Summary: The healthcare industry faces challenges in securing Internet of Medical Things (IoMT) devices due to their crucial role in patient care. The Exploit Prediction Scoring System (EPSS) framework helps prioritize vulnerabilities by assessing the likelihood of exploitation, enabling security teams to focus on the most significant risks.
Key Takeaways:
- IoMT devices often have numerous vulnerabilities, making it impossible to secure them all.
- EPSS and CVSS frameworks aid security teams in prioritizing vulnerabilities based on risk and impact.
- Comprehensive security strategies must incorporate frameworks, network segmentation, and continuous monitoring for effective IoMT device protection.
By Shankar Somasundaram
In any other industry, security and IT teams that recognize IoT device vulnerabilities, exploits, or open attack paths can simply remove those devices from their networks. Within healthcare delivery organizations (HDOs), this isn’t always possible. Patient care takes priority, and deservedly so.
Internet of Medical Things (IoMT) devices and equipment provide crucial functionality, from health diagnostics and monitoring to other essential—and potentially life-saving—services. Security teams face the critical task of ensuring safeguards can still protect those devices from breaches. Failure to do so risks severe penalties from financial, legal, and regulatory compliance perspectives. Worse, it can put patients’ lives at risk.
The Scale of the Problem
To quickly put the scale of this challenge in perspective, consider MemorialCare, a hospital system with 1,100+ hospital beds and more than 52,000 active IoMT devices. Because IoMT functionality is essential, devices stay in service for a long time and fleets are heterogeneous. Tufts’ security team is tasked with protecting thousands of different IoMT device models from hundreds of different manufacturers, many of which are still in operation but are older devices whose manufacturers do not provide regular cybersecurity updates.
Widespread Vulnerabilities in IoMT Devices
At the same time, findings from the FBI Cyber Division warn that the average IoMT device has 6.2 vulnerabilities (and 53% of devices have active critical vulnerabilities). Unfortunately, most security teams working to address those myriad risks can only remediate 5-20% of known vulnerabilities each month. Meanwhile, new vulnerabilities are discovered constantly.
HDO security and IT teams face tens or even hundreds of thousands of device vulnerabilities that may be ripe for intrusion, but have limited resources to address them. Given the difficulty of this challenge, the ability to accurately and efficiently prioritize vulnerabilities by risk is the only path to effective IoMT security.
Understanding the EPSS Framework
The non-profit Forum of Incident Response and Security Teams (FIRST) operates two highly valuable frameworks. While HDO security teams are responsible for addressing thousands of vulnerabilities, attackers are most likely to use only a fraction of the most opportune exploits available to them. Understanding how best to take advantage of the FIRST frameworks enables HDOs to prioritize the vulnerabilities that are most dangerous and carry the biggest practical risk of exploitation.
The first FIRST framework is the Common Vulnerability Scoring System (CVSS), a widely used system that formally analyzes the technical characteristics of a vulnerability and provides a score (0-10) representing its severity. This score tells security teams the worst-case impact they can expect from a particular vulnerability, based on its intrinsic characteristics and on analyst and vendor findings.
Exploit Prediction Scoring System (EPSS)
The second and newer FIRST framework, and the one I’ll focus more on, is the Exploit Prediction Scoring System (EPSS). This framework goes a major step further by assessing the practical likelihood of attackers exploiting a vulnerability. EPSS effectively tells HDO security teams exactly which vulnerabilities to target for remediation with their finite time and resources.
EPSS offers two core metrics. The EPSS probability score indicates the estimated percentage chance that attackers will exploit a vulnerability within the next 30 days. EPSS also helps put that probability into perspective with a percentile score, indicating where the vulnerability’s risk of exploitation ranks among all scored vulnerabilities.
How EPSS Works
EPSS is a predictive analytics model that weighs available technical information, vulnerability data, and threat intelligence to produce and update its scores. EPSS uses data from MITRE’s CVE List, CVSS base scores published in the National Vulnerability Database (NVD), and vendor information available in the NVD. To recognize attacker exploit intent and activity, EPSS draws on open source threat intelligence, including published exploit code in Metasploit, ExploitDB, and GitHub; public data from the security scanners Jaeles, Intrigue, Nuclei, and sn1per; and observations by AlienVault and Fortinet.
How HDO Security Teams Can Think About EPSS
The IoMT threat landscape shifts particularly rapidly. Attackers develop new approaches, new exploit kits become available, and different vulnerabilities simply fall in and out of focus. HDO security teams must dynamically adjust their prioritizations accordingly to optimize their limited time and budget.
EPSS offers a helpful start in shaping a clear data-driven strategy for maximizing IoMT security efficiency. That said, EPSS was created with threats to traditional network devices in mind, and there are limitations for security teams tasked with protecting IoMT devices. For this reason, EPSS should serve as just one component of a comprehensive strategy in IoMT security deployments, not as a standalone plan. EPSS does not—and cannot—give a single score that represents the risk faced by a specific device with a particular configuration deployed in a specific network topology. All of these influence the true risk faced by a user.
Further, teams should adopt a standardized cybersecurity framework, such as NIST, to ensure they have proven measures in place for identifying and mitigating risk on all fronts. Security teams should also use a passive scanner to detect and inventory IoMT devices continuously and in real time, assess vulnerabilities and risks, and identify anomalous behavior the moment it begins. Even with these caveats, EPSS’ forward-looking approach has been a welcome addition to the cybersecurity data available to defenders worldwide.
Risk Assessments and Security Strategies
Within this comprehensive approach, security teams can utilize EPSS and CVSS as part of their internal risk assessments, weighing the probabilities that attackers will target specific vulnerabilities and the potential impact of such attacks on data and patient care. Teams should also assess their device fleets through an EPSS lens to examine how many of their devices feature particular vulnerabilities, and include the goal of securing as many devices as possible in their prioritization strategies.
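The following is an added example, not code from the article or from Asimily, showing how the two EPSS metrics described earlier (probability and percentile) can be combined with CVSS severity and the number of affected devices to produce the fleet-level ranking this section recommends. The fleet data and CVE identifiers are constructed placeholders, and the exposure formula is an assumption of this example rather than anything EPSS itself defines.

```python
# Added example (not from the article or Asimily): rank an IoMT fleet's
# vulnerabilities by EPSS probability, CVSS severity and affected-device count.
# All data below is constructed; the CVE ids are placeholders, not real CVEs.
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    cve: str       # placeholder identifier
    cvss: float    # CVSS base score 0-10: worst-case impact
    epss: float    # EPSS probability (0-1) of exploitation within 30 days
    devices: int   # number of fleet devices carrying this vulnerability

# Constructed fleet snapshot. In practice epss comes from FIRST's EPSS feed
# and devices from the passive inventory scanner the article recommends.
FLEET = [
    Vuln("CVE-PLACEHOLDER-A", cvss=9.8, epss=0.020, devices=40),
    Vuln("CVE-PLACEHOLDER-B", cvss=7.5, epss=0.450, devices=300),
    Vuln("CVE-PLACEHOLDER-C", cvss=5.3, epss=0.900, devices=12),
    Vuln("CVE-PLACEHOLDER-D", cvss=9.1, epss=0.001, devices=1500),
    Vuln("CVE-PLACEHOLDER-E", cvss=6.1, epss=0.300, devices=800),
]

def percentile(v: Vuln, vulns: list[Vuln]) -> float:
    """Fraction of the scored set whose EPSS probability is <= v's.
    Same idea as the EPSS percentile metric, computed over this fleet."""
    return sum(1 for o in vulns if o.epss <= v.epss) / len(vulns)

def fleet_exposure(v: Vuln) -> float:
    """Assumed metric: expected devices exploited in 30 days, weighted by
    CVSS so a likely-exploited flaw counts more when its impact is higher."""
    return v.epss * v.devices * (v.cvss / 10.0)

def prioritise(vulns: list[Vuln]) -> list[Vuln]:
    """Highest fleet exposure first (a high CVSS alone does not win)."""
    return sorted(vulns, key=fleet_exposure, reverse=True)

def plan(vulns: list[Vuln], device_budget: int) -> list[str]:
    """Greedy monthly plan: walk the ranking and take each vulnerability
    whose affected devices fit the remaining budget; skip those that don't."""
    chosen, remaining = [], device_budget
    for v in prioritise(vulns):
        if v.devices <= remaining:
            chosen.append(v.cve)
            remaining -= v.devices
    return chosen

if __name__ == "__main__":
    for v in prioritise(FLEET):
        print(f"{v.cve}: exposure={fleet_exposure(v):.1f} pct={percentile(v, FLEET):.2f}")
    print("plan for 1200 device fixes:", plan(FLEET, 1200))
```

Note that the placeholder with the highest CVSS score and the most devices ranks near the bottom because its EPSS probability is negligible, which is exactly the shift in priority the article argues EPSS enables.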
Enhancing IoMT Security with Controls and Network Management
In combination with EPSS and CVSS scoring data, security teams should also assess how security controls can prevent vulnerability exploits. For example, security teams might put IoMT devices on separate virtual local area networks (VLANs), add firewalls to separate IoMT VLANs from IT VLANs, and disable device functionality that contributes to risk.
IoMT Security Success Demands Prioritization
Security teams cannot possibly secure the many thousands of IoMT vulnerabilities present within device fleets. By enabling risk prioritization as a key component of a comprehensive IoMT security strategy, however, security teams can be sure they’re securing the vulnerabilities that count the most.
Shankar Somasundaram is the CEO of Asimily. Questions and comments can be directed to [email protected].