Talking about Cybersecurity Vulnerabilities in Medical Devices Shouldn’t be Taboo
by Nastassia Tamari, Director of Information Security Operations for BD
Nastassia Tamari, Director of Information Security Operations for BD
According to the National Vulnerability Database, 18,353 vulnerabilities were reported in 2020. That’s nearly three times the volume of vulnerabilities reported five years ago, and higher than any year in the previous two decades. Given the rise in connected devices, this increase is not entirely unexpected. If that’s the case, shouldn’t we be seeing more vulnerability disclosures related to medical devices?
The U.S. Department of Homeland Security Cybersecurity and Infrastructure Agency (CISA) publishes advisories for vulnerabilities in industrial control systems. Each advisory is given an identification number, which begins with the letters ICSA or—for vulnerabilities related to medical equipment—ICSMA. This helps the healthcare industry readily identify CISA advisories that apply to medical devices, and it also sheds light on how few medical device manufacturers have issued coordinated vulnerability disclosures with CISA in the last year. Although there are thousands of medical device manufacturers in the U.S., only eleven companies reported ICSMA vulnerabilities to the agency in 2020, according to the agency’s ICS-CERT Advisories list.