Interest in medical device cybersecurity is rapidly increasing. Fortunately, so far, there are no publicly reported incidents in which compromised devices were known to adversely affect patient safety, but nobody wants to see such an event take place. Vulnerabilities -- flaws in coding or misconfigurations -- are discovered throughout the lifecycle of medical devices. Attackers exploiting these vulnerabilities can steal PHI, use a device as an entry point into a hospital network, or intentionally cause patient harm or interfere with treatment.
All stakeholders need to assess the severity and risk of these vulnerabilities, but they have different perspectives and needs. Manufacturers want to prioritize vulnerabilities and determine if an emergency patch is needed or if the fix can be folded into the regular maintenance program.
Manufacturers know how to perform safety analysis with respect to intended use and accidental misuse, but now they must extend their analysis to consider the impact of malicious misuse by a sentient adversary, and they must perform such analysis in two different time frames: pre-market (before submitting the device for FDA approval) and post-market (after vulnerabilities have been discovered). Security researchers know how to discover vulnerabilities, but they might not have the knowledge or context to link their technical findings to a real-world clinical impact, and a device’s own safety-oriented architecture might prevent vulnerabilities from affecting patient safety. Healthcare providers want to know if their devices are at risk and if their compensating controls are sufficient or need to be increased.
While clinical engineers already have a full plate managing day-to-day risk such as alert fatigue, they also must determine how to prioritize and mitigate new vulnerabilities with respect to patient safety, in light of potentially hyped or inaccurate information. Further, hospitals may be required to perform risk assessment along other dimensions such as HIPAA compliance, clinical usefulness, and the role of medical devices as pivot points for attacking other IT assets. Patients want to weigh the risks of being treated with the devices. Finally, the FDA wants to know if they need to act, perhaps by issuing a safety communication or even recalling the device.
In support of the FDA’s Center for Devices and Radiological Health (CDRH), MITRE is working with the medical device community to adapt CVSS for medical devices. We will leverage other severity and risk scoring systems to take into account such elements as intrinsic and external controls, and the impact on patient safety. In particular, we're looking at the Common Weakness Scoring System (CWSS) and the associated Common Weakness Risk Assessment Framework (CWRAF).
We will describe how CVSS and other IT-oriented mechanisms may help in performing more consistent risk assessment of medical devices across multiple stakeholders. We will also cover problem areas that cannot be addressed by traditional IT-based approaches. Our talk is intended to inform and engage with researchers, manufacturers, clinical engineers, patients, and interested parties from other industries for which physical safety and cybersecurity are intertwined.
Steve Christey Coley is a Principal Information Security Engineer in the Cyber Security Division at The MITRE Corporation, supporting the FDA CDRH on Medical Device Cyber Security. He likes changing his last name every two decades or so. With cybersecurity experience dating back to 1993, Steve was the co-creator and Editor of the Common Vulnerabilities and Exposures (CVE) list and chair of the CVE Editorial Board from 1999 to 2015. He is the technical lead for the Common Weakness Enumeration (CWE), Common Weakness Scoring System (CWSS), and the community-driven CWE/SANS Top 25 Most Dangerous Software Errors. He was a co-author of the influential "Responsible Vulnerability Disclosure Process" IETF draft with Chris Wysopal in 2002. He was an active contributor to other efforts including the Common Vulnerability Scoring System (CVSS) version 2, the Common Vulnerability Reporting Framework (CVRF), NIST's Static Analysis Tool Exposition (SATE), and certain non-public projects involving the assessment of static code analysis tools, and the SANS Secure Programming exams. His current interests include ensuring that emerging technologies do not repeat the chaotic path to effective vulnerability management that occurred with enterprise software in the 1990s; secure software development and testing; consumer-friendly software security metrics; the theoretical underpinnings of vulnerabilities; developing analogies between epidemiology and information security (e.g. within vulnerability statistics); improving the exchange of vulnerability information across global regions, language boundaries, emerging industries, and newly-connected technical domains; and making the cybersecurity profession more inclusive, diverse, and accessible to everybody who seeks a place in it. He holds a B.S. in Computer Science from Hobart College.
Penny Chase is the Information Technology and Cyber Security Integrator in the Information Technology Technical Center at The MITRE Corporation. In this role Penny promotes collaboration across MITRE’s Information Technology and Cyber Security Technical Centers. Previously she was the Department Head for Human Language Technology within the Information Technology Technical Center. She has led MITRE and government-sponsored projects in developing structured representations for malware and threat information, security visualization, software assurance, malware analysis, reverse engineering, software architecture and design pattern recovery, network penetration testing, legacy database encapsulation, machine learning, and discourse-based natural language interfaces. Penny’s research has been presented at dozens of conferences. Penny is the Principal Investigator of a MITRE Sponsored Research Project on medical device security and safety, and supports MITRE’s FDA/CDRH project on medical device cybersecurity. She is also the Principal Investigator of the Sharing Healthcare Fraud Data MSR. In addition, Penny leads the Malware Attribute Enumeration and Characterization (MAEC) project for DHS. Previously she chaired the DHS/DOD/NIST Software Assurance Forum Working Group on Malware; served as the Deputy Director of the ARDA Northeast Regional Research Center, managing workshops that addressed Intelligence Community challenge problems; and was a member of the NASA Advisory Council’s subcommittee on Avionics, Software, and Cybersecurity. Penny received her Bachelor of Arts in Mathematics and History (with Harpur College Honors) from the State University of New York at Binghamton in 1975. She received her Master of Arts in the History of Science from Harvard University in 1976 and her Master of Science in Computer Science from Harvard University in 1986.