Medical Device Vulnerability List Topped By User Authentication Problems

Posted on August 27, 2018 I Written By

Anne Zieger is veteran healthcare branding and communications expert with more than 25 years of industry experience. and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also worked extensively healthcare and health IT organizations, including several Fortune 500 companies. She can be reached at @ziegerhealth or www.ziegerhealthcare.com.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a government organization which addresses threats to US infrastructure, helps numerous industries share data on cybersecurity threats. This includes building a repository of cybersecurity advisories which medical device manufacturers can use to communicate with customers.

According to a new analysis by security vendor MedCrypt, the number of cybersecurity threats reported to ICS-CERT has been growing over time. ICS-CERT released 47 advisories related to medical devices between 2013 and August 1, 2018, which included a total of 122 cybersecurity vulnerabilities.  While 12 advisories were released between October 2013 and late December 2016, it issued 35 advisories between late December 2016 to August 1 of this year. Also, while six companies were identified as having faced cybersecurity issues during the first interval, 18 were noted during the second.

The number of vulnerabilities noted has climbed as well, from 37 during the first time period to 85 during the second. According to the MedCrypt analysis, 66% of the reported advisories were related to code defects and user authentication issues. The most common cause was user authentication, which climbed from 16 to 36 instances between the two time periods, followed by code defects, which increased from 5 to 24 instances. Other areas of vulnerability included encryption issues, third-party libraries, system configuration and operating system problems.

It’s hard to determine what all of this means by scanning these statistics, interesting though they may be, but MedCrypt had some additional observations to share about the ICS-CERT data as a whole:

  • The complexity of the vulnerabilities discovered is likely to increase. Some of the more deeply technical kinds of vulnerabilities found in other ICS-CERT participating industries haven’t turned up in medical device disclosure data, including less than 10% of those found in subcategories, but they will. “Most [advisories] have focused on ‘low hanging fruit,’ like user authentication,” the report observes.
  • So far, ICS-CERT participants have reported finding few vulnerabilities related to cryptography issues, such as vulnerability reports citing the commonly-used OpenSSL open-source encryption library.
  • User authentication problems are becoming more common, accounting for 42.3% of vulnerabilities included in advisories after January 1, 2017. The report suggests the future advisories will address concerns emerging from deeper in the technology stack as medical device cybersecurity matures.

As connected medical devices become standard in healthcare organizations, medical device makers will spend more resources on securing them, and eventually, they will bake cybersecurity protections into their engineering, R&D and quality processes, MedCrypt predicts.