According to the National Vulnerability Database, 18,353 vulnerabilities were reported in 2020. That’s nearly three times the volume of vulnerabilities reported five years ago, and higher than any year in the previous two decades. Given the rise in connected devices, this increase is not entirely unexpected. If that’s the case, shouldn’t we be seeing more vulnerability disclosures related to medical devices?
The U.S. Department of Homeland Security Cybersecurity and Infrastructure Agency (CISA) publishes advisories for vulnerabilities in industrial control systems. Each advisory is given an identification number, which begins with the letters ICSA or—for vulnerabilities related to medical equipment—ICSMA. This helps the healthcare industry readily identify CISA advisories that apply to medical devices, and it also sheds light on how few medical device manufacturers have issued coordinated vulnerability disclosures with CISA in the last year. Although there are thousands of medical device manufacturers in the U.S., only eleven companies reported ICSMA vulnerabilities to the agency in 2020, according to the agency’s ICS-CERT Advisories list.
As medical device manufacturers, we have an essential role in protecting the infrastructure of healthcare around the world. To ensure our products are used safely and securely, we need to be proactive in sharing information about the latest emerging threats, new vulnerabilities in our technologies, and what our stakeholders can do to protect themselves. It’s time to make 2021 the year we move healthcare, as an industry, toward cybersecurity maturity. We can begin by embracing the following truths:
Defensive strategies are not enough.
Healthcare is the number one target for cybercriminals. We design medical devices to be secure, and we implement reasonable administrative, technical and physical safeguards to protect against cybersecurity incidents and privacy breaches. However, defensive tactics are not enough when cybercriminals are working around the clock, 365 days a year to exploit vulnerable systems. With systems and threats continuously evolving, no system can be 100% protected against any and all vulnerabilities. That’s why we augment defensive strategies with resiliency measures.
Resiliency is about answering the question, “How quickly can you recover from an attack?”—which is every bit as important as combining defensive and offensive strategies. A strong defensive posture can help prevent cyberattacks. Resiliency measures—like enabling full system backups—presume that you will be attacked and seek to limit the impact. This requires ongoing, two-way communication between healthcare providers and medical device manufacturers, because each has an important role to play in keeping medical device technology operational and secure.
Talking about cybersecurity vulnerabilities shouldn’t be taboo.
Healthcare providers can’t protect against vulnerabilities they don’t know about. That’s why we need to take the stigma out of talking about vulnerabilities. A recent example is Ryuk (R-EE – Y OO K) ransomware, which hit dozens of U.S. hospitals in late 2020. While phishing attacks were the most common point of entry, cybercriminals also used third-party software vulnerabilities to deny access to a device or its data. Even when hospitals have workarounds—such as restoring systems from backup and using paper records—the interruption can severely impact patient care. As medical device manufacturers, we all need to be transparent about vulnerabilities that impact our products or third-party components used in our products. This enables customers to apply patches in a timely manner and also allows them to apply compensating controls and mitigations to reduce risk.
It’s about doing the right thing for customers and patients.
Vulnerability disclosure is essential, not only because it demonstrates compliance with the U.S. Food and Drug Administration (FDA) Postmarket Management of Cybersecurity in Medical Devices guidance and industry best practices noted in the Healthcare and Public Health Sector Medical Device and Health IT Joint Security Plan, but also it enables customers to keep their systems secure and up to date. In cases where a patch is being evaluated, it gives the customer insight about compensating controls and mitigations that can reduce risk. It’s about going beyond compliance and doing what is right for customers and their patients—and ultimately protecting what society values most. To get there, medical device manufacturers need to educate customers about coordinated vulnerability disclosure processes.
In healthcare, there is a patient at the end of everything we do. That’s why the stakes are so high. It’s time to recognize that defensive strategies are not enough, and that talking openly about vulnerabilities in our technologies allows customers to strengthen their cybersecurity defenses and their resiliency. Embracing these truths and enabling ongoing, transparent communication between medical device manufacturers and healthcare providers serves patients’ best interests and demonstrates the industry’s commitment to cybersecurity maturity.
Nastassia Tamari is the Director of Information Security Operations for BD, a global medical technology company that is advancing the world of health by improving medical discovery, diagnostics, and the delivery of care. Nastassia is responsible for leading information security operations at BD, including incident response, vulnerability management, threat response, insider threat, and monitoring and detection teams across enterprise, product, and manufacturing systems for BD’s global environment.