In 2020, 34% of all breaches involved the healthcare sector. Medical device manufacturers (MDMs) face constant pressure to accelerate digital innovation while struggling to keep their devices safe, secure, and compliant. A crucial part of making that happen is building and maintaining a solid vulnerability management program. We hear a lot about automation and software tools in vulnerability management, but the fact is that a good program doesn’t happen without people: a successful vulnerability management program requires a team of skilled and dedicated professionals.
A vulnerability management team combines vital roles that support the processes and technology previously discussed in this three-part blog series. Each role leverages essential capabilities to create a balanced and effective program. These roles cover everything from proactive risk mitigation to vulnerability assessment and remediation. Our final installment of this series on medical device vulnerability management discusses the people and roles that must be fulfilled for medical devices to be secure, safe, and compliant.
Note: The first part of this series, exploring how to manage vulnerabilities during the development process, can be found here. The second part of this series, looking at how to prioritize vulnerabilities for remediation, can be found here.
Building the Foundation
Vulnerability management requires a great deal of planning and architecting to meet numerous regulatory requirements, such as the FDA’s premarket and postmarket guidelines on medical device cybersecurity management as well as the newer International Medical Device Regulators Forum (IMDRF) “Principles and Practices for Medical Device Security.” This guidance goes beyond current practices, providing industry recommendations to assist in the creation of a comprehensive vulnerability management program applicable to any medical device provider.
Some businesses dedicate a whole team to meeting regulatory requirements. This team should consist of broad subject matter experts who help drive the security lifecycle throughout the product organization. Driving the security lifecycle is done through security education, culture, governance, and coordination between all parties contributing to product security.
Protecting The Product
Product security is a role that entails pushing security initiatives for the product and its development. This role acts as the subject matter expert over development across all product lines to enhance the security of medical devices. While there are situations where they handle vulnerability assessment and management as well, their primary goal is oversight and high-level vision. They work closely with other team members to drive initiatives that improve security for all medical device products the company makes.
Another product-related role is program security champion. This role partners with the development team and suppliers to secure product architecture and design. These professionals are responsible for securing a specific device or component. They focus on ensuring the product adheres to the required standards and regulations. They review research and findings for medical IoT vulnerabilities and may even work to identify coding or design weaknesses.
Despite the best efforts of product security to prevent vulnerabilities and security issues, there is always the potential for unexpected issues to be discovered. Red teams focus on finding these flaws before bad actors do, using techniques similar to those of cybercriminals. Tools such as static application security testing (SAST), dynamic application security testing (DAST), fuzzing, and traffic analysis allow them to discover vulnerabilities and flaws early in the development process.
Red teams are the equivalent of an external pen testing engagement without the additional overhead of scheduling and payment. They support the development process and test against the product configured as it is intended to be deployed. This assists in discovering vulnerabilities that may, on their own, be low risk but that have a cumulative high impact when combined: the danger may only be present when they are chained together, whereas each alone is a low risk.
When the red team discovers vulnerabilities early, these issues can be escalated to developers and external suppliers. Remediation is less time-consuming and costly while products are still in development.
Timely Incident Response
Even with a program that triages, prioritizes, and promptly addresses vulnerabilities, not every security issue is discovered before production, and new exploits may emerge once medical devices are in operational use. Post-production security issues are time-sensitive and require an in-depth understanding of potential risk. The product security incident response team (PSIRT) is responsible for investigating post-production incidents, timely assessment of exploits, and incident resolution.
When incidents happen, be it a vulnerability discovered or a breach of a device, the PSIRT is responsible for in-depth analysis of the situation. They perform root-cause analysis to determine the cause of the incident and any underlying factors that contributed to it.
As part of the incident response process, the team is responsible for communication with all essential stakeholders, ranging from internal partners in corporate communications and legal to external vendors, security researchers, and ethical hackers. They work alongside the development teams and external suppliers to create a mitigation plan for the existing incident. They also liaise with the product security team and program security champions to assess impact across other product lines and to prevent recurrence in the future.
It Takes a Team
Implementing an effective vulnerability management program is a team effort. It requires a range of expertise and experience to meet the myriad compliance guidelines and regulations. For deeper insights and detailed information on building a first-class vulnerability management team, download Cybellum’s eGuide The Blueprint.