NEWS UPDATE: CORL Analysis Flags Medical Device Vendors for Lax Security Standards

ATLANTA – June 2017 – The WannaCry ransomware attack infected various medical devices in the United States, according to several news sources. This comes as no surprise to CORL Technologies (CORL), which analyzes the security practices of approximately 30,000 health industry vendors. CORL’s analysis reveals that vendors identified as being in the medical device industry sector were consistently associated with weak information security postures:

  • 57% do not have security leaders,
  • 89% do not have security certifications,
  • 18% do not have privacy policies, and
  • 7% had a breach in the last 5 years.

71% of medical device vendors received a “D” report card grade, and, of those, 93% do not have security certifications. A vendor is graded “D” when it lacks any evidence of a security program led by competent leadership, or when it failed technical security tests. These vendors are unlikely to protect sensitive information or to develop products with appropriate security controls.

CORL further analyzed medical device vendors that have been through CORL’s vendor security risk management assessment process and are classified as “High Risk.” The analysis showed that these vendors all had similar risks in the following control areas:

  1. System Acquisition – Limited or informal processes to build security requirements into system development, implementation and engineering functions.
  2. Vendor Oversight – Limited or informal vendor security risk management functions to protect against supply chain threats.
  3. Configuration Management – Limited or informal processes and tools in place to ensure the secure configuration of solutions.
  4. Maintenance & Diagnostics – Limited ability to provide remote support capabilities in a secure manner.
  5. Access Controls – Limited ability to restrict access, use roles and granular permissions, and no remote access authorization prior to connecting.
  6. Physical Security – Inconsistent screenings of workforce members upon hiring and very limited re-screening of individuals with access to customer data.

CORL recommends that clients require medical device vendors to align with industry-leading security standards and to obtain a third-party security certification. Medical device vendors must also adopt secure development and engineering processes that ensure security is designed into products up front and that verify these requirements are met before solutions are delivered to customers.

A CORL client speaks to factoring vendor certification into their buying decisions:

“We impose contract obligations with our Business Associates (BAs) to keep our data secure, and certifications are an indicator. We can’t yet make certification a contractual requirement, but there is definitely a shift happening in industry, and we use CORL to engage our vendors and push certifications and risk remediation activities.”

According to the whitepaper released by Meditology titled Hijacking Your Life Support: Medical Device Security, “The lack of historical focus on building security requirements into medical devices has led to these devices becoming one of the weakest links in the chain for securing healthcare networks and systems. Medical devices have become a gateway to a healthcare organization’s domain, opening the door to a trove of patient health information and regulated data.”

The CORL vendor risk assessment methodology uses questions about overall security controls at the vendor level and the product level across all NIST control areas, mapped to NIST SP 800-53, HIPAA, and HITRUST. As part of the assessment process, CORL requires all of its clients’ vendors to provide current, documented evidence that security controls are in place; a third-party security certification is accepted in lieu of such evidence. Relevant security certifications under CORL’s methodology include SOC 2 Type 2 (which must include the Security TSP), HITRUST, and/or ISO 27001:2013. CORL is SOC 2 Type 2 certified.