While US FDA issues alerts for the most severe medical device cybersecurity vulnerabilities, the US Department of Homeland Security (DHS) has seen a spike in potential threats, which it has responded to by issuing advisories.
The growth could have multiple causes, but one likely factor is a positive one, according to government officials: the industry and security researchers are coordinating their efforts to identify vulnerabilities better and improving disclosure policies.
When potential cybersecurity vulnerabilities are found in medical devices, US FDA and industry turn to DHS' National Cybersecurity and Communications Integration Center (NCCIC) for help coming up with solutions.
DHS says it expects the number of medical advisories to keep growing in the future as responsible coordinated disclosures become more common in the health-care sector.
According to DHS, the center has a dedicated team that collects, coordinates and provides vulnerability information across the industrial control systems (ICS) and information technology (IT) community. They work with various researchers and companies to identify, validate, mitigate and disclose vulnerabilities to the industry sectors. The primary objective of the NCCIC is to help mitigate cybersecurity vulnerabilities to prevent potential exploits and attacks against critical infrastructure in the US, such as electricity, water and transportation.
The center has been tracking and issuing advisories on medical devices since 2013, but in the past few years there has been a significant increase in advisories, according to the department.
"From fiscal year 2013 – 2016, the NCCIC issued only seven medical advisories based on reported vulnerabilities," notes a DHS official. "In fiscal year 2017, the NCCIC observed a marked increase in vulnerability reporting from this sector. The [center] coordinated 30 vulnerabilities from the Health and Public Health Sector that led to the issuance of 16 medical advisories."
DHS says the increased reporting of medical device cybersecurity vulnerabilities could be due to increased awareness in the industry and to the risk posed by earlier-designed connected devices that were not originally built with security in mind.
Some devices addressed by the most recent advisories issued by NCCIC are Medtronic's N'Vision Clinician Programmer, GE Healthcare's MobileLink and Philips' Brilliance Computed Tomography (CT) System. According to DHS assessments, all the vulnerabilities can be exploited by malicious hackers with a low skill level, and the resulting damage ranges from access to private patient information to changes in the operation of the device that could result in harm.
DHS lists who brought the cybersecurity vulnerability to its attention and scores the vulnerability. However, it declined to discuss specifics about how it coordinates with security researchers and vendors on coming up with solutions.
"As a practice and to promote voluntary reporting, DHS does not discuss specific details about our coordination with security researchers and vendors," said the DHS official. "The FDA is a federal partner in helping to identify, address and mitigate vulnerabilities in medical devices. The NCCIC routinely collaborates with them to ensure we are providing actionable information to the Health and Public Health Sector and other sectors that could have physical or cyber interdependencies with medical devices."
According to DHS, the NCCIC typically releases alerts soon after a vulnerability or potential exploit is publicly identified. The department issues advisories with information about the nature of the security vulnerability in critical infrastructure devices; they typically include vendor-recommended mitigations.
"In fiscal year 2017, the NCCIC issued more than 270 vulnerability advisories [across industry sectors] and nearly 20 alerts," said a DHS official. "The NCCIC issued 16 medical vulnerability alerts."
Last fiscal year, "NCCIC coordination with product vendors resulted in product fixes for 78 percent of the more than 800 reported vulnerabilities," added the official.
(Also see "J&J, Hacker Work Together To Fix Insulin Pump Vulnerability" - Medtech Insight, 12 Oct, 2016.)
FDA spokeswoman Angela Stark notes the agency has been working closely with NCCIC as it issues medical device advisories and alerts.
"The recent advisories are examples of medical device manufacturers proactively implementing the recommendations outlined in the FDA’s Final Guidance on Postmarket Management of Cybersecurity in Medical Devices," she said. "This includes determining whether a vulnerability presents a controlled or uncontrolled risk, and remediating and communicating about the mitigations in a timely manner."
Stark echoed DHS's optimism about increased disclosures in the future. As more companies implement the post-market cybersecurity guidance, FDA expects more coordinated vulnerability disclosures and expects the practice to become "routine business practice" for manufacturers, she stated.
"This proactive behavior demonstrates the collaborative manner in which vulnerabilities can—and should—be addressed in a way that best protects patients," said Stark. "The FDA generally communicates about specific medical device cybersecurity vulnerabilities when additional information beyond DHS or manufacturer communications is warranted to protect the public health and promote patient safety."
The most recent cybersecurity vulnerability to meet that threshold was for potential exploits of certain Abbott, formerly St. Jude, implantable cardioverter defibrillators (ICDs) and cardiac resynchronization therapy defibrillators (CRT-Ds). (Also see "Abbott Issues New Cybersecurity Patch For Cardiac Devices" - Medtech Insight, 18 Apr, 2018.)