Vulnerability disclosures are a critical part of strengthening medical device security, and in recent years, researchers have ramped up their own analyses based on their metrics to support the healthcare sector. But the oft fear-based narrative has some stakeholders concerned.
While stressing the importance of vulnerability research and continued support for healthcare providers, Saif Abed, MD, director of cybersecurity advisory services for the AbedGraham Group, makes the case for simplifying research specific to healthcare.
Since the wave of cyberattacks targeting the healthcare sector began in 2016, a common topic for security presenters and vendors is the potential for an attacker to crack into a vulnerable device, like an infusion pump, and interfere with the dosage, thus causing a catastrophic event.
The narrative has generated a great deal of awareness around the importance of medical device security, which certainly can’t be understated, given that securing the complex device ecosystem is one of the biggest security challenges facing healthcare providers.
But now that awareness in healthcare has piqued, these narratives based on fear may be doing a disservice to healthcare decision makers tasked with prioritizing needed security projects, while struggling with a small budget and staffing shortages, explained Abed.
“A lot of the marketing people don't realize that this might create some clicks when you write a message like that, but people like me are going to be critical and share our criticism with decision makers, if and when asked about it,” said Abed.
To be clear, vulnerability research is critical to understanding ongoing threats to the healthcare ecosystem, he added. But vendors and researchers should ensure they’re not muddying the waters in their attempts to inform the sector of the latest risks.
Hypothetical dangers versus tangible, scalable attacks
Despite the vast digital innovation in healthcare, systemic cybersecurity issues persist for the majority of provider organizations. Security and IT leaders operating outside healthcare would likely be astounded with how entities secure — or don’t secure — their complex ecosystems.
The list of head-scratching elements include a heavy reliance on legacy systems, prominent use of virtual private networks (VPN), low- to slow-adoption of multi-factor authentication (MFA), lack of visibility into complete device inventories, continued use of unpatched or end-of-life devices, and, for some, the lack of a designated security leader.
With stringent resources (just 3% to 6% of budgets designated to cybersecurity) and staffing shortages, those tasked with security must wisely choose the most efficient way to secure the network and are often still left accepting a certain amount of risk.
While disclosures are key to supporting providers with determining how to reduce more prevalent risks, Abed explained the way these disclosures are framed can impact decision making.
Many research narratives contain phrases that pose attack scenarios based on a single device, he continued. There are numerous hypothetical attack models that involve interfering with a device function, or changing medication flows for a specific type of device. But why would an actor conduct an attack on one person?
Outside of very specific scenarios with likely political motivations, these types of attacks are far less likely than those able to be completed at scale, Abed explained. “These attack models are unlikely to happen because the existing threat models for ransomware are too easy. It's just too easy. If it ain't broke from a criminal perspective, why fix it?”
For ransomware or cyberattacks to be worthwhile to cybercriminals, the attacks must be scalable and “compelling enough to do it that way, versus exploiting a VPN or SMB vulnerability.” And “those attacks have to stop being viable threat models anymore for them to consider a more drastic method, and it also has to be scalable,” said Abed.
In short, “the threat model isn't compelling,” stressed Abed. It reiterates the point that without clinician or broader healthcare experience, some researchers can’t understand the context needed for vulnerability-based attacks. As such, “what they postulate will not be relevant.”
Healthcare doesn’t require a fear-based narrative, given the very nature of its complex ecosystem. The average hospital relies on thousands of devices to maintain safe patient care but lacks visibility into the inventory, device communication, and whether a device contains the latest disclosed critical flaw.
Under the right circumstances, any known flaw could be leveraged to give an attacker a foothold into an organization to then execute a more elaborate chain, which will enable a more scalable attack, he explained.
“No one is incentivized to conduct an attack that takes down a couple of devices,” said Abed. “What can I ransom with a couple of devices that you can replace or backup? There is a use case for these, but it should not be the primary narrative.”
Limited healthcare resources beg for direct, parsed research
The importance of third-party vulnerability research is paramount. Healthcare needs outside, freely available research. The concern for Abed is that healthcare is already inundated with patient safety concerns, while determining where to spend limited resources.
Given the ongoing risk to patient safety and its limitations, it’s crucial for security vendors to be mindful of language when they market their solutions or white papers to the sector — especially when it comes to potential attack vectors as these narratives often drive decision making from the top — and could pull funds from where the resources are actually needed the most.
“It's not just that the messaging isn't realistic,” it’s that the research could be flagged in a presentation about their organization’s security by healthcare executives, not necessarily the security team. When budgets are tight, fear-based attack scenarios can have board members pulling funds into major security projects that may not be the most pressing risk to the network.
“They might say, ‘Wow, that's really scary. We should prioritize addressing this, here's a budget to specifically address this thing because I don't want anyone messing with our patients’ infusion pumps’,” said Abed.
“Whereas, in reality, the money should be going to addressing their legacy infrastructure, routers, server appliances, and VPN vulnerabilities,” he added. “It’s these things causing the greatest risk. And some people will look at the messaging, not the research, then take action based on the hypothetical — and that's problematic.”
It’s these common security flaws being exploited in practice. Abed added that these narratives become a distraction because some executives don’t understand the correlation between VPN vulnerabilities and patient care, due the attacking the lowest-hanging fruit.
In the end, decision makers may end up spending money on something likely intangible, “while still being completely wide open to the most common and scalable attacks.”
If the narrative is still important to the vendor, he stressed that it still must be “contextually correct.” Because right now, it’s imperative that providers “get their house in order today,” especially if the ongoing targeting continues and healthcare continues to make these attacks easy.
“If you tell me that this medical device can be compromised, but as a point of lateral spread to infiltrate the rest of the network, I think that's compelling,” said Abed. “It's far more likely than someone trying to assassinate someone… a national security threat isn't targeting one person's pacemaker. It's not happening, which makes it not particularly compelling. It’s about scale.”
The research community does a great service, and should be supported particularly around infusion pumps, CT scanners, ultrasound machines, surgical robots, and other tools.
However, the disservice to healthcare comes from “the marketing side”, which may not have the experience to dictate how the research should be presented from a feasibility side in healthcare, he explained. Particularly when pitching to someone without healthcare experience, they could be setting up poor narratives that further distract from needed foundational security measures.