Cyberattacks are on the rise, including in healthcare. Cyberattacks in U.S. healthcare rose more than 55% in 2020, reported CPO Magazine, a publication focusing on cybersecurity, data protection, and privacy.

Medical device companies can help healthcare stakeholders manage the risks of such attacks by identifying potential system vulnerabilities and discussing protection strategies. To promote cybersecurity, BD (Becton, Dickinson and Company) recently became the first medical technology company authorized as a Common Vulnerability and Exposures (CVE) Numbering Authority by the CVE Program. MD+DI asked Rob Suárez, Chief Information Security Officer for BD, a few questions about CVE numbering and why cybersecurity is important today.  

Suárez is a cybersecurity and privacy professional in the medical device and healthcare IT industry. At BD, he serves as chief information security officer and oversees cybersecurity across the company’s enterprise, IT, and manufacturing systems. Suárez currently chairs the Cybersecurity Steering Committee for the Medical Device Innovation Consortium and the Cybersecurity Working Group for AdvaMed. He was also one of three leaders to co-chair the public-private Healthcare and Public Health Sector Coordinating Council (HSCC) Med Tech Cybersecurity Risk Management Task Group, which issued the seminal Medical Device and Healthcare Information Technology Joint Security Plan (JSP) in 2019.

Is cybersecurity an increasing concern for medical device companies, and if so, why?

Suárez: Absolutely. BD is advancing the world of health by improving medical discovery, diagnostics, and the delivery of care and has been instrumental in the fight against COVID-19. We believe there’s a patient at the end of everything we do, so we integrate cybersecurity into each phase of our product lifecycle, from R&D through supporting our products in use. In today’s world, healthcare is the number one target for many cybercriminals. With COVID-19, cyberattacks in the healthcare industry increased at an unprecedented rate, with threat actors using more sophisticated techniques, from phishing attacks to ransomware. Our job is not just protecting systems and data—it’s also protecting patient safety and privacy.

We understand that BD was among the first medical technology companies to develop a mature Coordinated Vulnerability Disclosure program and that in 2020, the company launched the BD Cybersecurity Trust Center. Why is BD taking such a proactive stance for cybersecurity? 

Suárez: For BD, being transparent about potential vulnerabilities is essential because customers can’t protect what they don’t know. We launched the BD Cybersecurity Trust Center to proactively give customers a single source for BD cybersecurity content. When cybersecurity vulnerabilities emerge, whether in our products or in third-party components, we provide guidance so customers can manage potential risk properly.

How do medical software developers typically handle Common Vulnerability and Exposures (CVE) Numbering, and why is becoming CVE Numbering Authority (CNA) important for BD?

Suárez: We work closely with the U.S. Department of Homeland Security Cybersecurity & Infrastructure Security Agency (CISA) and the U.S. Food and Drug Administration (FDA) to coordinate vulnerability disclosures and enhance awareness. Prior to becoming a CVE Numbering Authority, CISA Industrial Control Systems (ICS) would assign CVE identification numbers to vulnerabilities in BD products. As a CVE Numbering Authority, BD now has the authority to use the Common Weakness Enumeration (CWE) system to classify vulnerability types. In addition, we will continue to apply the Common Vulnerability Scoring System (CVSS) to communicate vulnerability characteristics and severity for BD software-enabled products. Further, when issuing coordinated disclosures, we will continue to work closely with CISA and FDA for alignment and transparency before publishing the information on the BD Cybersecurity Trust Center and sharing it with organizations like the Health and Information Sharing Analysis Center (H-ISAC). Becoming a CVE Numbering Authority demonstrates BD’s commitment to cybersecurity in medical devices and shows the industry’s trust and confidence in BD cybersecurity practices. In addition, this recognition provides independent verification of our CVD processes, offering additional reassurance to customers that BD comprehensively and expeditiously communicates vulnerabilities.

What cybersecurity advice does BD have for other medical device companies?

Suárez: As medical device manufacturers, we have an essential role in protecting the infrastructure of healthcare around the world. To ensure our products are used safely and securely, we need to be proactive in sharing information about the latest emerging threats, new vulnerabilities in our technologies, and what our stakeholders can do to protect themselves. That’s why we need to take the stigma out of talking about vulnerabilities, so customers can have the information they need to manage risk properly through awareness and guidance.

Can you share a few important points from your inaugural cybersecurity annual report?

Suárez: BD is committed to doing what is right as we continue our journey toward advancing cybersecurity in the healthcare industry. We publish an annual cybersecurity report to update stakeholders about our cybersecurity practices and our engagement with cybersecurity working groups in healthcare. New cybersecurity threats emerge daily, and across the industry we’ve seen increased threat activity related to remote work, software supply chain vulnerabilities, and increased ransomware attacks. To protect customers and patients, we have to create a community of practice, where we’re all working together to advance cybersecurity maturity. It’s also important for healthcare providers to know which initiatives to look for and prioritize when entrusting a medical device manufacturer with patient safety and patient privacy. From mature policies and standards to strong vulnerability and incident management processes and third-party validations, we aim to partner with customers to advance medical device cybersecurity.