Nastassia Tamari, Director of Information Security Operations at BD
According to the National Vulnerability Database, 18,353 vulnerabilities were reported in 2020. That is almost three times the volume reported five years earlier and more than in any year of the previous two decades. Given the growth in connected devices, this increase is not entirely unexpected. If so, shouldn’t we also be seeing more vulnerability disclosures related to medical devices?
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) publishes advisories about vulnerabilities in industrial control systems. Each advisory carries an identification number beginning with the letters ICSA or, for vulnerabilities related to medical devices, ICSMA. This helps the healthcare industry easily identify the CISA advisories that apply to medical devices, and it also sheds light on how few medical device manufacturers have published coordinated vulnerability disclosures with CISA over the past year. While there are thousands of medical device manufacturers in the U.S., only eleven companies reported ICSMA vulnerabilities to the agency in 2020, according to the agency’s ICS-CERT advisories list.
As manufacturers of medical devices, we play an essential role in protecting healthcare infrastructure around the world. To ensure that our products are used safely, we need to be proactive in sharing information about the latest emerging threats, new vulnerabilities in our technologies, and what our stakeholders can do to protect themselves. It is time to make 2021 the year in which we, as an industry, move healthcare toward cybersecurity maturity. We can begin by embracing the following truths:
Defensive strategies are not enough.
Healthcare is a primary target of cybercriminals. We design medical devices to be secure and implement reasonable administrative, technical and physical safeguards to protect them from cybersecurity incidents and privacy breaches. However, defensive tactics are not enough when cybercriminals work 24 hours a day, 365 days a year to exploit vulnerable systems. With systems and threats constantly evolving, no system can be 100% protected against every vulnerability. Therefore, we augment defensive strategies with resilience measures.
Resilience answers the question “How quickly can you recover from an attack?”, which is as important as combining defensive and offensive strategies. A strong defensive posture can help prevent cyberattacks. Resilience measures, such as maintaining full system backups, assume that an attack will happen and aim to limit its impact. This requires continuous two-way communication between healthcare providers and medical device manufacturers, because each has an important role to play in keeping medical device technology operational and secure.
Talking about cybersecurity vulnerabilities should not be taboo.
Healthcare providers cannot protect themselves against vulnerabilities they are unaware of. Therefore, we must remove the stigma from talking about vulnerabilities. A recent example is the Ryuk ransomware (R-EE – Y OO K), which affected dozens of U.S. hospitals in late 2020. Although phishing attacks were the most common entry point, the cybercriminals also exploited third-party software vulnerabilities to deny access to devices or their data. Even when hospitals have workarounds, such as restoring backup systems and using paper records, the disruption can severely affect patient care. As manufacturers of medical devices, we must all be transparent about the vulnerabilities that affect our products or the third-party components used in them. This allows customers to apply patches in a timely manner and also to apply compensating controls and mitigations to reduce risk.
It’s about doing the right thing for customers and patients.
Vulnerability disclosure is essential, not only because it demonstrates compliance with the U.S. Food and Drug Administration’s (FDA) postmarket medical device cybersecurity guidance and the industry best practices set out in the healthcare and public health sector’s joint security plan for medical devices and health IT, but also because it allows customers to keep their systems secure and up to date. In cases where a patch is still being evaluated, it gives the customer information about the compensating controls and mitigations that may reduce the risk. It’s about going beyond compliance and doing what’s right for customers and their patients, and ultimately protecting what society values most. To achieve this, medical device manufacturers must inform customers about their coordinated vulnerability disclosure processes.
In healthcare, there is a patient at the end of everything we do. That’s why the stakes are so high. It is time to recognize that defensive strategies are not enough, and that openly talking about vulnerabilities in our technologies allows customers to strengthen both their cybersecurity defenses and their resilience. Embracing these truths and enabling ongoing, transparent communication between medical device manufacturers and healthcare providers serves the best interests of patients and demonstrates the industry’s commitment to cybersecurity maturity.
Nastassia Tamari is the Director of Information Security Operations at BD, a global medical technology company that is advancing the world of health by improving medical discovery, diagnostics and the delivery of care. Nastassia is responsible for leading information security operations at BD, including the incident response, vulnerability management, threat response, insider threat, and monitoring and detection teams across the enterprise, product and manufacturing systems of the global BD environment.