable from genuine readings at the station, so a provider could prescribe the wrong medication, order the wrong test or make other clinical decisions based on the false data.
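The attack above works because the central station has no way to tell a rewritten frame from a genuine one. The following is an added example, not code from the McAfee research or from any vendor: it constructs a toy vitals frame (the JSON field names are an assumption, not a real monitor protocol), shows an on-path attacker rewriting it against a receiver that trusts whatever arrives, and then shows the same tampering and a replay being rejected once the sender authenticates each frame with an HMAC under a per-device key and the receiver enforces a monotonically increasing sequence number.

```python
import hashlib
import hmac
import json

# Constructed example frame: what a bedside monitor might push to a central
# station. Field names are an assumption for this example, not a real protocol.
def make_frame(bed, hr, spo2, sbp, dbp, seq):
    msg = {"bed": bed, "seq": seq, "hr": hr, "spo2": spo2, "nibp": [sbp, dbp]}
    return json.dumps(msg, sort_keys=True).encode()


def tamper(frame, **changes):
    """What an on-path attacker does: rewrite vitals fields in transit."""
    msg = json.loads(frame)
    msg.update(changes)
    return json.dumps(msg, sort_keys=True).encode()


def receive_unauthenticated(frame):
    """The weak receiver: displays whatever arrives, no integrity check."""
    return json.loads(frame)


# Hardened form: sender appends HMAC-SHA256 over the frame under a key that is
# an assumption here (a real device would use a secret provisioned per device).
def send_authenticated(key, frame):
    tag = hmac.new(key, frame, hashlib.sha256).hexdigest().encode()
    return frame + b"|" + tag


def tamper_wire(wire, **changes):
    """Attacker rewrites the frame but cannot recompute the tag without the key."""
    frame, _, tag = wire.rpartition(b"|")
    return tamper(frame, **changes) + b"|" + tag


class AuthReceiver:
    """Verifies the tag in constant time and rejects replayed sequence numbers."""

    def __init__(self, key):
        self.key = key
        self.last_seq = {}

    def receive(self, wire):
        frame, _, tag = wire.rpartition(b"|")
        expected = hmac.new(self.key, frame, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or altered frame
        msg = json.loads(frame)
        if msg["seq"] <= self.last_seq.get(msg["bed"], -1):
            return None  # replay of an older genuine frame
        self.last_seq[msg["bed"]] = msg["seq"]
        return msg


def demo():
    key = b"per-device-key-provisioned-at-manufacture"  # assumption, see above
    genuine = make_frame("ICU-4", hr=72, spo2=98, sbp=118, dbp=76, seq=1)

    # Unauthenticated path: the station now shows a heart rate of 38.
    forged = tamper(genuine, hr=38, spo2=82)
    seen_plain = receive_unauthenticated(forged)

    # Authenticated path: genuine frame accepted, forgery and replay rejected.
    rx = AuthReceiver(key)
    accepted = rx.receive(send_authenticated(key, genuine))
    rejected = rx.receive(tamper_wire(send_authenticated(key, genuine), hr=38))
    replayed = rx.receive(send_authenticated(key, genuine))  # same seq again

    return {
        "plain_hr": seen_plain["hr"],
        "auth_hr": accepted["hr"],
        "forged_rejected": rejected is None,
        "replay_rejected": replayed is None,
    }


if __name__ == "__main__":
    print(demo())
```

The integrity tag does nothing for confidentiality and does not stop an attacker from dropping frames, so a receiver should also alarm when a monitored bed goes silent. The hard part in practice is not the HMAC but provisioning and rotating the per-device keys across a fleet of legacy monitors, which is exactly the kind of security feature Kijewski argues the FDA guidance could be more specific about.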
The research is similar to another study presented at the HIMSS Security Forum in June by University of California Cyber Team members Christian Dameff, MD and Jeff Tully, MD.
Through a simulation, Dameff and Tully showed just what happens when a hacker breaches a patient’s medical device: The patient (portrayed by an actor) kept dying and coming back to life, and the provider couldn’t figure out what was wrong.
What’s worse is that none of the care team members were trained on how to react to a medical device hack.
While many healthcare leaders have said the likelihood of these types of scenarios is relatively low, “the argument that something is likely to be rare isn't a reason not to address it,” said Dameff. “We need to talk about more than just devices -- also infrastructure.”
“The risk is involved in every aspect of care,” he added. “It’s important to be aware of the entire picture.”
For now, the industry is moving in the right direction, fueled by open dialogue and the FDA's guidance on disclosures. White hat researchers finding the flaws also help: their work grounds the discussion in the real threat and drives the conversation about how to begin fixing the vulnerabilities.
To Kijewski, the FDA’s guidance could also be more detailed to help direct “vendors toward security features that would mitigate more complicated vulnerabilities.”
For now, healthcare organizations need to improve patch management policies to ensure that, at a bare minimum, disclosed vulnerabilities are remediated, or, where a device cannot be patched, that the vulnerable interface is isolated from unauthorized access.
WannaCry and Petya were massive reminders to the industry to patch known vulnerabilities: both spread through a Windows SMB flaw (MS17-010) for which Microsoft had already shipped a fix, and the organizations hit had not applied it. But even after falling victim in May 2017, all of the U.K. National Health Service's trusts failed the government-issued cybersecurity tests just one year later.
And one of the biggest findings? Some trusts still had not patched their systems, the main reason the NHS fell victim to WannaCry in the first place. As threats grow in sophistication, organizations need stronger patch management policies.
Healthcare organizations struggle with patching for several reasons. Vidya Murthy, MedCrypt vice president of operations, explained that especially for devices that offer life-saving clinical services, “it is a non-starter to take it offline to update it.”
“Healthcare delivery organizations, reasonably, prioritize clinical excellence,” said Murthy. “Then there's the population of devices, which are no longer on the hospital network as they've gone home ‘with’ the patient.”
“For an organization to patch vulnerabilities they must have the budget, resources and insight from device manufacturers to even begin supporting these fixes,” she added.
As vendors continue improving their disclosure policies, it's important for the industry not to shame the manufacturers that disclose as having bad security, explained Kijewski. “This is not helpful, as it dissuades other device vendors from disclosing vulnerabilities voluntarily.”
What’s needed is open dialogue and supporting those vendors for taking a proactive approach to the security of their products, he said.