Understanding the Exploit Prediction Scoring System (EPSS) and IoMT

For healthcare delivery organizations (HDOs), a security incident poses more than a financial, compliance, and legal risk; it impacts patient care and poses a risk to human life. During a ransomware attack, the HDO’s security and IT teams must take systems offline during containment and recovery. However, taking diagnostic and therapeutic medical devices offline can lead to misdiagnosis and improper or unsafe treatment. For example, taking a ventilator offline while responding to a ransomware attack can lead to a patient’s death.

To prioritize their remediation activities, HTM and Security teams need visibility into whether attackers can use a vulnerability to achieve their objectives. By understanding how the Exploit Prediction Scoring System (EPSS) works and its limitations, teams can use it to help remediate IoMT more efficiently.

Often, attackers infiltrate systems by exploiting security vulnerabilities, the weaknesses in information systems at the technical or procedural level. Today, health technology management (HTM) teams are critical to their HDO’s cybersecurity program, yet many struggle to efficiently and effectively identify vulnerabilities and prioritize mitigation efforts. Internet of Medical Things (IoMT) devices often rely on operating systems that manufacturers no longer support. Meanwhile, with an average of 6.2 vulnerabilities per medical device, HTM teams struggle as their organization adds more IoMT devices.

What is the Common Vulnerability Scoring System (CVSS)?

The Common Vulnerability Scoring System (CVSS) communicates a vulnerability’s characteristics and severity by reviewing its technical characteristics.

When discussing the CVSS score, most people mean the Base metrics that range from 0.0 (least severe) to 10.0 (most severe). FIRST, the non-profit that owns and operates the CVSS framework, explains that the Base metrics are the intrinsic characteristics that remain constant over time while assuming a reasonable worst-case impact across various environments, typically identified by analysts and vendors.

What is the Exploit Prediction Scoring System (EPSS)?

The Exploit Prediction Scoring System (EPSS) measures the threat that a vulnerability poses by combining technical information with data from the Common Vulnerabilities and Exposures (CVE) list and known attacker behaviors.

The EPSS provides:

  • Probability: the overall likelihood that attackers will exploit the vulnerability within the next 30 days
  • Percentiles: the context about the relative or localized threat to communicate rank ordering

The EPSS calculates a probability score between 0 and 1 (0% and 100%) so that teams responsible for vulnerability remediation can focus on the ones that attackers are more likely to exploit.

What problem is EPSS solving?

Every year, security researchers publish more vulnerabilities. In January 2022, one cybersecurity firm found that 53% of hospitals’ connected medical devices and Internet of Things (IoT) devices had known critical vulnerabilities. Remediating vulnerabilities for all medical, IoT, and traditional devices is a Sisyphean task, with research noting that most firms can only fix between 5% and 20% of known vulnerabilities per month.

However, a vulnerability poses a more significant threat when attackers are exploiting it. That can change regularly – exploit kits get written, attackers discover new techniques, and some vulnerabilities just rise and fall in infosec news cycles. EPSS offers insight into whether threat actors will likely use the vulnerability within the next 30 days, giving HTM and IT teams a way to prioritize their activities. By focusing on the vulnerabilities that attackers are most likely to exploit, these overworked, understaffed teams can enhance security and improve efficiency.

What data does EPSS use?

As a predictive analytics model, the EPSS ingests data from various resources and weights data types differently.

Vulnerability Databases

At the technical level, the EPSS uses the following data:

  • MITRE’s CVE List, including text-based “Tags” from the description, days since published, and references listed
  • Base score from the CVSS vectors as published in the National Vulnerability Database (NVD)
  • Technology vendor information in NVD

Threat intelligence

As a predictive model, the EPSS needs information that shows intent to exploit a vulnerability, collecting the following open-source intelligence:

  • Published exploit code in Metasploit, ExploitDB, and/or GitHub
  • Publicly available security scanners Jaeles, Intrigue, Nuclei, and sn1per
  • Observations about real-world exploit activity from AlienVault and Fortinet

What are the benefits of EPSS for IoMT?

Prioritizing remediation activities is critical for overworked IT and HTM teams, especially considering that a 1,116-bed hospital can have at least 21,000 connected devices made up of several thousand models and hundreds of manufacturers. Assuming that each device contains at least 6 vulnerabilities, the IT and HTM teams would need to remediate up to 126,000 total vulnerabilities, only to start all over the next time researchers publish a vulnerability affecting their fleet. With EPSS, HTM and IT teams can make data-driven prioritization decisions focused on protecting against the most likely threats, the vulnerabilities that attackers will most likely exploit in the future.

Efficiency

With limited staff, HTM teams need to allocate time efficiently. Using the EPSS with their internal risk assessment, these teams can make decisions by combining the following:

  • The probability that attackers will exploit a vulnerability
  • A potential attack’s impact on patient care and data

Coverage

For HDOs, remediating as many vulnerabilities as possible is just as important as allocating resources efficiently. Using the EPSS with their asset inventory, these teams can make decisions by combining the following:

  • The probability that attackers will exploit a vulnerability
  • The number of devices containing the vulnerability
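
The Efficiency and Coverage combinations above, as an added Python example that is not part of the original article or any vendor's product. The function names, the 1-5 clinical impact scale, the placeholder CVE ids and the choice to combine the factors by multiplication are all assumptions made for illustration; the sample assumes the cve,epss,percentile column layout of the EPSS CSV download.

```python
import csv
import io

# Constructed sample laid out like the EPSS CSV download: a '#' comment line,
# then cve,epss,percentile. CVE ids and scores are placeholders, not real data.
EPSS_CSV = """#model_version:example,score_date:2024-01-01
cve,epss,percentile
CVE-0000-0001,0.92000,0.99500
CVE-0000-0002,0.04000,0.91000
CVE-0000-0003,0.30000,0.97000
CVE-0000-0004,0.00100,0.20000
"""

# Constructed inventory rows: (cve, devices affected, clinical impact 1-5).
# The impact scale is a hypothetical internal rating, not part of EPSS.
INVENTORY = [
    ("CVE-0000-0001", 3, 5),    # few devices, life-critical
    ("CVE-0000-0002", 400, 2),  # widespread, low impact
    ("CVE-0000-0003", 40, 4),
    ("CVE-0000-0004", 900, 5),  # severe and widespread, rarely exploited
    ("CVE-0000-0099", 10, 3),   # absent from the EPSS sample
]

def load_epss(text):
    """Return {cve: probability} from EPSS-style CSV text, skipping '#' lines."""
    lines = (l for l in io.StringIO(text) if not l.startswith("#"))
    return {row["cve"]: float(row["epss"]) for row in csv.DictReader(lines)}

def rank(inventory, epss, by, capacity):
    """Return (top `capacity` CVE ids, CVE ids lacking an EPSS score).
    by="efficiency" weights probability by clinical impact; by="coverage"
    weights it by affected-device count. Unscored ids need manual review.
    """
    if by not in ("efficiency", "coverage"):
        raise ValueError(f"unknown ranking: {by}")
    scored, unscored = [], []
    for cve, devices, impact in inventory:
        if cve not in epss:
            unscored.append(cve)
            continue
        weight = impact if by == "efficiency" else devices
        scored.append((epss[cve] * weight, cve))
    scored.sort(reverse=True)
    return [cve for _, cve in scored[:capacity]], unscored

if __name__ == "__main__":
    scores = load_epss(EPSS_CSV)
    for mode in ("efficiency", "coverage"):
        print(mode, rank(INVENTORY, scores, mode, capacity=2))
```

With a remediation capacity of two findings, the two rankings select different work: the efficiency view leads with the life-critical finding on three devices, while the coverage view leads with the low-probability finding present on 400 devices.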

What are the limitations of EPSS for IoMT?

While EPSS provides value, it’s not a cure-all for HTM team problems. To understand a vulnerability’s potential impact on its environment, HTM teams should combine the CVSS and EPSS scores. However, they should also consider how their compensating controls impact an attacker’s ability to exploit a vulnerability.

Unique Environment

EPSS is a general resource: it says attackers are likely to exploit a vulnerability, rather than looking at a device in the context of its environment and saying, “This device is likely to be exploited.” The HDO’s environment may include security controls preventing exploitation, like:

  • Placing IoMT on separate virtual local area networks (VLANs)
  • Placing firewalls between the IoMT VLANs and IT VLANs
  • Removing or disabling specific device functionalities

Device Service Interruption

Typically, active network scanners incorporate CVSS and EPSS to help IT teams prioritize their remediation activities. However, these active scanners can accidentally take devices offline because, by nature, they test exploits on those devices. The resulting disruption to device service can undermine patient care.

HDOs need passive scanners to detect vulnerabilities and evaluate risk while patients use the devices.

Inability to Apply Patch

In many cases, manufacturers no longer provide security updates that address operating system and software vulnerabilities for older medical devices, especially those used by radiology departments. HDOs implement compensating controls that respond to their inability to update operating systems or software. However, most network scanners that use the EPSS and CVSS scores will still trigger alerts.

Asimily: Bringing IoMT Context to Prioritization

Asimily provides holistic context into an HDO’s environment when calculating Likelihood-based risk scoring for devices. Our vulnerability scoring considers the compensating controls so you can more appropriately prioritize remediation activities.

HDOs efficiently identify high-risk vulnerabilities with our proprietary, patented algorithm that cross-references vast amounts of data from resources like EPSS, Manufacturer Disclosure Statements for Medical Device Security (MDS2s), Software Bills of Material (SBOMs), Common Vulnerability and Exposure (CVE) lists, the MITRE ATT&CK Framework, and NIST Guidelines. It understands your unique environment, so our deep contextual recommendation engine can provide real-time, actionable remediation steps to reduce risk and save time.

Asimily clients are 10x more efficient because the engine can pinpoint and prioritize the top 2% of problem devices that are High-Risk (High Likelihood of exploitation and High Impact if compromised). Asimily’s clinically validated recommendations can easily be applied in several ways, including through seamless integration with NACs, firewalls, or other network enforcement solutions.

Schedule a consultation with an Asimily expert to see how you can efficiently prioritize and remediate vulnerabilities with the leading IoMT risk management platform.
