April 21, 2021
For the past 3 years, MedCrypt has released a white paper analyzing the changes in the ICS-CERT vulnerability disclosure data, the trends we see, and predictions for the future of medical device cybersecurity. Read on to find out what medical device manufacturers (MDMs) can learn from past vulnerability disclosures in 2021.
In December 2016, the FDA's Postmarket Management of Cybersecurity in Medical Devices guidance was released, including recommendations to participate in information sharing. This was clearly an inflection point.
In the period before the FDA post-market guidance was released, there were 12 advisories and 37 vulnerabilities. In the period after the guidance there were 92 advisories and 232 vulnerabilities.
The average number of advisories reported per month increased 6.4-fold after the post-market guidance was issued. An average of 4.83 vulnerabilities per month have been published since, compared to 0.95 per month prior to December 2016. Despite not being mandated by law, the number of published vulnerabilities has increased since the release of the 2016 FDA Postmarket Guidance. This leads us to believe that MDMs view adhering to the guidance as a market incentive.
Device manufacturers that include a vulnerability disclosure process provide the opportunity for researchers who discover a vulnerability to report it directly to the manufacturer. Disclosure processes typically include instructions for sending secure, encrypted messages. See the Medtronic Coordinated Disclosure Process for an example.
When medical device manufacturers share vulnerabilities, it is a positive indicator of cybersecurity risk management. Information sharing benefits the entire healthcare ecosystem.
Of the top 40 medical device vendors by market cap, 17 have a published vulnerability disclosure process. This is an increase from 13 vendors in 2019.
Researchers who report vulnerabilities also help promote a collaborative disclosure process. Of the 104 advisories assessed, 73 explicitly referenced a researcher.
Historically, researchers have been viewed as adversaries, but their attribution in 70% of the advisories assessed confirms their positive presence in the ecosystem. There is no mandate to report vulnerabilities through the Department of Homeland Security (DHS), but ICS-CERT has served as a mediator, enabling researchers to share what they have found. It therefore makes sense that the majority of disclosures reference researchers. It is perhaps more impressive that MDMs, despite the absence of a legal mandate, continue to self-report vulnerabilities.
What causes medical device vulnerabilities? Before the FDA guidance, 43% of vulnerabilities had a user authentication root cause. After the guidance, user authentication still makes up 43% of the vulnerabilities.
This means the most common vulnerabilities are not highly sophisticated or customized. What makes this a hard problem to solve? Clinical care is rightfully the priority when developing a medical device. Perhaps this indicates that security is treated as a secondary requirement.
Prior to the FDA postmarket guidance, 48.6% of advisories referenced a patch. Since then, that share is up to nearly 79%.
This is a positive change that helps offer steps to mitigate vulnerabilities immediately after an issue is identified. But can we patch fast enough to be safe enough?
How do we interpret the data from the ICS-CERT database? Here are our hypotheses and predictions for the future:
ICS-CERT and the FDA have given researchers a voice through vulnerability sharing that does more than just avoid negative headlines. The system helps drive product development and foster collaboration.
Want to hear a more comprehensive analysis? Read the full white paper and register for the free webinar on April 22nd.