At MediTechSafe, we are focused on building a robust operating solution for managing the security of medical devices. As described in a recently published MediTechSafe whitepaper, this needs a holistic approach. While operationalizing the changes required to secure the devices is a very important preventive approach, knowing where the sources of vulnerabilities are is just as important for bringing visibility into the enterprise risk status and prioritizing the efforts to remediate it efficiently. In a typical hospital, there are thousands of medical devices to be managed from hundreds of different manufacturers. Hospitals and other healthcare delivery organizations (HDOs) face a daunting task in finding information on which devices are vulnerable and how to remediate them.
The MediTechSafe Security Research Team (SRT) has been on a mission to centralize medical device vulnerability information, analyze it, and provide actionable intelligence to simplify the challenges for those who are responsible for making sure the medical devices are secure. As part of the process, we have uncovered several interesting facts about how manufacturers are managing the important task of vulnerability disclosure. Some of our findings are detailed in this blog post.
WannaCry was a wakeup call to manufacturers
There are several articles written about how the recent ransomware attacks have led to renewed efforts to secure healthcare systems in general and medical devices in particular. Both medical device manufacturers (MDMs) and healthcare delivery organizations (HDOs) are waking up to the fact that there is more to be done. Industry organizations and federal agencies are stepping up their efforts too.
During our research, we have found that most MDMs do not have a structured approach to vulnerability disclosure. In fact, many of them have only recently created a page on their website focused on cybersecurity, with the sole purpose of releasing a statement regarding the impact of the WannaCry / Petya ransomware. Hopefully those MDMs can expand on it and publish advisories on an ongoing basis.
Not all manufacturers are transparent with their approach towards cybersecurity alerts
We have found that while some manufacturers have been very forthcoming with disclosures and the level of detail they provide on their websites, most do not have the level of transparency required to increase awareness among the user community. The efforts from NH-ISAC, FDA and NIST are paving the way for more disclosures being published through ICS-CERT feeds. We found that Siemens is probably the most mature in this respect, with a detailed advisory page covering all of their products as well as a Twitter feed focused on security alerts. This can be seen from the disproportionately high number of Siemens device alerts in our database. Several other manufacturers like BD / CareFusion have detailed content published on their sites, while most others either don’t publish or are just waking up to the reality.
There are enough vulnerabilities in medical devices for us to be worried about
Our alerts database contains vulnerabilities that have been identified and published on 100s of medical devices. Just in 2017, we found 40+ different alerts, with a good number of them related to recent ransomware attacks. Among those alerts, 33 are related to at least one vulnerability with a CVSS score of 9 or above, indicating high criticality. Many of these are due to vulnerabilities in the Windows operating system used by a good number of the devices.
This should be concerning to all of us, whether we manage medical devices or are patients at the receiving end of the benefits offered by these devices.
Patch information is not readily available to the users
Our analysis has revealed that many of the advisories do not include patch information; consequently, many users cannot take immediate action to protect the devices. Of the recent alerts we analyzed, about 75% include some level of patch information; users, however, still have to work with manufacturers to get specific instructions. The remaining 25% of advisories do not contain patch information, and sometimes the devices impacted by those advisories cannot be patched.
Third party operating systems are the leading source of vulnerabilities
Among the advisories that we reviewed, 69% were related to the underlying operating system, predominantly Microsoft Windows based OS versions. About 20% had custom application related vulnerabilities, while the rest were related to hardware or a mix of multiple areas. Of the different OS type vulnerabilities identified, 72% were related to different versions of Microsoft Windows, while 26% were related to proprietary software.
We will continue to share more insights with our user community from our ongoing analysis. This should provide further visibility into the medical device security landscape. At MediTechSafe, we use this information and the underlying specifics to provide actionable intelligence to healthcare providers on ways to mitigate the risk posed by these vulnerabilities in their environment.
MediTechSafe has developed a proprietary solution to help hospitals manage the risks related to their cybersecurity, medical devices and clinical networks. If you are a healthcare provider (or a biomed services provider) interested in learning more about MediTechSafe’s solution, you can reach us at firstname.lastname@example.org.