The U.S. government’s policy for disclosing freshly discovered software vulnerabilities effectively sidelines a small but vital slice of the global IT ecosystem, critics charge — flaws in the computer programs that run medical devices, hospital equipment and digital health records systems.
The Vulnerabilities Equities Process (VEP) sets out how the government decides whether to secretly retain a new vulnerability — called a zero-day — for use in spying operations, or disclose it to the manufacturer so the software can be fixed or patched. The process’s details were released Wednesday by the White House.
The Equities Review Board, the body which discusses vulnerabilities and makes decisions under the VEP, is made up of representatives from 10 federal agencies and departments, including the Department of Defense, Department of Homeland Security and the Office of the Director of National Intelligence.
But there’s no representative from the Department of Health and Human Services. When asked about the omission, White House Cybersecurity Coordinator Rob Joyce said “Health equities are part of the discussion,” but in effect, the line had to be drawn somewhere.
“It really comes down to the ability to have cleared individuals with [the right] background to participate,” he said. “As you expand any group, as the numbers increase it gets less and less effective, so we had to make a decision” about who to exclude.
Experts believe that the decision to exclude the healthcare sector was misguided.
“The VEP needs a stakeholder from [the Health and Human Services Department, or] HHS,” said Josh Corman, co-founder of I am the Cavalry, a grassroots organization focused on issues where computer security intersects public safety and human life. Corman was one of the authors of a congressionally chartered task force report earlier this year on healthcare sector cybersecurity.
“There are non-obvious dependencies in medical devices, medical operational networks and electronic health records systems,” which means they may not be visible to a non-specialist considering a software flaw’s impact, said Corman. He gave BusyBox as an example: an open-source software tool used for embedded systems in Internet of Things devices.
Officials weighing the impact of a vulnerability in BusyBox might assess “It’s just for IoT consumer devices,” added Corman. “They might not know it is used in bedside infusion pumps and medical imaging systems … as well as other safety-critical industries.” He added that this was just one of hundreds of possible examples. “There are no standards about which software is fit for purpose in safety critical environments like medical devices or hospital IT networks,” so pretty much any kind of software might turn up there, he said.
Corman, who said he generally welcomed the process, told CyberScoop the health care task force had recommended the appointment of a “cyber safety czar” in HHS, who would be “a key stakeholder” in the VEP.
Other experts have advocated that other specialty equities should be represented.
“What about the Department of Transportation?” asked threat intelligence specialist John Bambenek, noting that the software used in autonomous cars was no more immune from zero-days than any other internet-connected computer.
Asked about the issue of vulnerabilities in medical equipment, Michelle Richardson, deputy director of the Center for Democracy and Technology’s Freedom, Security, and Technology Project, pointed out that the charter states: “Other [federal] agencies may participate [in Equities Review Board discussions] when demonstrating responsibility for, or identifying equity in, a vulnerability under deliberation.”
“A good faith reading of that [passage] would require the presence of HHS officials in the room” anytime a vulnerability that impacts medical devices is up for a VEP decision, she said.
But the whole point, Corman pointed out, is that — to the non-specialist — it wouldn’t necessarily be apparent that there were medical device or other health care equities at stake in a discussion of a particular vulnerability.
“I totally get that you have to draw the line somewhere,” he said. “I would just respectfully suggest they are drawing it in the wrong place.”
Joyce rolled out the unclassified VEP charter at a Washington, D.C., event Wednesday, saying it heralded a new era of transparency about the process, the existence of which the government first made public in 2014. Many of the VEP’s details had been classified until this week.