Guest Column | February 3, 2016

Medtech Cybersecurity: 6 Elements Of An Effective Responsible Disclosure Policy


By Stephanie Domas, Battelle

What does responsible disclosure mean for the medical device industry? Manufacturers of connected devices will soon find out.

Earlier this year, the FDA released its guidance Postmarket Management of Cybersecurity in Medical Devices, which strongly recommends adoption of a corporate responsible disclosure policy as a security practice for all manufacturers. Here’s what you need to know to be prepared for the new guidelines.

What Is Responsible Disclosure?

Responsible disclosure policies have long been common in the software industry. In a nutshell, a responsible disclosure policy tells cybersecurity researchers and “white hat” hackers that, if they find a cybersecurity vulnerability in your device, they can tell you about it without fear of legal reprisals.

Why should you let anyone get away with trying to reverse engineer your device? Encouraging hacking may sound like a bad idea but, in actuality, it allows your company to benefit from the expertise of professional researchers and curious amateurs who are devoting time to increase the security of the entire industry. These dedicated outsiders sometimes find code or hardware vulnerabilities that your internal team has missed. This service has proven so valuable in the software industry that companies like Google and Facebook actually pay a “bug bounty” to hackers or researchers who report a previously unidentified problem with their code.

Responsible disclosure policies also give you more control over the information flow in the event a security vulnerability is discovered. Most discoverers are well-meaning, and in the medical device world especially, many of them are professional security researchers. A responsible disclosure policy lets them know that you will investigate their report and take action if needed. Frustrated researchers who encounter a hostile or impenetrable organization when they try to report a vulnerability that puts patients or data at risk are likely to make a much more public announcement instead.

Now, responsible disclosure is coming to the medical device industry. In August 2015, the FDA updated its recognized consensus standards to include two standards related to responsible disclosure — ISO/IEC 29147 and ISO/IEC 30111 — emphasizing the issue’s importance for medical device manufacturers. ISO/IEC 29147 relates to setting up the disclosure process. ISO/IEC 30111 involves internal processes for responding to vulnerabilities once they are known.

More Than A Website And An Email Address

Many medical device companies have already started to think about responsible disclosure. Some have even posted disclosure instructions on their website, which is a good first step. But a true responsible disclosure policy requires much more than a link on your website for potential reporters. An effective responsible disclosure policy has several elements:

  1. A public statement of your disclosure policy, located where potential reporters can find it. Your policy should include clear instructions for how to report a vulnerability, plus any guidelines you want reporters to follow in classifying or describing the vulnerability. You may or may not want to include a reward program; while these are common in the software industry, it is not yet an expectation in the medical device cybersecurity community. For examples of public vulnerability disclosure statements, check out the Google Vulnerability Reward Program, Sony’s secure@sony program, and Apple’s security policy. Some companies, like Snapchat and ToyTalk (the company that provides the brains to Hello Barbie), are proactively engaging with the cybersecurity research community through organizations like HackerOne, a centralized vulnerability management and bug bounty platform sponsored by Facebook, Microsoft, and Google.
  2. Established internal processes for how disclosures will be addressed when they are received. This is the area where many companies’ disclosure policies start to break down. Your policy needs to clearly define who is responsible for monitoring your disclosure email address or web form, who will respond to the reporter, and what form that response will take. How will you engage with the reporter once you have received the report? You also need to define your internal communication processes. How will sensitive information be routed through the organization? Who must see the initial report, and who else is allowed to see the report? Who is ultimately responsible for evaluating and escalating the issue?
  3. A system for evaluation of the potential threats and consequences. Does the vulnerability present an immediate danger to patient health or safety? Does it expose patient data? Does it allow hackers to break into hospital networks? What is the likelihood that others will find and exploit the vulnerability? Understanding the potential risks is critical in order to determine the appropriate response. Some vulnerabilities have few, if any, significant consequences, and may not require immediate action. Others may be serious enough to warrant an immediate recall. A systematic approach to threat assessment and risk evaluation can make these decisions easier.
  4. A mitigation strategy. Once a vulnerability has been exposed and the risks assessed, you will need to determine what to do next. Can the software be fixed with a patch? Is there a physical fix that needs to happen on the device itself? Make sure you have a clear policy on how these decisions will be evaluated and made, and who is ultimately responsible for implementing any necessary remedy.
  5. Guidelines for external communications. Some types of vulnerabilities may present you with a legal — or at least ethical — obligation to communicate the findings with customers and/or end users. In other cases, making the vulnerability public may actually increase risks. How will your company make these communication decisions, and who is responsible? Your communication guidelines for device safety may give you a good framework for developing your security communication guidelines.
  6. An internal commitment to the principles of responsible disclosure. That commitment means that everyone, from the engineers to the legal department, understands and buys into the idea that well-meaning disclosers will not be prosecuted for reverse engineering or hacking your device.

Staying Ahead Of Cybersecurity Guidelines

As medical devices become ever more connected, we can expect that cybersecurity issues will continue to be on the FDA’s radar. Following these steps should help to put you ahead of the game as guidelines and regulations evolve.

If you don’t have cybersecurity expertise in house, it’s a prudent step to engage outside help when developing your responsible disclosure policy. Cybersecurity experts, including Battelle, can help you develop a clear framework for evaluating risks and developing mitigation strategies. They can also share best practices for responsible disclosure.

With FDA guidelines published, now is the time to start evaluating your cybersecurity policies and processes. It’s the responsible thing to do.

About the Author

Stephanie Preston-Domas is lead security engineer for Battelle DeviceSecure Services. She has expertise in firmware reverse engineering (x86, x86_64, MIPS, 8051), penetration testing and application fuzzing, as well as application development (C/C++). Preston contributed to the IEEE guidelines for security in medical device software development and production, a step toward industry standards that will systematically secure medical devices. She is a registered professional engineer (PE) in the state of Ohio and a certified ethical hacker (CEH). She has been published and widely quoted on medical cybersecurity topics and has spoken at events for MassMEDIC, Neurotech Leaders Forum, and AdvaMed. She also serves as an adjunct faculty member at the Ohio State University College of Computer Engineering.