Sponsored by Asimily
By Shankar Somasundaram
As cybersecurity problems grow and new vulnerabilities are published daily, timely and efficient patching has become a key problem for health care providers. In the world of IT, patching is important to protect against security threats; in the world of medical devices, patching poses numerous challenges:
- Patching is challenging with the heterogeneity of devices and manufacturers.
- Many vulnerabilities don’t even have an approved patch, since manufacturers cannot always keep up with the volume of vulnerabilities released by third-party vendors.
With delayed patch releases by manufacturers and slow deployment by providers, the security posture of medical devices is less than ideal. To address these issues, some providers resort to security measures outside of the device. Examples include firewalls or anomaly detection solutions that monitor and block issues on the network. While monitoring is an important tool, past cyberattacks have shown us that many might bypass even the best monitoring tools.
To address the problem within the constraints posed in the health care world, providers have to take a different approach.
The first step in solving this problem is to understand that medical devices, unlike IT systems, are configured to perform only a specific set of actions on the network. This means that, unlike IT systems where every vulnerability poses an entry point for an attacker, with medical devices only a small set of vulnerabilities could potentially be exploited. This automatically reduces the number of vulnerabilities that providers must address. For example, Spectre allows hackers to steal private and confidential data and so is seen as a critical vulnerability. But to exploit Spectre remotely, a device would need to use specific versions of specific web browsers. So, unless the device is using an affected browser version, the device will not be at risk due to the vulnerability.
For the vulnerabilities that do pose a risk, the second step is to understand the level of risk each vulnerability poses in the network. Every vulnerability poses a different level of threat to the availability, confidentiality and integrity of the device. Therefore, mapping these different vectors to the device risks can help providers understand how critical the vulnerability is to the device.
Going back to the above example: vulnerabilities related to Spectre affect the confidentiality of data on the device. For example, if there are two devices using the affected version of a browser, the device transmitting private data or connecting to another device which has private data would have a much higher risk than a second device which might not be transmitting private data or might not be connected to a device with private data. Although both have the Spectre vulnerability, their risk levels are quite different.
As the third and final step, for the remaining list of high-risk vulnerabilities, understanding the ways in which the vulnerabilities can be exploited allows the provider to mitigate them either by hardening the device or by implementing additional focused security controls on the network.
The net outcome would be a shorter list of vulnerabilities that need to be addressed as a priority, allowing providers to focus their scarce resources where they are most beneficial and, through the mitigation process, minimize their overall risk posture.
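The three steps above can be sketched as a small triage script. This is an added example, not Asimily's product logic or code from the article; the device names, component names, the `example-dos` vulnerability and every numeric weight are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Vuln:
    name: str
    requires: str  # component that must be present for remote exploitation
    impact: dict   # 0..1 threat per dimension: "C", "I", "A"

@dataclass
class Device:
    name: str
    components: set
    private_data: bool        # transmits private data
    peers: tuple = ()         # names of devices it connects to
    integrity: float = 0.5    # assumed importance of integrity for this device
    availability: float = 0.5 # assumed importance of availability

def confidentiality_weight(dev, fleet):
    # Assumed weights: own private data > reachable private data > neither.
    if dev.private_data:
        return 1.0
    if any(fleet[p].private_data for p in dev.peers):
        return 0.8
    return 0.1

def triage(fleet, vulns):
    """Return (device, vuln, score, precondition to harden), highest risk first."""
    findings = []
    for dev in fleet.values():
        w = {"C": confidentiality_weight(dev, fleet), "I": dev.integrity, "A": dev.availability}
        for v in vulns:
            if v.requires not in dev.components:  # step 1: not exploitable here
                continue
            # Step 2: map the vulnerability's C/I/A threat onto device context.
            score = max(v.impact.get(k, 0.0) * x for k, x in w.items())
            findings.append((dev.name, v.name, round(score, 2), v.requires))
    return sorted(findings, key=lambda f: f[2], reverse=True)

# Constructed sample data; component names are placeholders.
VULNS = [Vuln("Spectre", "affected-browser", {"C": 1.0}),
         Vuln("example-dos", "remote-mgmt-service", {"A": 0.9})]
FLEET = {d.name: d for d in [
    Device("imaging-ws", {"affected-browser", "remote-mgmt-service"}, True),
    Device("gateway", {"affected-browser"}, False, peers=("imaging-ws",)),
    Device("kiosk", {"affected-browser"}, False),
    Device("infusion-pump", {"remote-mgmt-service"}, True, availability=1.0),
]}

print(*triage(FLEET, VULNS), sep="\n")
```

The last field of each row names the precondition that step three would target, either by hardening the device or with a focused network control.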
Asimily, through its detailed patch and prioritization module, provides such a capability in an automated manner by combining network discovery, vulnerability research, device context and other parameters. Providers can now focus only on what matters in their environment to minimize their risk while continuing to focus on their job of providing high-quality patient care.
Shankar Somasundaram is the CEO of Asimily (www.asimily.com). He has been involved with medical device cyber-security and cyber-risk for many years, having contributed to the FDA draft guidelines as well as the recent book by AAMI on medical device cyber-security. He previously ran the connected device business at Symantec with a focus on health care and held leadership positions at other companies before that.