Cyber Safety Disclosure

Vulnerability disclosures for safety-critical systems are f’n hard. Even when the finder/reporter and receiver/manufacturer are working closely in good faith, things get weird AF. When there’s low levels of trust, the weird go pro and things quickly break down. But no matter how frustrated we get with each other, we can and must find common ground around the desire to protect patients. Time to put the hard problems on the table and fight together to address them, rather than keeping on fighting each other.

This discussion will cover ways to overcome some of the hard problems from vulnerability disclosure in safety-critical systems, through a lens of healthcare and medical device disclosures. This session will cover:

The problem with understanding severity and criticality. CVE, CVSS, etc. – CVE and CVSS have issues (see also, our BSidesLV talk), but even when we agree they work well, it’s not generally for safety-critical industries.

Communications – Reporter, manufacturer, FDA, DHS, AHA, NH-ISAC, and others all put out information on the same issue, often in conflict. Where is the single source of truth? Who does a doctor/patient listen to? How do you drive alignment?

Timelines – Comms takes time. Fixes take time. Often these are staggered, not in parallel. Often they rely on outdated methods like newspaper notices, snail mail, etc.

Relay Race – Write the bug -> find the bug -> fix the bug -> test the fix -> publish the fix -> apply the fix. And if you skip a step, or someone doesn’t do their job, patients may be at risk from going public.

Year-0 for Healthcare – Medical device makers don’t have 20+ years experience with disclosures like in software/internet. Sometimes they think they don’t MAKE mistakes, or they’re sufficiently bounded to prevent harm from vulnerabilities.

Technical Event Horizon – Even when you can show a hack is possible, it may not cause physical effects; even when it does there may be non-technical mitigations already in place; even when there aren’t, the harm may be detectable before it becomes truly harmful. Researchers can’t see that from their vantage point.

Presented by