Medical Vulnerability Management and Common Weakness(s) – The Right Security
January 26, 2021 • RBS
Steve Christey Coley, well-known as the co-creator and editor of CVE, joins Jake Kouns, CEO and CISO at RBS, to talk about medical vulnerability management and the distinctive features of medical device security.
Healthcare was the most victimized sector in 2020, accounting for 12.3% of reported breaches according to the 2020 Year End Data Breach QuickView report. Throughout the pandemic hospitals and medical facilities have been the target of ransomware gangs, posing a massive problem for patients and healthcare administrators.
Unlike other industries, vulnerability management for healthcare organizations isn’t as simple as scanning and patching. Due to the complexity of medical devices, some organizations have limited visibility of vulnerabilities, and lack the ability to fix or patch them. To make matters worse, running vulnerability scans can create outages or slow-downs that can put lives at risk. What can healthcare organizations do to protect themselves against adversaries that are bent on attacking them?
Show Notes
0:00 – Welcome and speaker introductions
1:59 – Recap of 2016 talk “Toward Consistent, Usable Security Risk Assessment of Medical Devices” from Steve Christey Coley
9:43 – Changes in risk assessments for medical devices since 2016
13:07 – Differences in medical device security and why other industry standards like CVSS can’t be used for medical device security
16:08 – Malware and ransomware targeting hospitals
20:37 – Lack of visibility or ability to patch medical devices
25:14 – Terminology and Cyber Physical Systems
27:56 – Common Weakness Enumeration
30:42 – CWE Top 25 analysis and report
35:50 – Updates on the Common Weakness Scoring System (CWSS) and the Common Weakness Risk Analysis Framework (CWRAF)
39:34 – Impact of cancelled in-person events on diversity in the security industry
44:02 – Tips for medical providers starting a risk-based vulnerability management program
Further Reading:
- RVASec 2016 talk “Toward Consistent, Usable Security Risk Assessment of Medical Devices” from Steve Christey Coley
- A Trickbot Assault Shows US Military Hackers’ Growing Reach
- 2020 CWE Top 25 Most Dangerous Software Weaknesses
- 2020 CWE Top 25 Analysis
- Rubric for Applying CVSS to Medical Devices
The Right Security
This is the latest in our video series The Right Security, in which we talk with leaders and veterans in the security industry, tackling the biggest issues impacting organizations today.
Check out The Right Security series on YouTube, and subscribe to the Risk Based Security channel to see new episodes in your feed.