In any other industry, security and IT teams that recognize IoT device vulnerabilities, exploits, or open attack paths can simply remove those devices from their networks. Within healthcare delivery organizations (HDOs), this isn’t always possible. Patient care takes priority, and deservedly so. Internet of Medical Things (IoMT) devices and equipment provide crucial functionality, from health diagnostics and monitoring to other essential—and potentially life-saving—services. Security teams face the critical task of ensuring safeguards can still protect those devices from breaches. Failure to do so risks severe penalties from financial, legal, and regulatory compliance perspectives. Worse, it can put patients’ lives at risk.
To quickly put the scale of this challenge in perspective, consider Tufts Medicine, a hospital system with 116 hospital beds and more than 21,000 active IoMT devices. Due to the essential nature of IoMT functionality, devices see long-term use and fleets are heterogeneous. Tufts’ security team is tasked with protecting thousands of different IoMT device models from hundreds of different manufacturers, many of which remain in clinical operation and include older devices whose manufacturers do not provide regular cybersecurity updates.
At the same time, findings from the FBI Cyber Division warn that the average IoMT device has 6.2 vulnerabilities[i] (and 53% of devices have active critical vulnerabilities). Unfortunately, most security teams working to address those myriad risks can only remediate 5-20% of known vulnerabilities each month[ii]. Meanwhile, new vulnerabilities are discovered constantly.
HDO security and IT teams face tens or even hundreds of thousands of device vulnerabilities that may be ripe for intrusion, but have limited resources to address them. Given the difficulty of this challenge, the ability to accurately and efficiently prioritize vulnerabilities by risk is the only path to effective IoMT security.
Understanding the EPSS framework
The non-profit Forum of Incident Response and Security Teams (FIRST)[iii] operates two highly valuable frameworks. While HDO security teams are responsible for addressing thousands of vulnerabilities, attackers are most likely to utilize only a fraction of the most opportune exploits available to them. Understanding how to best take advantage of the FIRST frameworks enables HDOs to prioritize the vulnerabilities that are most dangerous and carry the biggest practical risk of exploitation.
The initial FIRST framework is the Common Vulnerability Scoring System (CVSS)[iv], a widely used standard that formally analyzes the technical characteristics of a vulnerability and provides a score (0-10) representing its severity. This scoring warns security teams of the worst-case impact they can expect from a particular vulnerability, based on its intrinsic characteristics and analyst and vendor findings.
The second and newer FIRST framework, and the one I’ll focus on, is the Exploit Prediction Scoring System (EPSS)[v]. This framework goes a major step further by assessing the practical likelihood of attackers exploiting a vulnerability. EPSS effectively tells HDO security teams which vulnerabilities to target first for remediation with their finite time and resources.
EPSS offers two core metrics. The EPSS probability score is the estimated probability that attackers will exploit a vulnerability within the next 30 days. EPSS also puts that probability into perspective with a percentile score, indicating where the vulnerability’s probability of exploitation ranks among all scored vulnerabilities.
How EPSS works
EPSS is a predictive analytics model that weighs available technical information, vulnerability data, and threat intelligence to produce and update scoring. EPSS uses data from MITRE’s CVE List, CVSS base scores published in the National Vulnerability Database (NVD), and vendor information available in the NVD. To recognize attacker exploit intent and activity, EPSS leverages open source threat intelligence including: published exploit code in Metasploit, ExploitDB, and GitHub; public data from security scanners Jaeles, Intrigue, Nuclei, and sn1per; and observations by AlienVault and Fortinet.
How to Think About EPSS
The IoMT threat landscape shifts rapidly. Attackers develop new approaches, new exploit kits become available, and different vulnerabilities simply fall in and out of focus. HDO security teams must dynamically adjust their prioritizations accordingly to optimize their limited time and budget.
EPSS offers a helpful start in shaping a clear, data-driven strategy for maximizing IoMT security efficiency. That said, EPSS was created with threats to traditional network devices in mind, and there are limitations for security teams tasked with protecting IoMT devices. For this reason, EPSS should serve as just one component of a comprehensive strategy in IoMT security deployments, not as a standalone plan. EPSS does not—and cannot—give a single score that represents the risk faced by a specific device with a particular configuration deployed in a specific network topology, all of which influence the true risk faced by a user.
Teams should adopt a standardized cybersecurity framework, such as the NIST Cybersecurity Framework[vi], to ensure they have proven measures in place for identifying and mitigating risk on all fronts. Security teams should also utilize a passive scanner to detect and inventory IoMT devices continuously in real time, assess vulnerabilities and risks, and identify anomalous behavior the moment it begins. Even so, EPSS’s forward-looking approach has been a welcome addition to the cybersecurity data available to defenders worldwide.
Within this comprehensive approach, security teams can utilize EPSS and CVSS as part of their internal risk assessments, weighing the probabilities that attackers will target specific vulnerabilities and the potential impact of such attacks on data and patient care. Teams should also assess their device fleets through an EPSS lens to examine how many of their devices feature particular vulnerabilities, and include the goal of securing as many devices as possible in their prioritization strategies.
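As an added illustration (not code from the original article), the following Python script applies the two EPSS metrics described earlier, the 30-day exploitation probability and the percentile, to a constructed IoMT inventory, combines them with CVSS severity, and ranks each CVE by how many fleet devices it is expected to affect. The CVE ids, scores, device names and triage thresholds are all made up for the example.

```python
from collections import Counter

# Constructed sample data; CVE ids and scores are placeholders, not real feed values.
# cve -> (EPSS probability of exploitation within 30 days, CVSS base score 0-10)
SCORES = {
    "CVE-0000-0001": (0.930, 9.8),
    "CVE-0000-0002": (0.020, 9.1),
    "CVE-0000-0003": (0.400, 6.5),
    "CVE-0000-0004": (0.005, 7.5),
    "CVE-0000-0005": (0.150, 5.3),
}
# Constructed inventory as a passive scanner might report it: device -> CVEs present
FLEET = {
    "pump-01": ["CVE-0000-0002", "CVE-0000-0004"], "pump-02": ["CVE-0000-0002", "CVE-0000-0004"],
    "pump-03": ["CVE-0000-0002"], "imaging-01": ["CVE-0000-0001"],
    "monitor-01": ["CVE-0000-0003", "CVE-0000-0005"], "monitor-02": ["CVE-0000-0003"],
    "monitor-03": ["CVE-0000-0003"], "monitor-04": ["CVE-0000-0003"],
}

def epss_percentile(cve, scores=SCORES):
    """EPSS percentile: share of scored CVEs whose probability is at or below this one."""
    p = scores[cve][0]
    return sum(1 for q, _ in scores.values() if q <= p) / len(scores)

def triage_tier(epss_p, cvss, epss_threshold=0.10, cvss_threshold=7.0):
    """Bucket by likelihood (EPSS) and worst-case impact (CVSS); thresholds are assumed."""
    likely, severe = epss_p >= epss_threshold, cvss >= cvss_threshold
    if likely and severe:
        return "patch-now"
    if likely:
        return "patch-soon"     # likely to be exploited, limited impact
    if severe:
        return "compensate"     # severe but unlikely: segment it (VLAN/firewall), patch in cycle
    return "monitor"

def prioritize(fleet=FLEET, scores=SCORES):
    """Rank CVEs by expected devices exploited in 30 days (EPSS probability x devices affected).
    Ties go to higher CVSS. Rows: (cve, devices, epss, percentile, cvss, expected, tier)."""
    affected = Counter(c for cves in fleet.values() for c in cves)
    rows = []
    for cve, n in affected.items():
        p, cvss = scores[cve]
        rows.append((cve, n, p, epss_percentile(cve, scores), cvss,
                     round(p * n, 3), triage_tier(p, cvss)))
    rows.sort(key=lambda r: (-r[5], -r[4]))
    return rows
```

Note how the CVSS 9.1 vulnerability on three pumps ranks near the bottom because its EPSS probability is low, while the CVSS 6.5 vulnerability on four monitors ranks first; that is the shift in focus from severity alone to likelihood and fleet exposure that the text describes.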
In combination with EPSS and CVSS scoring data, security teams should also assess how security controls can prevent vulnerability exploits. For example, security teams might put IoMT devices on separate virtual local area networks (VLANs), add firewalls to separate IoMT VLANs from IT VLANs, and disable device functionality that contributes to risk.
Security teams cannot possibly secure the many thousands of IoMT vulnerabilities present within device fleets. By enabling risk prioritization as a key component of a comprehensive IoMT security strategy, however, security teams can be sure they’re securing the vulnerabilities that count the most.
References:
[i] “Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities,” Federal Bureau of Investigation, September 12, 2022, https://www.ic3.gov/Media/News/2022/220912.pdf
[ii] “The EPSS Model,” FIRST, https://www.first.org/epss/model
[iii] “Exploit Prediction Scoring System,” FIRST, https://www.first.org/epss/
[iv] “Common Vulnerability Scoring System SIG,” FIRST, https://www.first.org/cvss/
[v] “Exploit Prediction Scoring System,” FIRST, https://www.first.org/epss/
[vi] “NIST Cybersecurity Framework,” NIST, https://www.nist.gov/cyberframework