[BreachExchange] Is the FDA’s cybersecurity guidance improving cyber resilience?

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jul 5 19:22:30 EDT 2016


http://www.securityinfowatch.com/article/12224734/is-the-fdas-cybersecurity-guidance-improving-cyber-resilience

While politicians and security experts are constantly warning about the
risk of cyber-attacks, they rarely, if ever, mention the risks associated
with the Internet of Things (IoT). This is especially relevant for medical
devices, which are part of the IoT ecosystem and have become a lucrative
target for hackers. Due to a general lack of cybersecurity hygiene in
healthcare and the growing number of electronic health record exfiltration
incidents, the U.S. Food and Drug Administration (FDA) issued a Draft
Cybersecurity Guidance (Post-Market Management of Cybersecurity in Medical
Devices) in January 2016. It outlines more concrete requirements for
assessing the security of connected medical devices. The big question that
remains is whether the proposed guidelines can truly improve cyber
resilience.

A growing number of medical devices are designed to be networked to
facilitate patient care. These devices, like other networked IT systems,
incorporate software that may be vulnerable to cybersecurity threats. While
the increased use of Internet technology and software in medical devices
increases the risks of potential exploitation, these same features also
improve healthcare and increase the ability of healthcare providers to
treat patients. Obviously, protecting patient safety and promoting the
development of innovative technologies has become a delicate balancing act
in today’s dynamic threat landscape.

This holds especially true in light of an advisory that the U.S. Department
of Homeland Security issued in March 2016. It warned of more than 1,400
cybersecurity vulnerabilities in third-party software used in CareFusion's
Pyxis SupplyStation, an automated, networked supply cabinet used to store
and dispense items ranging from disposable gloves to artificial implants.
This is just one of many examples that illustrate the risks posed by
vulnerabilities in medical devices. If exploited, these vulnerabilities
could lead to physical harm through a cyber-attack. Thus, a scenario
whereby a high-ranking politician’s health can be attacked without even
drawing a gun is no longer the plot of a science-fiction thriller, but
rather has become reality.

The FDA’s Draft Cybersecurity Guidance was created to encourage medical
device manufacturers to implement a Cyber Security Risk Management Program
to help identify and remediate vulnerabilities in their devices. The
guidance applies to all medical devices that contain software (including
firmware) or programmable logic, and software-based medical devices.

As a result of this guidance, medical device manufacturers must rethink
their current product development practices and embed not only automated
vulnerability testing into their processes but also invest in running
manual penetration tests to mimic potential cyber-attacks. Offloading these
tasks to the end user community, as was commonly done in the past, is no
longer acceptable. While this adds cost to the manufacturing process, it is
a necessary evil and a potential product differentiator among the medical
device vendors.

While manufacturers should incorporate controls in the design of a product
to help prevent cyber risks, it is essential that they also consider
improvements during device maintenance, since new threats may arise at any
point in a device’s lifecycle. There have been numerous cyber-attacks that
injected malware during the firmware update process, and not as part of the
original software load. Once medical devices have been deployed in the
field, manufacturers should adopt the following best practices:

- Apply the National Institute of Standards and Technology (NIST) Framework
  for Improving Critical Infrastructure Cybersecurity, which covers the core
  principles of “Identify, Protect, Detect, Respond, and Recover;”
- Leverage external threat information sources to identify cybersecurity
  vulnerabilities and imminent risks;
- Participate in industry-specific Information Sharing and Analysis
  Organizations such as the National Health Information Sharing and
  Analysis Center (NH-ISAC) to gain access to early warning indicators;
- Continuously assess and detect the presence and impact of vulnerabilities;
- Adopt a coordinated vulnerability disclosure policy and practice; and
- Define playbooks and mitigation actions that address cyber risk early and
  prior to exploitation.

While the FDA Draft Cybersecurity Guidance is tailored towards medical
device manufacturers, the end user community, namely hospitals and other
healthcare facilities, should share the responsibility for identifying,
prioritizing, and remediating cyber risks that threaten interconnected
medical devices. They should follow the same best practices to mitigate any
threats to patient safety and public health.

While the FDA guidance provides some valuable building blocks for
implementing better cybersecurity practices, it is not a silver bullet for
preventing cyber-attacks and data breaches. In this context, some security
experts have criticized the FDA for issuing public statements that call
attention to the severity of device security, yet doing little to enforce
safety practices among manufacturers. That’s because the guidance is not a
regulation that provides incentives or imposes penalties for failure to
follow the proposed best practices.

Furthermore, it’s important to recognize that guidelines and regulations
are static by nature and therefore must evolve to adapt to morphing
threats. In practice, regulatory compliance moves far too slowly to keep up
with cyber-attackers. Guidelines can also expose holes in proposed
measures, which attackers can use as a blueprint to formulate their attack
strategy.

Ultimately, proper security measures and best practices are just one part
of the solution. One of the biggest challenges facing organizations is
making sense of the sheer volume, velocity, and complexity of security data
to detect a cyber-attack. The Target breach was a good example, where an
IoT device was the originating attack vector. Although best-of-breed
technology was in place and able to detect the intrusion early on, the
alerts were buried in a sea of intelligence feeds. This prevented the
security team from connecting the dots and responding in a timely fashion.
Instead, a third party reported the stolen data had been posted on the
Internet and exposed the breach.

Without automation, it can take weeks, months and even years to perform
risk analysis and piece together an actionable security assessment in big
data environments. Finding ways to use technology to overcome the lack of
human resources needed to extract intelligence from security feeds and
respond in a timely fashion should remain a focal point for organizations.
In this context, the FDA Draft Cybersecurity Guidance is an important
building block, but still just the first step towards implementing
operationalized defenses against cybersecurity risks.