
FDA Scoring Tool Update Adds Vulnerability Risk to Patient Safety

An update to the FDA's Medical Device Development Tools scoring rubric takes into account how a medical device vulnerability would affect patient safety, making device security risk more transparent.

The FDA recently unveiled a new scoring rubric for assessing medical device vulnerabilities, replacing an approach that was designed for conventional IT equipment and did not account for patient safety. Elad Luz, head of research at CyberMDX, explained that the change will better reflect the severity and characteristics of security flaws in medical devices.

Awareness of medical device security has grown rapidly in recent years, driven by the FDA's efforts to bridge the gap between device manufacturers and healthcare providers, which can bolster patient safety. Since the FDA issued its cybersecurity guidance for medical devices in 2016, vendors have reported 400 percent more vulnerabilities per quarter, a sign of maturing security risk assessments and growing compliance.

However, many healthcare providers still struggle to prioritize patch management and continue to rely on outdated legacy platforms: a May 2019 Forescout report found that the majority of medical devices run on legacy operating systems. With recent hacking campaigns actively scanning for known vulnerabilities, the new scoring rubric should help providers move the needle on these flaws.

The FDA Medical Device Development Tools (MDDT) program, which issued its initial guidance in 2017, qualifies tools that medical device sponsors can use to develop and evaluate medical devices within a specified context of use.

That context of use covers, among other elements, the specific output or measure the tool produces and the phases of medical device development in which the tool's measurement can be used. The program is designed to promote innovation in medical device development and regulatory science to better support research and patient care delivery.

The MDDT program qualifies tools in three categories: a clinical outcome assessment, which measures how a patient feels or functions; a biomarker test, such as a lab test or instrument that measures an indicator of biologic processes or pharmacologic response; and a nonclinical assessment model, which measures or predicts device function or performance in a living organism.

“The previous rubric was made for traditional IT devices like your work computer. While a hacker could certainly do a lot of damage if they hacked a company’s computer, likely there was no direct threat to someone’s life by hacking the network or a particular device,” said Luz. 

“When you hack a medical device, you could directly threaten a patient’s life and this reality was not ideally reflected in the previous scoring model,” he added.  

For example, in July 2019 CyberMDX disclosed the vulnerability tracked as ICSMA-19-190-01, which was rated only medium severity, a 5.3 under traditional CVSS scoring, even though the flaw enabled attackers to remotely mute alarms and manipulate gas combinations on certain anesthesia devices.

The previous scoring approach did not account for certain consequences, including malware injection. Luz stressed that the ability to manipulate an anesthesia machine could directly affect patient safety, and the new scoring model takes those types of actions into account.

Under the new scoring model, Luz explained, the same ICSMA-19-190-01 vulnerability would be rated 9.1, a critical flaw. The new model should therefore better reflect the severity of flaws and improve providers' risk assessment processes.

To Luz, the scoring rubric has also improved consistency. Previously, if different security experts were asked to evaluate the same vulnerability under the old guidelines, each would arrive at a different score; the updated tool should produce more consistent results.

“These guidelines are in the form of simple multiple-choice questions, which enables different experts to reach similar conclusions and therefore more consistent results,” said Luz. “Traditional CVSS scores that are published are based on the ‘base metrics group’.” 

“There is another metric group called the ‘environmental metrics group’ enabling organizations to evaluate the vulnerability based on the environment they have in their network: the way they deployed the device, configured it, and what they use it for,” he added. “The environmental metrics already exist but are less commonly used by organizations.”

Nearly half of the new rubric is now devoted to these metrics, which Luz said reflects the weight the FDA and MITRE place on environmental metrics.
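To make the base-versus-environmental distinction concrete, here is an added example (not from the article, and not the FDA/MITRE rubric itself) that implements the CVSS v3.1 base and environmental equations in Python. The vector string is an assumption chosen because it reproduces the 5.3 base score the article cites for ICSMA-19-190-01; the page does not reproduce the advisory's own vector. The modified metrics and security requirements in the second and third vectors (IR:H, AR:H, MI:H, MA:H, then MAV:A) are likewise illustrative stand-ins for a hospital's answers about its own deployment, not the rubric's answers, so the resulting scores will not match the 9.1 the article quotes.

```python
"""CVSS v3.1 base and environmental scoring.

Added example; the equations and weights come from the CVSS v3.1 specification
(FIRST, section 7). The vectors used in main() are constructed for illustration.
"""
import math

# Base metric weights (CVSS v3.1 spec, table 16).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR = {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.5)}  # (scope unchanged, changed)
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
# Temporal weights; X (Not Defined) has no effect.
E = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}
RL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}
RC = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}
# Environmental security requirements (CR/IR/AR); X behaves like Medium.
REQ = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}

BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")


def roundup(x: float) -> float:
    """Roundup from CVSS v3.1 appendix A: round up to one decimal without float artefacts."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def parse_vector(vector: str) -> dict:
    """Turn 'CVSS:3.1/AV:N/AC:L/...' into {metric: value}; all eight base metrics are required."""
    prefix, _, rest = vector.partition("/")
    if prefix not in ("CVSS:3.0", "CVSS:3.1"):
        raise ValueError(f"unsupported vector prefix: {prefix}")
    metrics = dict(part.split(":", 1) for part in rest.split("/"))
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def _score(av, ac, pr, ui, scope_changed, c, i, a, cr="X", ir="X", ar="X", modified=False):
    """Core of the base and environmental equations (before temporal adjustment)."""
    exploitability = 8.22 * AV[av] * AC[ac] * PR[pr][1 if scope_changed else 0] * UI[ui]
    iss = 1 - (1 - REQ[cr] * CIA[c]) * (1 - REQ[ir] * CIA[i]) * (1 - REQ[ar] * CIA[a])
    if modified:
        iss = min(iss, 0.915)  # the environmental equation caps MISS
    if scope_changed:
        if modified:
            impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
        else:
            impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    if scope_changed:
        total *= 1.08
    return roundup(min(total, 10))


def base_score(vector: str) -> float:
    """Base score: the number a published advisory normally carries."""
    m = parse_vector(vector)
    return _score(m["AV"], m["AC"], m["PR"], m["UI"], m["S"] == "C", m["C"], m["I"], m["A"])


def environmental_score(vector: str) -> float:
    """Environmental score: modified metrics (MAV, MAC, MPR, MUI, MS, MC, MI, MA) replace
    the base values where set, CR/IR/AR weight the impact, and E/RL/RC scale the result."""
    m = parse_vector(vector)

    def pick(name):  # modified metric if present and not X, otherwise the base metric
        mod = m.get("M" + name, "X")
        return m[name] if mod == "X" else mod

    core = _score(pick("AV"), pick("AC"), pick("PR"), pick("UI"), pick("S") == "C",
                  pick("C"), pick("I"), pick("A"),
                  m.get("CR", "X"), m.get("IR", "X"), m.get("AR", "X"), modified=True)
    return roundup(core * E[m.get("E", "X")] * RL[m.get("RL", "X")] * RC[m.get("RC", "X")])


if __name__ == "__main__":
    # Assumed vector: reproduces the 5.3 the article cites; not taken from the advisory.
    base = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
    # Assumed hospital answers: integrity and availability of the device are high-impact
    # and high-requirement because a manipulated gas mix or muted alarm endangers the patient.
    clinical = base + "/IR:H/AR:H/MI:H/MA:H"
    # The same answers after segmenting the device onto a network reachable only from
    # adjacent clinical equipment (MAV:A), which lowers the modified exploitability.
    segmented = clinical + "/MAV:A"
    print("base         ", base_score(base))
    print("environmental", environmental_score(clinical))
    print("segmented    ", environmental_score(segmented))
```

Two things the numbers show that the prose only asserts: the environmental group can move a published medium score into the critical range without touching the base vector, and a deployment change such as segmentation (MAV) pulls it back down, which is why answering the rubric's environmental questions is also a way to evaluate mitigations.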

Improving Medical Device Posture

Recent Forescout data estimates that each health system has an average of 20,000 devices on its network, while earlier reports showed that most providers are unaware of how many connected devices are operating on their enterprise network at any given moment.

Moving the needle on these vulnerabilities will be critical given the rapid pace of malicious deployments and attack sophistication. Of note, JSOF researchers disclosed Ripple20 over the summer, a group of 19 vulnerabilities in the Treck TCP/IP stack, several of them rated critical, that affect a wide range of IoT and medical devices.

To Luz, a more rigorous scoring system will help healthcare delivery organizations more accurately prioritize vulnerability assessments and tackle potentially dangerous security flaws “in more appropriate timeframes.” 

“From the moment a healthcare provider decides to connect their medical devices to the network, they must do the maximum possible to secure it,” said Luz. “Previous vulnerabilities found by our team at CyberMDX alone have disclosed security issues that could impact the patient's safety via remote manipulation of infusion rate of pumps, manipulation of vital signs on patient monitoring systems, manipulation of gas calibration and alarm of anesthesia devices and more.” 

“I’m not a medical expert so I wouldn’t want to speculate about what any specific vulnerability could do medically, but I think it’s fair to say that any external manipulation of a medical device needs to be protected against,” he added.

Luz also pointed to a patient death in Germany, where a woman died after her ambulance was diverted from a hospital disrupted by a ransomware attack. If merely losing access to patient records could contribute to a patient's death, “imagine if they could directly impact an infusion pump and change dosages or withhold medications. It’s definitely something that needs to be avoided at all costs.”

Reducing Device Vulnerabilities

The new scoring model better reflects the severity and characteristics of vulnerabilities, but for Luz the changes may also prompt broader conversations about the connection between medical device security and patient safety. Highlighting the severity of these risks may help providers move quickly to address them.

Providers can also learn much from the rubric itself, since it takes the form of multiple-choice questions they must answer about their own organization. Reviewing those questions, Luz explained, should force providers to think about the broader risks and consider the different aspects of the problem, reducing the number of providers who overlook these issues.

“The environmental metric group can be used by providers as a tool to not only assess, but also think of generic ways in which they can mitigate the issue or at least reduce its risk and impact,” said Luz. 

Despite the tool's benefits, a number of challenges remain around medical device patch management. Luz noted that some vendors decide not to release patches for vulnerabilities at all, or may even require providers to pay for them in the form of services to perform the update.

Further, even when a patch is available, it may not reach the end user for years. And applying a patch to a medical device typically requires staff to be physically at the device during a limited maintenance window, which further complicates patch management.

“Because patching medical devices is so challenging it is almost never the first step, and healthcare delivery organizations shouldn’t wait for a patch as usually there are a number of smaller steps they can take to improve the security of devices even without an official patch,” said Luz. “For example, changing the device configuration to disable specific vulnerable features, enforcing network policies, tightening the network segmentation, or other changes in the device's environment.” 

“The work of vulnerability assessment discussed here is challenging, however hospitals face problems even earlier in the process - when you have a facility with hundreds of different unmanaged models of medical devices running different versions, you'll first have to prepare a detailed list of them along with their specifications, then start crossing it with the publicly known, ever-growing list of vulnerabilities, and only then start your assessment and mitigation for each one of them,” he added.
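The inventory-to-advisory matching step Luz describes, as an added example that is not part of the article or of CyberMDX's tooling: a discovered device inventory is crossed against advisory records that carry affected-version ranges, using numeric version comparison (plain string comparison would place firmware 2.10.1 before 2.3.1 and misclassify it). All vendor names, models, firmware versions, advisory identifiers and scores below are constructed placeholders.

```python
"""Cross an inventory of device models and firmware against advisory data.

Added example; the inventory and advisories are constructed, not real records.
"""
import operator
from typing import Iterable

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge, "==": operator.eq}


def version_key(version: str, width: int = 4) -> tuple:
    """Numeric tuple for comparisons: '2.10' must sort after '2.3', and '2.3' must
    equal '2.3.0'. Comparing the strings gets both of these wrong."""
    parts = [int(p) for p in version.strip().split(".")]
    if len(parts) > width:
        raise ValueError(f"version has more than {width} components: {version}")
    return tuple(parts + [0] * (width - len(parts)))


def is_affected(firmware: str, constraints: Iterable[str]) -> bool:
    """True when the firmware satisfies every constraint, e.g. ['>=2.0', '<2.3.1']."""
    fw = version_key(firmware)
    for c in constraints:
        # Try the two-character operators first so '<=' is not read as '<'.
        op = next((o for o in sorted(OPS, key=len, reverse=True) if c.startswith(o)), None)
        if op is None:
            raise ValueError(f"bad constraint: {c}")
        if not OPS[op](fw, version_key(c[len(op):])):
            return False
    return True


def match_inventory(inventory, advisories):
    """Return (device, advisory) pairs, most severe first, for devices whose vendor,
    model and firmware fall inside an advisory's affected range."""
    hits = []
    for dev in inventory:
        for adv in advisories:
            if (dev["vendor"], dev["model"]) != (adv["vendor"], adv["model"]):
                continue
            if is_affected(dev["firmware"], adv["affected"]):
                hits.append((dev, adv))
    hits.sort(key=lambda h: (-h[1]["cvss"], h[0]["asset_id"]))
    return hits


# Constructed inventory: the shape a hospital's asset list takes after discovery.
INVENTORY = [
    {"asset_id": "ICU-07", "vendor": "ExampleMed", "model": "Pump-X", "firmware": "2.3.0"},
    {"asset_id": "ICU-12", "vendor": "ExampleMed", "model": "Pump-X", "firmware": "2.10.1"},
    {"asset_id": "OR-03", "vendor": "ExampleMed", "model": "Anesth-Y", "firmware": "1.4"},
    {"asset_id": "OR-05", "vendor": "OtherCo", "model": "Monitor-Z", "firmware": "5.0.2"},
]

# Constructed advisories with placeholder identifiers, not real advisories.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "vendor": "ExampleMed", "model": "Pump-X",
     "affected": [">=2.0", "<2.3.1"], "cvss": 7.5},
    {"id": "ADV-EXAMPLE-2", "vendor": "ExampleMed", "model": "Anesth-Y",
     "affected": ["<=1.4"], "cvss": 9.1},
    {"id": "ADV-EXAMPLE-3", "vendor": "OtherCo", "model": "Monitor-Z",
     "affected": ["<5.0"], "cvss": 6.5},
]

if __name__ == "__main__":
    for dev, adv in match_inventory(INVENTORY, ADVISORIES):
        print(f"{adv['cvss']:4} {adv['id']:14} {dev['asset_id']:7} {dev['model']} {dev['firmware']}")
```

In the constructed data, ICU-12 on firmware 2.10.1 is correctly reported as outside the affected range even though the string "2.10.1" sorts before "2.3.1"; the remaining hits come out ordered by score so the anesthesia device is assessed first.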

At the end of the day, visibility is the key to vulnerability assessment and to mitigating these risks. Luz stressed that it is impossible for entities to secure something they don't know exists. Organizations must therefore invest in tools that provide visibility across the enterprise network so that security controls are properly applied.
