Posted 05 April 2016 | By Michael Mezher

A prominent cybersecurity researcher says the US Food and Drug Administration (FDA) needs to "buckle down" and regulate medical device cybersecurity more firmly.

The warning comes after the US Department of Homeland Security (DHS) issued an advisory last week warning of more than 1,400 cybersecurity vulnerabilities found in third-party software used in CareFusion's Pyxis SupplyStation, an automated, networked, supply cabinet used to store and dispense supplies ranging from disposable gloves to artificial implants.

The vulnerabilities were identified by independent cybersecurity researchers Mike Ahmadi and Billy Rios using a copy of the Pyxis SupplyStation's firmware, or the software used to run a product's hardware and systems, that Rios obtained. According to the advisory, the vulnerabilities expose six versions Pyxis SupplyStation systems running Microsoft Windows Server 2003/XP to remote attacks using readily available exploits.

Critique

Ahmadi has been vocal in his criticism of FDA's handling of device cybersecurity, and told Focus he believes the agency should impose stricter requirements on manufacturers.

"What are you going to do when all of a sudden you're hit with 1,400 vulnerabilities for one product," Ahmadi said. "The main reason why I gave this to the FDA was not to really create a big CERT [Computer Emergency Readiness Team] disclosure, but it was because I really wanted to point out to the FDA that their regulatory approach to cybersecurity was highly inadequate … I wanted to hit them with a really big number."

The disclosure signaled a tide-change to Ahmadi, who told Focus that CareFusion's response to the disclosure was a "huge show of leadership," in contrast to previous high-profile vulnerability disclosures, such as the recent disclosure for Hospira's PCA infusion pump.

Recently, some device manufacturers have taken steps to be more forthcoming with cybersecurity issues, with many, including CareFusion, creating dedicated landing pages with dedicated contacts for reporting cybersecurity issues.

When reached for comment, CareFusion spokesman Troy Kirkpatrick responded to Ahmadi's statement saying: "We have worked hard over the past few years to take a leadership position on product security. We understand this is an important issue for the healthcare industry and our customers."

Kirkpatrick's statement echoes statements made by Roberto Suarez, a product security expert at Becton Dickinson, which bought CareFusion in 2015. During FDA's public workshop on medical device cybersecurity in January, Suarez spoke about fostering a positive culture around cybersecurity, saying his "goal is to build a community for product security [and] a culture where we demystify security issues to developers and have them embrace this change."

Pyxis Vulnerabilities

While the Pyxis SupplyStation is not regulated as a medical device by FDA, it has many parallels to networked medical devices used in a hospital setting.

CareFusion says that all 1,418 of the known vulnerabilities were found in seven third-party software applications used in older models of the Pyxis SupplyStation, including Windows XP and Symantec pcAnywhere 10.5.

Ahmadi says the vulnerabilities come as no surprise, as Microsoft stopped patching security vulnerabilities in Windows XP in 2014.

Roughly half of the vulnerabilities are classified as "high severity" based on DHS's National Vulnerability Database Common Vulnerability Scoring System (NVD CVSS), which provides a ranking system for vulnerabilities based on a zero to 10 scale. Ahmadi said that a vulnerability in the seven to 10 range represents a vulnerability that would be "trivial" to exploit.

According to CareFusion, the vulnerabilities "represent little or no risk to patient safety," and that the risks posed can be mitigated by taking "defensive measures to minimize the risk of exploitation."

However, Ahmadi's concerns go beyond the Pyxis SupplyStation. The issue, Ahmadi said, is that as long as devices are networked together, a vulnerability in one could make it easier for an attacker to access other devices within a trusted network. "If I'm in this device I could potentially access every device it's connected to," he said.

Additionally, Ahmadi pointed out that many other devices run the same third party software as the Pyxis SupplyStation, which makes them susceptible to the same vulnerabilities.

Because the affected versions of the Pyxis SupplyStation are end-of-life, CareFusion says it will not be releasing a patch, and instead is recommending customers either upgrade to newer versions of the device or implement "compensating security mitigations" for older versions.

For legacy systems that remain in operation, CareFusion says customers should isolate the systems from the internet and any untrusted systems and using a virtual private network (VPN) whenever online connectivity or remote access is required. Additionally, CareFusion says customers should monitor all traffic to the affected devices, close off any unused communication ports and use a firewall to separate the systems from the customer's business network.

When asked whether he thinks CareFusion's recommendations are adequate to mitigate risks posed by the vulnerabilities, Ahmadi agreed, saying that isolating the devices and restricting network access could protect from malicious attacks.

Vulnerability Disclosure

Vulnerability disclosures such as this raise an important question about the safety and security of medical devices, especially older, networked devices that may continue to be used long after their manufacturers provide support for them.

According to Ahmadi, he and Rios discovered the vulnerabilities in the Pyxis SupplyStation while testing a vulnerability detection tool called AppCheck. "We were essentially testing out the tool," Ahmadi said, adding that they found "a huge number of vulnerabilities" in other software they checked.

How such vulnerabilities are disclosed has been a contentious issue between industry, the cybersecurity research community and federal agencies, such as DHS and FDA.

With some disclosures, device manufacturers have been reluctant to engage with cybersecurity researchers, while with others, cybersecurity researchers have disclosed vulnerabilities without reporting them to the manufacturer first.

In this case, Ahmadi said he reported the vulnerabilities he and Rios discovered directly to FDA last summer. One of the reasons Ahmadi said he went directly to FDA is that several years prior he had tried to talk to CareFusion on an unrelated matter, but was given the runaround by the company.

From there, FDA reported the vulnerabilities to DHS, which is the lead agency handling cybersecurity through its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). At that point, the disclosure process was between CareFusion and ICS-CERT.

During the process, Ahmadi said he was contacted by ICS-CERT, who informed him that CareFusion had confirmed the vulnerabilities and was voluntarily coming forward to acknowledge them in five additional models.

This took Ahmadi a little bit by surprise, "A lot of times one of the first things we see is many vendors will be in denial and try to downplay [the vulnerabilities]," he said, adding that CareFusion was "very collaborative, very cooperative."

Cybersecurity and Medical Devices

When asked about who should be responsible for ensuring the security of older devices, Ahmadi said much of the onus should fall on the end-users.

"When you buy a car, it's an expensive thing and there's a warranty period on it. [The manufacturer] says the emissions system will not pollute the environment, but cars sometimes last much longer than the warranty period ... If I choose to use the car after that I have to get it smogged and pass an emissions check," he said.

"I think it's reasonable for a medical device manufacturer to have a stated end-of-life for a medical device, and have a stated end-of-life for cybersecurity for the devices," he added.

FDA and Cybersecurity

In recent years, FDA has placed a growing emphasis on medical device cybersecurity. In January, the agency finalized its guidance for premarket device cybersecurity considerations and issued a new draft guidance discussing its expectations for postmarket cybersecurity measures.

However, Ahmadi said he believes the agency's postmarket device cybersecurity guidance gives manufacturers too big of an out for reporting vulnerabilities. According to the guidance, manufacturers can avoid reporting vulnerabilities if:

There are no known serious adverse events or deaths associated with the vulnerability, Within 30 days of learning of the vulnerability, the manufacturer identifies and implements device changes and/or compensating controls to bring the residual risk to an acceptable level and notifies users, and The manufacturer is a participating member of an [Information Sharing and Analysis Organization] ISAO, such as [National Health Information and Sharing and Analysis Center] NH-ISAC.

Ahmadi said he believes FDA should require manufacturers to go beyond just being members of an ISAO, and should require active participation.

ICS-CERT Advisory, CareFusion