Davey Winder: Medical device vulnerability scoring flaws put patients’ lives at risk

  • 27 August 2019

In his latest column for Digital Health News, our cyber security specialist, Davey Winder, explores the complicated world of security rating systems for medical device vulnerabilities.

In July, Digital Health reported how medical tech outfit Medtronic had identified a vulnerability in some of its insulin pumps.

“The vulnerability allows a potential attacker with special technical skills and equipment to potentially send radio frequency signals to a nearby insulin pump to change settings, impacting insulin delivery,” a Medtronic statement confirmed.

Given that a change in reported insulin levels could lead to the wrong dose being administered, and that could lead to diabetic coma and even death, you’d probably be surprised to learn that this vulnerability, CVE-2019-10964, was only given a medium Common Vulnerability Scoring System (CVSS) rating of 5.8.

Dangerously flawed system

It doesn’t surprise healthcare cybersecurity specialists CyberMDX though. CyberMDX researchers recently found vulnerabilities in another drug infusion pump and an anesthetic machine.

The infusion pump vulnerability allowed threat actors to access the device monitoring and event logs but posed no actual harm to patients. It was given a high CVSS rating of 7.3, while the anesthetic machine vulnerability, rated at just 5.3, could be used to change the composition of the aspirated gases and as such directly affect patient safety.

I’ve been speaking to Elad Luz, head of research at CyberMDX, who argues with some merit that the current CVSS rating system is dangerously flawed as far as the health sector is concerned.

“The current paradigm for scoring vulnerabilities is based on a scenario where loss of life or patient harm as a result of exploitation is not calculated,” Luz explains.

“Among other factors, the scoring system was designed to measure the level of penetration into the network and effectiveness of the hack itself, but when it comes to vulnerabilities impacting medical devices, the stakes are far greater.”

Unfit for purpose?

He’s not wrong either, and to the casual observer (or even a security geek like me), the rating system appears to be unfit for purpose where medical device vulnerabilities are concerned.

“The scoring rubric must be adjusted in order to take the potential effect on a patient’s life into consideration,” Luz insists.

“As any system lacking that factor is based on an outdated methodology and prevents the regulatory bodies and medical professionals from prioritizing vulnerabilities properly.”

Internet of Medical Things

The whole issue becomes even more serious when you understand just how far the Internet of Medical Things (IoMT) is dragging its feet as far as cybersecurity standards are concerned. The whole Internet of Things (IoT) landscape is littered with unpatched vulnerabilities of course, but within the health setting an added urgency is apparent.

“Thankfully, the gap in device scoring has started to garner some attention within the cyber, medical and regulatory communities,” according to Luz.

He also told me that he expects new initiatives to take form in order to “address the shortcomings of medical device scoring” and that “all parties involved must work together to correct the current issues”.

Pace of change – slow but necessary

Of course, adjusting the CVSS rating system to acknowledge the impact on life, and potentially death, in the medical devices sector isn’t going to happen overnight.

The pace of change when it comes to such standards is traditionally painfully slow. Yet the pace of change in how healthcare is being delivered is, as Luz concludes, “developing quickly and opening up too many gaps to ignore it”.

But change it must. The impact of making a statement about how the often “just for security geeks” world of vulnerability scoring does have real-life consequences will hopefully be felt by device manufacturers and healthcare providers alike.

Perhaps, as a stopgap solution, NHS Digital could act as piggy-in-the-middle, catching the vulnerability ball and making sure it gets thrown in the direction of a more patient health-oriented severity rating?

What will be enough for change to happen?

I appreciate that the naysayers will argue that there haven’t been any real-world exploits of these various medical device vulnerabilities, at least none that we know about. As such, they will conclude, the severity ratings are just fine and dandy.

There are two things wrong with this assumption: not having been exploited is not the same as cannot be exploited, and there is always going to be a first time.

If that first time happens to exploit a low severity rated vulnerability and ends up with a patient losing their life, will that be enough to change opinion?

Both Elad Luz and I sincerely hope that isn’t the catalyst for change that is needed.


1 Comment

  • There are vulnerabilities in most IoT devices and since Mr Hancock is saying that all NHS stuff will be internet based, this is a serious issue, as Davey says. The uncritical adulation and blind implementation of all internet connected technology without risk assessments is madness.
