The delicate process for disclosing software and hardware bugs in medical devices has made important strides in recent years, according to experts, as big manufacturers have set up disclosure programs and the threat of lawsuits against security researchers has receded. Health care cybersecurity hands are now looking to capitalize on what they say is growing trust between manufacturers and researchers to strengthen vulnerability disclosure in the industry.
“There’s still a lot of work to be done to make it better, but man, has it come a far way,” Jay Radcliffe, a cybersecurity researcher at medical device manufacturer Boston Scientific, said at the BSides Las Vegas conference Tuesday. “And as a researcher, that makes me a lot more comfortable doing my disclosures and doing my research.”
Radcliffe, who is diabetic, told the story of a presentation he gave at Black Hat in 2011 on hacking insulin pumps.
“At that time, the state of disclosure was pretty chaotic,” he said. “I didn’t feel comfortable enough going to the manufacturer to disclose that before my talk” out of fear of getting sued.
The Digital Millennium Copyright Act, for example, could have been used to prosecute researchers for accessing copyrighted data on a device. But a three-year exemption to that DMCA provision for “good faith” research, instituted in October 2015, has helped lift the specter of lawsuits. And last year, Radcliffe said he worked hand-in-hand with a different manufacturer when he found the same type of vulnerability in an insulin pump.
“They said, ‘Great. We have a vulnerability intake program and we want to work with you and make sure that we address these issues correctly and safely,’” he recalled. That greater collaboration between researchers and manufacturers in health care mirrors the progress in vulnerability disclosure made in other sectors, such as the automotive industry.
Health care delivery organizations are demanding more secure devices, according to Radcliffe. “They actually are doing their homework and they’re asking lots of questions of us – of how we are testing these devices, how are we guaranteeing that these devices that they’re buying are going to be secure not only now, but secure going forward for the next five, 10, 15 years,” he said.
In recent years, industry heavyweights like Johnson & Johnson have set up vulnerability disclosure programs, while the Food and Drug Administration has advised manufacturers to “systematically” address cybersecurity risk, including through a coordinated disclosure process. Nonetheless, industry insiders say more work is needed to make these practices widespread.
Suzanne Schwartz, a top cybersecurity official at the FDA, said she would like to see wider adoption of vulnerability disclosure programs among medical device manufacturers beyond the “two handfuls” of companies that are leading the way. Within the next year, she said, industry groups will be identifying the concerns and challenges that may be keeping many manufacturers from setting up programs. The goal, she said at the BSides panel, is to ramp up the number of companies that have programs from roughly 15 today to, say, 100.
The maturing of vulnerability disclosure programs comes as the health care industry has grappled with the persistent threat of ransomware, with hackers looking to exploit health care facilities’ reliance on sensitive data. In January, for example, the SamSam ransomware struck an Indiana hospital’s computer network, and hospital officials paid hackers roughly $50,000 to unlock the data.
To prepare for attacks like that, Radcliffe said hospitals need to have a clearer understanding of their IT assets and how to make them more secure. “It makes me very nervous to see the amount of devices that go unpatched,” he said.
For her part, Schwartz said the FDA has been working with cybersecurity company MITRE and the states of Massachusetts and New York to produce “playbooks” in helping hospitals prepare for and respond to such cyberattacks.