What Medical Device Manufacturers Should Learn in 2021

Topics:
Cryptography
This is some text inside of a div block.
Tools & processes
This is some text inside of a div block.
All authors
All authors

April 21, 2021

What Medical Device Manufacturers Should Learn in 2021

For the past 3 years, MedCrypt has released a white paper analyzing the changes in the ICS-CERT vulnerability disclosure data, the trends we see, and predictions for the future of medical device cybersecurity. Read on to find out what medical device manufacturers (MDMs) can learn from past vulnerability disclosures in 2021.

Advisories have Increased

In December 2016, the Postmarket Management of Cybersecurity in Medical Devices guidance was released including recommendations to participate in information sharing- this was clearly an inflection point.

In the period before the FDA post-market guidance was released, there were 12 advisories and 37 vulnerabilities. In the period after the guidance there were 92 advisories and 232 vulnerabilities.

The average number of advisories reported per month had a 6.4-fold increase after the post-market guidance was issued. There is an average of 4.83 vulnerabilities being released per month, compared to 0.95 per month prior to December 2016. Despite not being mandated by law, the number of published vulnerabilities has increased since the release of the 2016 FDA Postmarket Guidance. This leads us to believe that MDMs view adhering to guidance as a market incentive.

Vulnerability Disclosure Processes

What is a vulnerability disclosure process?

Device manufacturers that include a vulnerability disclosure process provide the opportunity for researchers who discover a vulnerability to report it directly to the manufacturer. Disclosure processes typically include instructions for sending secure, encrypted messages. See the Medtronic Coordinated Disclosure Process for an example.

Who publishes a vulnerability disclosure process?

When medical device manufacturers share vulnerabilities, it is a positive indicator of cybersecurity risk management. Information sharing benefits the entire healthcare ecosystem.

Of the top 40 medical device vendors by market cap, 17 have a published vulnerability disclosure process. This is an increase from 13 vendors in 2019.

The Role of Researchers

Researchers who report vulnerabilities also help promote a collaborative disclosure process. Of the 104 advisories assessed, 73 explicitly referenced a researcher.

Historically, researchers have been viewed as adversaries, but their attribution to 70% of the advisories assessed confirms their positive presence in the ecosystem. There is no mandate to report vulnerabilities through the Department of Homeland Security (DHS), but the ICS-CERT has served as mediator through the process of enabling researchers sharing what they’ve found. Therefore, it makes sense that the majority of disclosures reference researchers. It is therefore perhaps more impressive that MDMs , despite the absence of a legal mandate, continue to self-report vulnerabilities.

What are the root causes of vulnerabilities?

User authentication is a common problem

What causes medical device vulnerabilities? Before the FDA guidance, 43% of vulnerabilities had a user authentication root cause. After the guidance, user authentication still makes up 43% of the vulnerabilities.

This means the vulnerabilities that are most common are not highly sophisticated and customized. What makes it a hard problem to solve? Clinical care is rightfully the priority for developing a medical device. Perhaps this indicates that security is a secondary requirement.

Mitigating Vulnerability Risks

Patching as Mitigation

Prior to the FDA postmarket guidance, the frequency of patching being referenced in an advisory was 48.6%. Since then, it is up to nearly 79%.

This is a positive change that helps offer steps to mitigate vulnerabilities immediately after an issue is identified. But can we patch fast enough to be safe enough?

Interpreting the Findings

How do we interpret the data from the ICS-CERT database? Here are our hypotheses and predictions for the future:

ICS-CERT and the FDA have given researchers a voice through vulnerability sharing that does more than just avoid negative headlines. The system helps drive product development and foster collaboration.

Want to hear a more comprehensive analysis? Read the full white paper and register for the free webinar on April 22nd.

Stay updated on all things medical device cybersecurity

Follow us on Twitter and LinkedIn

Related articles

Understanding the Impact of the Pause in NVD Vulnerability Analysis and Exploring New Solutions
This is some text inside of a div block.

Understanding the Impact of the Pause in NVD Vulnerability Analysis and Exploring New Solutions

Tools & processes
This is some text inside of a div block.
Vulnerability management
This is some text inside of a div block.
MedISAO
MedISAO

May 29, 2024

Medical Device Cybersecurity - 2023 Learnings and 2024 Expectations
This is some text inside of a div block.

Medical Device Cybersecurity - 2023 Learnings and 2024 Expectations

All topics
This is some text inside of a div block.
Axel Wirth
Axel Wirth

December 18, 2023

Subscribe to Medcrypt news

Get the latest healthcare cybersecurity news right in your inbox.

We'll never spam you or sell your information

By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.