How Cybersecurity Vulnerability Disclosures Help the Healthcare Community
Cybersecurity vulnerability disclosures are essential to spreading awareness, increasing transparency, and encouraging collaboration in the healthcare community.
As the healthcare community continues to grapple with cybersecurity challenges, more device manufacturers, independent researchers, and software companies have been prioritizing cybersecurity vulnerability disclosures as a way to mitigate risk and increase transparency.
Vulnerability disclosures provide organizations with the necessary details and tools to effectively reduce security risks and, hopefully, get one step ahead of malicious hackers.
HealthITSecurity analyzes the recent uptick in vulnerability disclosures and sheds light on how vulnerabilities are discovered and disclosed through the Common Vulnerabilities and Exposures (CVE) Program.
In addition, this article will highlight how medical device company Becton, Dickinson, and Company (BD) runs its disclosure program, and discuss what the healthcare community can do to improve its cybersecurity strategies through vulnerability management.
Exploring the Recent Uptick in Vulnerability Disclosures
In a recent report, Claroty observed a significant uptick in healthcare IoT, IT, industrial control system (ICS), and medical device vulnerability disclosures. Researchers found that ICS vulnerability disclosures grew by 110 percent over the last four years, with a 25 percent increase in the latter half of 2021 alone.
More than 30 percent of the disclosed vulnerabilities impacted IoT, IT, and medical device assets, highlighting the need for proper vulnerability management to reduce exposure.
This uptick in vulnerability disclosures does not necessarily mean that the actual number of vulnerabilities has been increasing. Rather, the data may suggest that more researchers and organizations are prioritizing vulnerability discovery and disclosure to ensure that they find the vulnerabilities before threat actors can.
With patient safety on the line, the healthcare community is right to prioritize strategies that will decrease the risks of a cyberattack. Since unpatched systems and devices are an appealing network entry point for hackers, securing those systems and devices is imperative to avoiding disruptions in care delivery.
Where to Find the Latest Vulnerability Disclosure Information
Across all sectors, the CVE List is the place to go for information on the latest cybersecurity vulnerabilities. The CVE Program is run by MITRE Corporation and sponsored by the US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA).
“The mission of the CVE Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities,” the program’s website states.
Since 1999, the program has maintained the CVE List, which now holds well over 100,000 CVE Records, each containing a brief description of one security vulnerability along with the affected products and references.
The vulnerabilities cover a wide range of security flaws, including those found in medical devices. As healthcare becomes increasingly interconnected and continues to go through widespread digital transformation efforts, addressing security vulnerabilities across the organization is essential.
When an individual or an organization discovers a new vulnerability, they report it to a CVE Numbering Authority (CNA), typically the vendor of the affected product or a coordinator such as CISA or MITRE. The CNA then assigns a CVE Identifier (CVE ID), a unique alphanumeric identifier of the form CVE-YYYY-NNNNN (a four-digit year followed by four or more digits) that is tied to one specific vulnerability.
CNAs usually reserve a CVE ID early in the coordination process, so that the vendor, the reporter, and any coordinators can refer to the issue by a stable name before it is public. Once the details are confirmed, the CNA populates the record with a description, the affected products and versions, and references, and publishes it to the CVE List. Affected organizations then use the published record to drive their own mitigation efforts.
CVE IDs are assigned only to security flaws that meet a specific set of criteria, Red Hat explained. The flaw must be independently fixable, meaning that it can be fixed independently of any other bugs.
In addition, the vendor whose product is affected must acknowledge that the bug has a negative security impact, or the reporter must provide a detailed vulnerability report demonstrating how the bug violates the security policy of the affected system. Lastly, each unique flaw receives its own CVE ID rather than being bundled with others.
“In cases of shared libraries, protocols or standards, the flaw gets a single CVE only if there’s no way to use the shared code without being vulnerable,” Red Hat continued. “Otherwise, each affected codebase or product gets a unique CVE.”
At the time of publication, there were 237 CNAs participating in the CVE Program, including software vendors, coordination centers, bug bounty service providers, research groups, and open-source projects.
To participate in the program, prospective CNAs must have a public vulnerability disclosure policy in place, have a public source for new vulnerability disclosures, and agree to the CVE Terms of Use.
In addition to the CVE Program, many individual organizations have their own coordinated vulnerability disclosure (CVD) processes. For example, CISA operates a CVD program that covers medical devices, IoT, industrial control systems (ICS), and traditional IT vulnerabilities.
Under the CVE Program, CISA is also the Root CNA for industrial control systems and medical devices, a role in which it recruits current and new ICS and medical device vendors to become CNAs themselves, its website explains.
Separate from the CVE Program, the US National Vulnerability Database (NVD), which is run by the National Institute of Standards and Technology (NIST), also publicizes new vulnerabilities. The NVD ingests every record from the CVE List and enriches it with a CVSS severity score, a Common Weakness Enumeration (CWE) classification of the underlying weakness, and Common Platform Enumeration (CPE) applicability statements that name the affected products and versions, which is what vulnerability scanners typically match an asset inventory against.
Additionally, the Common Vulnerability Scoring System (CVSS) is used to score the severity of vulnerabilities on the CVE List. The CVSS specification is maintained by the Forum of Incident Response and Security Teams (FIRST). NVD typically provides a CVSS base score for each CVE Record: a number from 0.0 to 10.0, labeled None, Low, Medium, High, or Critical, that reflects the intrinsic characteristics of the flaw (how it is reached, what privileges it needs, what it compromises). The base score deliberately ignores whether an exploit is circulating and how critical the affected system is in a particular hospital; CVSS has separate temporal and environmental metrics for that, so a base score is a starting point for prioritization rather than the final word.
How BD Runs Its Vulnerability Disclosure Program
In June 2021, BD became the first medical technology company to be authorized as a CNA. As a CNA, BD is authorized to assign CVE IDs to vulnerabilities in its own products and publish the records, using the Common Weakness Enumeration (CWE) to classify the type of weakness and CVSS to communicate severity.
"Being named a CVE Numbering Authority shows trust and confidence in BD cybersecurity practices and our ability to manage reported vulnerabilities," Rob Suárez, chief information security officer of BD, said at the time.
"This designation aligns with our commitment to cybersecurity maturity and making timely information about vulnerabilities in BD products available to customers worldwide."
For Nastassia Tamari, director of information security operations at BD, this designation worked in harmony with BD’s existing coordinated vulnerability disclosure efforts.
When it comes to securing medical devices, healthcare organizations face the challenge of maintaining hundreds of devices on their networks and keeping every one of them secure.
“Transparency and collaboration are always essential, because customers can't protect what they don't know,” Tamari recently told HealthITSecurity.
BD follows a fairly straightforward process from discovery to disclosure. Once BD discovers a vulnerability or receives vulnerability reports from researchers or third-party vendors, the next step is analysis. The company partners with the person or entity that reported the vulnerability to confirm it, and then follows a vulnerability management plan to determine the scope and severity.
Next, BD reports the vulnerability to the US Food and Drug Administration (FDA) and CISA. BD also follows the FDA’s Postmarket Management of Cybersecurity in Medical Devices guidance and works with CISA to develop coordinated vulnerability disclosure bulletins to appropriately communicate the vulnerability to its customers.
Lastly, BD and CISA publicly disclose the vulnerability on their respective websites in coordinated fashion, and BD also shares the vulnerability with Information Sharing and Analysis Organizations (ISAOs) such as the Health Information Sharing and Analysis Center (H-ISAC).
“Software ages just like the human body, and we are always on the lookout for new vulnerabilities,” Tamari continued.
In addition to prioritizing vulnerability disclosures on the manufacturer side, the healthcare organizations that use these devices and software also have an obligation to maintain awareness of the latest vulnerabilities and prioritize patch management.
Improving Patch Management, Vulnerability Awareness in Healthcare
Effectively managing the risks associated with cybersecurity vulnerabilities is a shared responsibility among manufacturers, developers, healthcare organizations, and government agencies.
For example, while it is crucial that device manufacturers incorporate security by design and work with researchers to identify and warn users of security risks, it is also up to healthcare organizations in many cases to act on those disclosures and patch and update software and devices.
Healthcare organizations should prioritize employing a comprehensive patch management strategy and vulnerability management program.
In April, the National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) released final guidance on enterprise patch management (NIST SP 800-40 Rev. 4, Guide to Enterprise Patch Management Planning) to help organizations prevent vulnerabilities and exploitation within their IT systems.
NCCoE directed its guidance toward chief information officers, cybersecurity directors and managers, chief information security officers (CISOs), and anyone else who might be responsible for managing software risks.
“What has made enterprise patch management tougher recently is how dynamic and dispersed computing assets are, as well as the sheer number of installed software components to patch. In addition, patch management processes and technology take different forms depending on the type of assets (e.g., OT, IoT, mobile, cloud, traditional IT, virtual machines, containers),” NCCoE noted.
“The result is that many organizations are unable to keep up with patching. Patching often becomes primarily reactive (i.e., quickly deploy a patch when a severe vulnerability is being widely exploited) versus proactive (i.e., quickly deploy patches to correct many vulnerabilities before exploitation is likely to occur).”
Patching immediately is ideal, but NCCoE acknowledged that immediate patching can be unrealistic in certain situations. Organizations should keep an asset inventory and learn how new vulnerabilities might affect their most critical assets in order to properly assess risk.
Before deploying a patch, NCCoE said that organizations should schedule the deployment, test the patch, and validate it via automation. After deploying, IT teams should monitor the deployed patches, the publication explained.
Organizations must not only maintain a reliable patch management process but also know how to communicate cyber risks to other key stakeholders.
When it comes to medical devices, the process of disclosing vulnerabilities is only one of many steps on the long journey to reducing cybersecurity risks.
Communicating those medical device vulnerabilities is especially delicate. It is crucial to achieve the right balance of communicating risk effectively without simultaneously dissuading users from utilizing life-saving technology. Thankfully, industry groups and federal entities have stepped up to provide guidance.
For example, the Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) released its “MedTech Vulnerability Communications Toolkit” to help stakeholders navigate the process of informing patients of medical device security risks.
The guidance stemmed from the FDA’s best practices for communicating medical device vulnerabilities to patients and caregivers.
In addition, HSCC’s Joint Security Plan (JSP), first issued in 2019, provided a product lifecycle reference guide for medical device manufacturers to use when developing, deploying, and maintaining secure products.
Regardless of the method, effectively managing cybersecurity vulnerabilities is crucial to maintaining patient safety and preventing cyberattacks.