What Oracle, Medical Device Makers Have in Common
Both Seem Annoyed by Security Flaws Discovered by Third Parties
The outrage directed at Oracle Corp.'s chief security officer on social media and elsewhere after a recent blog post in which she scolded customers and third-party researchers who "reverse engineer" or scan Oracle products to look for security flaws had a familiar ring. Healthcare security experts tell me some medical device makers appear similarly oblivious when it comes to the cybersecurity of their products.
For instance, the FDA recently issued an advisory - for the first time ever - urging healthcare organizations to basically pull the plug on a line of infusion pumps from medical device maker Hospira after independent researchers discovered vulnerabilities in those devices that could allow an unauthorized user to control the device and change the dosage of medication the pump delivers (see FDA: Discontinue Use of Flawed Infusion Pumps).
The FDA said neither it nor Hospira was aware of any patient adverse events or unauthorized access of the Symbiq infusion system in a healthcare setting. However, some cybersecurity experts believe that the unusual warning from FDA urging Hospira customers to transition to other infusion pumps reflected the agency's exasperation after Hospira acted much too slowly to fix similar flaws that researchers reported about other Hospira products more than a year ago (see FDA: Infusion Pumps Have Vulnerabilities).
In a statement released at the time FDA issued its latest warning, Hospira said it "has been actively working with the DHS and the FDA regarding reported vulnerabilities to potential illegal cyberattacks on our infusion pumps, including specific vulnerabilities regarding the Symbiq infusion pump." Hospira tells me that, looking ahead, "in alignment with Hospira's cybersecurity roadmap, we've designed our next-generation infusion systems with enhanced network security protections in place." The company didn't immediately respond to my inquiry about how security protections are being enhanced.
Why the Delay?
I think some medical device manufacturers are as annoyed by independent researchers, such as Billy Rios - who found the Hospira bugs - as Oracle is by customers and other third parties who dissect software products looking for security problems.
Rios says he privately reported Hospira product vulnerabilities to the vendor, as well as the Department of Homeland Security and the FDA, more than a year ago. But then another independent researcher found similar issues, and went public, resulting in DHS and FDA issuing advisories in May for the healthcare sector. Last month, the FDA took the extraordinary step of telling hospitals and clinics to stop using another line of Hospira devices, the Symbiq infusion pumps, due to similar problems and replace them with something else.
Rios believes the FDA eventually will issue similar warnings about other devices from Hospira and possibly other vendors. "Hospira has still not provided a list of all affected products; all the data thus far has come from cybersecurity researchers," Rios told me.
Besides the apparent reluctance to fix bugs found in specific products by researchers, some medical device makers are also slow to address problems that are discovered in the third-party operating systems many of these products use. The medical device makers often claim they can't fix those problems because of FDA product review rules.
"FDA has said to medical device manufacturers, 'security patches - you don't have to go back and re-verify your products with us - just fix it,'" says Cris Ewell, CISO at Seattle Children's Hospital. But once a vulnerability is found, "it takes six months to a year to get a patch" from the medical device maker, he says. "That's not acceptable."
Until the FDA issues more cyber-related warnings about specific devices, healthcare entities should consider taking several steps to safeguard their patients, and their other systems, from cyber-risks.
"In the short term, CIOs need to build 'zero day' defenses, creating an electronic fence around vulnerable devices," writes John Halamka, CIO of Beth Israel Deaconess Medical Center, in a recent blog post, in which he expressed frustration about how some medical device makers handle cybersecurity issues.
But medical devices makers also need to be much more proactive, Halamka says. That includes manufacturers promptly updating their products, such as by issuing patches, and designing medical devices from the ground up with security as a foundational component, he says.
"Over the past few years, I've asked medical device manufacturers to give me a precise map of the network ports and protocols used by their devices so that I can build a 'pinpoint' firewall - only allowing the minimum necessary transactions from/to the device. Many manufacturers do not seem to know the minimum necessary communication requirements for their products," Halamka writes.
"My advice, after securing your own perimeter - get the CTOs of your medical devices on the phone and ask them for their security roadmap. If they do not have one, plan to change your vendor. We're already doing that with some devices because attention to this issue by some manufacturers has been insufficient."
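The "pinpoint" firewall Halamka describes is, in practice, a default-deny rule set built from the vendor's communication map. The script below is an added example, not code from the article, from Halamka, or from any device vendor: it takes a constructed map of the flows a hypothetical device is documented to need (direction, protocol, peer, port) and emits an nftables ruleset that permits only those flows and logs everything else. The device address, peers and ports are placeholders; a real map comes from the manufacturer.

```shell
#!/bin/sh
# Added example: generate a default-deny "pinpoint" nftables ruleset for one
# medical device from its documented communication map.
#
# Map line format (one flow per line):
#   direction proto peer port
#   outbound  = the device initiates a connection to peer:port
#   inbound   = peer initiates a connection to the device on port
# All addresses, ports and peers below are constructed placeholders.

DEVICE_IP="${DEVICE_IP:-10.20.30.40}"   # placeholder: the device's address

# Constructed sample map: what the (hypothetical) vendor says the pump needs.
DEVICE_MAP='outbound tcp 10.20.1.5 2575
outbound udp 10.20.1.10 123
inbound tcp 10.20.1.20 22'

# pinpoint_rules DEVICE_IP  (communication map on stdin)
# Prints an nftables table: forward chain with policy drop, one accept rule
# per documented flow, and a logged drop for anything not on the map.
pinpoint_rules() {
    dev="$1"
    echo "table inet pinpoint {"
    echo "  chain forward {"
    echo "    type filter hook forward priority 0; policy drop;"
    # Return traffic for already-permitted connections.
    echo "    ct state established,related accept"
    while read -r dir proto peer port; do
        [ -z "$dir" ] && continue
        case "$dir" in
            outbound) echo "    ip saddr $dev ip daddr $peer $proto dport $port accept" ;;
            inbound)  echo "    ip saddr $peer ip daddr $dev $proto dport $port accept" ;;
            *) echo "unknown direction: $dir" >&2; return 1 ;;
        esac
    done
    # Anything not listed is logged, so gaps in the vendor's map show up
    # in the firewall log instead of silently breaking (or silently passing).
    echo "    log prefix \"pinpoint-drop \" drop"
    echo "  }"
    echo "}"
}

# Usage: write the ruleset to a file for review before loading it with nft.
echo "$DEVICE_MAP" | pinpoint_rules "$DEVICE_IP"
```

Because the chain's policy is drop and every unlisted packet is logged before it is dropped, the firewall log doubles as a check on the vendor's map: a recurring "pinpoint-drop" entry to a peer the vendor never mentioned is exactly the missing "minimum necessary communication requirement" Halamka complains about, and it can be raised with the manufacturer rather than guessed at.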
Source of Frustration
As for Oracle, the alleged flaws found by independent researchers who use vulnerability-scanning tools - or by customers who apparently break the rules of their end user license agreements by "reverse engineering" the company's software - are no doubt frustrating and expensive to chase, especially because Oracle's CSO says most of those purported problems are false alarms.
And perhaps some medical device makers view third-party cyber flaw discoveries as annoying for similar reasons. But unlike Oracle, medical device makers have a lot more at stake: Patients' lives are potentially in danger if hackers decide to mess around with unpatched flaws.
So, medical device makers, it's time to get going. Either design your products with cybersecurity in mind, or be prepared to take prompt action when others find your mistakes.