As part of the “Post-Market Management of Cybersecurity in Medical Devices” written by the FDA, medical device vendors were encouraged to participate in a “threat sharing” program, where vendors report cyber vulnerabilities they’ve encountered. The findings are meant to help organizations learn more about the risks connected medical devices introduce to the health care system by providing information to:
- Minimize cybersecurity risk
- Prevent vendor products from having the same or similar vulnerabilities
From 2013 to August 1, 2018, 122 cybersecurity vulnerabilities have been tracked. As it turns out, many of the vulnerabilities have similarities. According to the results, 66% of reported advisories were caused by two issues: code defects and user authentication.
Defining the Vulnerabilities
What is a Code Defect?
Code defects are described as imperfect implementations of otherwise secure software designs. With proper risk assessment, many code defects can be discovered during the verification and validation process. Though code defects are a notable problem — ranking number two in the study— it’s a distant second from user authentication issues. Code defects account for roughly 25% of all reported issues.
What are User Authentication Issues?
Vulnerabilities attributed to user authentication accounted for 42.3% of the vulnerabilities in the study, making it incredibly important to focus on within the health care sector. A common example of user authentication issues could be “hard-coded” user credentials, such as a password or cryptographic key, used across devices. Failure to require secure user authentication for critical functions can leave devices susceptible to attack.
Reported Vulnerabilities are Rising
Though this study is an essential step toward understanding vulnerabilities, it’s only the tip of the iceberg.
The stigma surrounding cybersecurity vulnerabilities has caused vendors to limit the information they provide, and only disclose it when absolutely necessary. For this reason, only a small segment of vendors submitted information to the aforementioned study.
Additionally, after the release of “Post-Market Management of Cybersecurity in Medical Devices”, disclosed vulnerabilities increased 5.5 times. Experts are considering whether there was actually an increase in vulnerabilities, or if heightened awareness impacted the reports.
The estimated number of connected medical devices is set to grow as well. According to the IBM Institute for Business Value, the number of content devices is expected to increase from 10 billion to 50 billion over the next decade, leaving opportunity for more vulnerabilities to occur.
Mitigating the Risk
All we can do is consider the available data and take action. Luckily the largest issue, user authentication, is a solvable problem. Every healthcare facility should take the following steps, at the bare minimum.
Implement Two-step Authentication
Two-step authentication is an extra layer of security that requires not only a password and username but also a phone number or piece of information only the user should have access to.
Limit access to your network
The fewer credentials in the universe of your connected devices, the smaller the risk. Limit access to those on staff who need it, and always diligently remove users who no longer need access.
Require Stronger Passwords
Tools like EZPD can easily create unique passwords that meet the requirements of a strong password, like character count and diversity.