Medical devices: Exploit waiting to happen?

Vulnerability disclosures, patches, threats and new attack vectors; healthcare organizations have an ever-growing responsibility to ensure patient safety, information protection and 24x7 uptime responsibilities for critical systems. Couple that with regulatory compliance requirements, hundreds (if not thousands) of medical device manufacturers and a talent shortage in the information security industry and you have what can appear to be an insurmountable charge to ensure the organization has a comprehensive security program.

We have worked with Health-ISAC and Jeremy Walczak from Catholic Health System - Buffalo to bring some of the challenges and solutions on how healthcare organizations manage the litany of struggles that face them.

Q: With new exploits being disclosed every day from various medical device manufacturers, how do you handle your vulnerability management program?

A: We handle it by creating transparency and awareness. Step one in a robust vulnerability management program is identifying the software and configuration issues in your environment that create vulnerabilities. A wise man once said, “Knowing is half the battle.” With this knowledge you can then begin to take steps to assign ownership, prioritize risk, and identify remediation or containment strategies. Not all vulnerabilities can be patched, sometimes the best you can do is contain and manage the risk.

Q: Has there been any regulatory progress in holding manufacturers responsible for disclosure?

A: There really has not been sufficient progress in terms of “holding manufacturers responsible.” Nothing with any teeth, and certainly nowhere near the levels of accountability that have been established by the OCR for regulated entities. I appreciate where the** FDA has been progressing with the** Cybersecurity Bill of Materials, and closer alignment to NIST CSF, but the device industry really needs to be held to a high standard. Medical devices running on unsupported operating systems is not acceptable…in any industry; but especially if you are responsible for providing potentially lifesaving instrumentation. Vulnerability management is much less of a problem when software is kept current. It comes down to a general maintenance activity.

Q: On the topic of regulatory progress, have there been any improvements to the timeliness of approval of patches and processes to upgrade to systems?

A: Based on what I have experienced the answer is “No.”

Q: Do you feel you have a handle on the influx of vulnerability and threat information coming into your organization daily? What techniques have you employed to help manage and workflow the information?

A: There can never be enough sources of information. The key for us has been our ability to parse it, separate the good from the bad (reliable and unreliable), and turn it into something actionable. We’ve recently made some big strides in key areas of our threat intel program by partnering with Perch. The flexibility of their platform, responsiveness of their SOC, and rate of adoption by our engineers and analysts have been invaluable when it comes to a cost-effective, timely identification and response to near real-time events.

Q: How do you maintain visibility on critical networks and the endless number of IoT devices that connect to your network daily?

A: Through the use of well-designed and intelligently placed monitoring capabilities that take advantage of our purpose-built network, plus automation, and working with a professional SOC (obviously, right?). No IoT device is created equal, therefore we employ a range of security controls and expectations that satisfy our risk-based approach. A good monitoring tool (we use Perch), will take in data feeds from anywhere and everywhere, and quickly isolate and escalate questionable activity based on real-time intel feeds.

Q: Do you feel like you have adequate access to threat intelligence to help you address IoT and medical device threats?

A: Yes, and we do evaluate new feeds as well. H-ISAC is a great source and the more we can integrate with existing threat intel platforms the better. From a threat intelligence perspective, our value prop is interpreting the data available externally, correlating to the known vulnerabilities in our environment, and ensuring adequate plans are in place to manage that risk.

Q: The million-dollar question – where do you see healthcare information security practices growing in the next few years?

A: My guess is we’ll continue to see tighter alignment between healthcare business practices and information security (think a B2C consumer-driven model). A good information security program will put forth a strategy that is transparent in use, readily understood to support corporate strategy, and help drive trusted adoption or expansion of customer friendly experiences. Healthcare will become more and more easy to access and easy to use. Information security will need to be ahead of that evolution in order to prevent serious mishaps.

Perch is proud to have relationships with amazing ISACs and ISAOs like the Health-ISAC. The value they bring by protecting their communities is immeasurable. We also give our deepest appreciation to Jeremy Walczak from Catholic Health System - Buffalo for sharing his knowledge in this blog post for the benefit of the community.

We’d love to hear from you! If you would like to share additional information for this blog post or a new one, please contact us at hello@perchsecurity.com.

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: How can I help?