Medical Device Vulnerability Remediation: What Comes First?

“An ounce of prevention is worth a pound of cure,” so the saying goes. Yet, prevention is never 100% guaranteed when it comes to cyberattacks and the rampant vulnerabilities that plague connected medical devices. As discussed at the beginning of this blog series, IoMT-focused cyberattacks have occurred in 82% of healthcare organizations. These attacks often stem from vulnerabilities embedded in the devices themselves.

Once you’ve identified the applicable vulnerabilities, you face the daunting challenge of determining what to address first. Do you focus on the highest-risk vulnerabilities first? Or maybe those with lower risk but that are easier to exploit? Having good processes in place improves prioritization, allowing you to maximize the risk reduction.

In our second part of this three-part blog series focusing on vulnerability management for medical devices, we’ll explore the critical process of prioritizing vulnerabilities for remediation.

Note: The first part of this series, exploring how to manage vulnerabilities during the development process, can be found here. The third and final part, looking into the people and roles needed for a successful vulnerability management program, can be found here.

Critical Condition – When Everything Is High-Impact

Wouldn’t it be nice if vulnerabilities occurred in neatly ordered hierarchies that allowed organized remediation? Unfortunately, the reality is closer to the flow of an emergency room — everything disastrous happens at once. Organizations often identify multiple high-impact vulnerabilities that threaten consumer safety and, if exploited, would cause serious production, financial, or reputational damage. Unless you have unlimited resources, decisions must be made. It’s easy to get overloaded or stymied into a state of ‘analysis paralysis’ when deciding the best remediation sequence. However, it’s possible to categorize and systematically assemble an optimal remediation plan with a few straightforward questions.

This problem requires the same approach used in the emergency room scenario mentioned above. Triage takes place and establishes priority based on a comprehensive vulnerability assessment process. This includes assessing what the vulnerability does, whether it can be exploited in your product, and whether the product is in production or in development. This assessment requires a holistic understanding of security, the product, and the use cases.

What Does It Do?

Before you can determine how to prioritize a vulnerability, you need a fundamental understanding of what the vulnerability does. This requires knowing both how attackers can exploit it and what happens when they do. There are multiple ways for vulnerabilities to be triggered, and how complicated a vulnerability is to exploit directly affects how dangerous it is. An exploit that can be executed over the internet without any action by an existing user is far easier to use than one that requires direct physical access to the device. Knowing how bad actors can leverage a vulnerability is crucial for later steps.

The other component of understanding what a vulnerability does is knowing the potential consequences and impact when the exploit is executed. The impact can run the gamut from causing a minor glitch in the visible output to gaining complete control over the device. Once the complexity and the impact are assessed, these two factors together allow you to evaluate and rank the vulnerabilities for remediation.

Can Attackers Exploit It?

Once you understand what a vulnerability does, you can directly assess whether an attacker could trigger the exploit on your device. Context-based analysis is a process that helps businesses understand if the way their product is implemented or utilized might prevent a vulnerability from being leveraged for an attack.

For instance, a known vulnerability might specifically use a USB interface as an attack vector for it to execute. Knowing whether or not your product has a USB port enabled on it by default is critical for determining whether or not the component truly is vulnerable. For a software engineer, assessing this might require collaborating across teams to determine whether the USB port is enabled by default in production.

So even if the vulnerability exists in your software, mitigating circumstances, such as the disabled USB port mentioned above, may reduce the chance that cybercriminals will execute the exploit. This process is a quick way to de-prioritize vulnerabilities an attacker is unlikely to leverage.

Does It Affect a Product in Operation?

The final question to answer when prioritizing vulnerability remediation is whether the product is in production or still under development. Vulnerabilities in devices already in production are far more critical to remediate than those in devices still in development, because production devices have more exposure to the active criminal element. Customers (HDOs) and users (patients) expect medical devices to be safe and secure, which escalates the priority for dealing with these vulnerabilities.

On the other hand, vulnerabilities on products still in development are less urgent. Instead, the development team can prioritize them and work them into the development cycle prior to release. This allows this type of vulnerability to be moved lower on the priority list for remediation.
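One way to turn the three triage questions above (what it does, whether an attacker can reach it on this product, and whether the product is in production) into a repeatable ranking, as an added illustration rather than code from the post or from Cybellum. The weights, the `Vuln` record, and the sample device build with its USB port disabled are all constructed assumptions, not values from the post or any standard.

```python
from __future__ import annotations
from dataclasses import dataclass

# Question 1a: how hard is the exploit to trigger? Higher = easier (remote).
VECTOR_SCORE = {"network": 4, "adjacent": 3, "local": 2, "physical": 1}
# Question 1b: what happens when it is triggered?
IMPACT_SCORE = {"control": 4, "data": 3, "availability": 2, "glitch": 1}
# Question 3: production exposure escalates priority; development does not.
LIFECYCLE_SCORE = {"production": 2.0, "development": 1.0}


@dataclass
class Vuln:
    vuln_id: str
    vector: str            # attack vector needed to trigger the exploit
    impact: str            # worst-case consequence when triggered
    interface: str         # interface the vector depends on, e.g. "usb"
    lifecycle: str         # "production" or "development"
    user_interaction: bool = False

def reachable(v: Vuln, enabled_interfaces: set[str]) -> bool:
    """Question 2 (context-based analysis): is the interface the exploit
    needs enabled on the product as shipped? Disabled does not remove the
    flaw; it lowers the chance an attacker can leverage it."""
    return v.interface in enabled_interfaces

def priority(v: Vuln, enabled_interfaces: set[str]) -> float:
    """Combine exploit complexity, impact, reachability and lifecycle into
    one comparable score (illustrative formula, a constructed assumption)."""
    complexity = VECTOR_SCORE[v.vector] - (1 if v.user_interaction else 0)
    score = complexity * IMPACT_SCORE[v.impact] * LIFECYCLE_SCORE[v.lifecycle]
    if not reachable(v, enabled_interfaces):
        score *= 0.25      # de-prioritize, but keep it on the list
    return score

def triage(vulns: list[Vuln], enabled_interfaces: set[str]) -> list[str]:
    """Vulnerability ids ordered for remediation, highest priority first."""
    ranked = sorted(vulns, key=lambda v: priority(v, enabled_interfaces), reverse=True)
    return [v.vuln_id for v in ranked]

# Constructed sample: a device build where the USB port is disabled by default.
SAMPLE = [
    Vuln("VULN-A", "physical", "control", "usb", "production"),
    Vuln("VULN-B", "network", "data", "ethernet", "production", user_interaction=True),
    Vuln("VULN-C", "network", "control", "wifi", "development"),
    Vuln("VULN-D", "local", "glitch", "console", "production"),
]
ENABLED = {"ethernet", "wifi", "console"}
```

On the sample build, the production device's network-reachable data flaw ranks above the development build's full-control flaw, and the USB-only flaw drops to the bottom because the port is disabled; re-enable "usb" in ENABLED and it climbs back up.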

Bake It Into the Process

Complete vulnerability management requires building out the entire lifecycle to ensure all aspects are addressed. Triaging and prioritization are only a piece of a holistic vulnerability management program. For medical cybersecurity, the guidelines and standards from the IMDRF, European Commission MDCG, FDA, and others define an in-depth process that governs how vulnerabilities are assessed, mitigated, and continually monitored.

Vulnerability management starts with an in-depth assessment of the product. This begins with gathering an inventory of the various software components to create a comprehensive software bill of materials (SBOM / CBOM). From here, research is conducted on the different vulnerabilities, whether known CVEs correlated against the inventoried software assets or zero-day coding weaknesses. At this point, vulnerability assessment and prioritization can occur.

Finally, the entire product security lifecycle needs to be tracked and monitored via risk exposure dashboards and reports. This final step adds in the governance and tracking to provide visibility into the entire process.

Managing Vulnerabilities Efficiently

Effective vulnerability management programs require organizations to understand how to assess risk and prioritize mitigation activities in the context of the specific device and specific threat. To do this, teams must collaborate to create a holistic understanding of the product and its implementation. This information is crucial to triage vulnerabilities and determine prioritization and focus.

For deeper insights and detailed information on processes and policies supporting an effective and efficient vulnerability management program, download Cybellum’s eGuide The Blueprint.