The waning stigma of medical device cybersecurity vulnerabilities

Google recently came under fire after a cybersecurity vulnerability in their Google+ product was discovered to have exposed the private data of millions of users.

No company wants to see its name in the headlines for this reason, especially when a vulnerability in its product could result not only in data loss but also in physical harm. Many medical device and healthcare IT vendors have been reticent to discuss cybersecurity vulnerabilities found in their products. Vendors are fearful they will be seen as negligent if they admit their products have security vulnerabilities.

But this fear is misplaced, and the hesitancy to discuss the security posture of medical devices actually makes the problem worse.

The Wall Street Journal’s coverage of the Google vulnerability reveals that Google is primarily criticized for waiting six months to disclose the problem, not for having the problem in the first place. A company that discusses the issue candidly is usually met with a positive response from the public and media, improving its customers’ trust in the company and in its products. In July of 2018, LabCorp detected unusual behavior on its network and proactively shut down portions of that network, taking certain business functions down with it. The company communicated openly what it knew while an investigation progressed. A look back at the media coverage of the event shows that commentators identified LabCorp’s proactive approach to the problem as evidence of a well-functioning cybersecurity protocol, rather than negligent IT practices.

If responding proactively to cybersecurity incidents is good for a company’s image, why are there so many examples of companies in the healthcare sector being slow to acknowledge cybersecurity vulnerabilities?

The answer may stem from the fines associated with HIPAA breaches. Many companies have seen organizations fined for exposing patient records (breaching HIPAA regulations in the process), and want to minimize their chances of being fined for such an event. So when a potential vulnerability is found, even in the absence of confirmed data exposure, vendors can slow down the disclosure process. But the existence of a potential vulnerability and the actual exposure of patient data are two different things, which means they need to be handled very differently.

Vulnerabilities are found in software every day by security researchers, friendly hackers, customers, academics, journalists and hobbyists. In 2018, more than 10,000 vulnerabilities have been disclosed across the world. In practice, it is impossible to write software that is completely free of cybersecurity vulnerabilities.

When the system’s designer learns of these vulnerabilities, a risk-based assessment should determine how urgently a fix is needed. If an immediate fix is needed, a software update should be made available as soon as possible, and the system’s users should be made aware of the issue. Sharing these vulnerabilities informs future iterations of the product and shows how a system can be hardened more effectively. Finding a vulnerability and fixing it doesn’t mean a company has done something wrong; it means the company has functioning cybersecurity policies and practices.

Another concern medical device vendors may have is whether device end-users can distinguish between a clinical compromise and a cybersecurity vulnerability. One is not necessarily related to the other, and it is important to separate the sharing of cybersecurity vulnerabilities from any impact on clinical effectiveness.

As organizations start to understand the difference between a vulnerability and an exploit, the stigma associated with disclosing vulnerabilities in healthcare software systems will wane. In fact, it already has! Years 2013 and 2014 each saw one medical device cybersecurity advisory reported to ICS-CERT, while 2015 saw six and the first ten months of 2018 saw 19. Some of the increase in disclosures could be attributed to the FDA’s Postmarket Cybersecurity guidance (December 2016), but at least a handful of vendors have chosen to disclose vulnerabilities, even when a researcher was not involved. Philips has been responsible for 21 percent of all ICS-CERT medical device cybersecurity advisories. This has been interpreted by my colleagues in the medical device cybersecurity space as an indicator of a mature cybersecurity practice within Philips, rather than negligent product development. Perhaps counterintuitively, by being communicative about their cybersecurity problems, Philips has come to be recognized as a leader in medical device cybersecurity.

All computer systems will be found to have vulnerabilities from time to time, and real money can be lost by the poor handling of a known vulnerability. Organizations are judged not by the existence of these vulnerabilities, but by how well they manage their response. If your organization finds a cybersecurity vulnerability in a product, assess the risk, determine if it has been exploited by an attacker and release a fix. Finally, disclose the vulnerability to an organization like H-ISAC so that other manufacturers can learn from your experience. The security community and the lives of patients improve when we share technical vulnerabilities.

By Vidya Murthy, Vice President of Operations at MedCrypt, a medical device cybersecurity company that helps medical device vendors ensure their products are compliant with the newly-released premarket FDA cybersecurity guidance.

1 https://www.riskbasedsecurity.com/2018/08/more-than-10000-vulnerabilities-disclosed-so-far-in-2018-over-3000-you-may-not-know-about/

© Copyright ASC COMMUNICATIONS 2018.