The entire healthcare industry is on a journey to continuously improve cybersecurity. In the United States, The Consolidated Appropriations Act, 2023 (“Omnibus”) took effect March 29, 2023, granting the U.S. Food and Drug Administration (FDA) the formal authority to ensure that medical devices brought to market meet certain cybersecurity requirements. These requirements include having a plan for monitoring, identifying, disclosing and addressing post-market cybersecurity vulnerabilities; having processes and procedures in place for providing product cybersecurity information, including updates and patches; and providing a software bill of materials (SBOM).[1] While these requirements apply to new pre-market submissions, they reflect the need for increased transparency across the industry.
At BD, our software development life cycle follows the BD Cybersecurity Framework and includes cybersecurity testing, code analysis and system hardening. However, designing products to be secure is only part of the solution. Cyberattacks are more coordinated and sophisticated than ever, and healthcare providers cannot protect patients from emerging vulnerabilities they do not know about. That is why every medical device manufacturer needs to establish a mature coordinated vulnerability disclosure program.
While BD welcomes vulnerability reports from customers, security researchers and third-party component vendors, it is more common for our internal teams to discover vulnerabilities associated with BD products. We use multiple methods, including vulnerability scanning, threat modeling and penetration testing, to uncover potential risks and vulnerabilities during the design process and throughout the software development life cycle. When new vulnerabilities are discovered, we issue coordinated vulnerability disclosures to empower our customers with information to help them guard against emerging cybersecurity threats—because transparency is a force multiplier. The more healthcare providers know about what types of attacks are possible, the more they can effectively prioritize risk mitigation.
BD was the first MedTech company to be authorized as a Common Vulnerabilities and Exposures (CVE®) Numbering Authority. When we uncover a new vulnerability in a BD product, we voluntarily report it to the FDA and the Cybersecurity and Infrastructure Security Agency (CISA). We also collaborate with CISA to prepare tandem coordinated vulnerability disclosures, which are then published to the BD Cybersecurity Trust Center and the CISA Cybersecurity Alerts and Advisories page. In the last five years, BD has published 16 coordinated vulnerability disclosures with CISA and 52 bulletins about vulnerabilities in third-party components not unique to BD products. We maintain this practice to maximize awareness of newly discovered vulnerabilities, as well as mitigations and compensating controls that can help BD customers reduce cybersecurity risks. We also share vulnerability disclosures with the Health Information Sharing and Analysis Center (H-ISAC). As vulnerabilities are remediated, we update the bulletins and our Product Security White Papers to share that information.
Threat actors are constantly trying to find new ways to exploit vulnerabilities in software-enabled devices. That is why transparency and collaboration are essential, especially in healthcare where cybersecurity can impact patient safety and privacy. Vulnerability disclosure is a sign of maturity and sophistication in an organization’s cybersecurity practices. It is also an expectation of customers, patients and regulators. BD has a history of paving new roads in healthcare, and we are proud to have led the way with coordinated vulnerability disclosures, helping customers manage potential cybersecurity risks through awareness and guidance.
[1] Cybersecurity in Medical Devices Frequently Asked Questions (FAQs). U.S. Food and Drug Administration (FDA). https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity-medical-devices-frequently-asked-questions-faqs. Published on March 29, 2023. Accessed on May 4, 2023.