Health-ISAC Hacking Healthcare 3-9-2023

This week, Hacking Healthcare takes a longer look at coordinated vulnerability disclosure. We break down a new vulnerability disclosure legal framework that has been introduced by Belgium, analyze its benefits and potential shortcomings, and then end with a few recommendations for how all this applies to the healthcare sector.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)

PDF Version:
TLP WHITE - 3.9.2023 -- Hacking Healthcare

 

Text Version:

Welcome back to Hacking Healthcare.

What Does Belgium’s New Vulnerability Disclosure Framework Mean?

Last month, The Center for Cyber Security Belgium (CCB) announced a new legal framework for IT vulnerability reporting. The new framework sets out rules meant to provide security researchers and ethical hackers some legal safe harbor to “investigate and report existing vulnerabilities in networks and information systems located in Belgium”.[1] Vulnerability disclosure can be a complicated topic for organizations, and while we have covered this issue in the past, Belgium’s recently implemented vulnerability disclosure policy provides a good reason to revisit it.

 

Terminology 

Before exploring Belgium’s new policy and its broader implications, let’s brush up on some key terms associated with vulnerability disclosure that are sometimes conflated.

• – Vulnerability Disclosure Policy (VDP): VDP is a policy that describes how an organization would like outside entities to report cybersecurity vulnerabilities to them in order to be considered “good faith” efforts that won’t result in legal action. VDPs often outline the scope of allowed activities, the manner in which vulnerabilities should be disclosed, the format and content of those disclosures, and what vulnerability reporters should expect in terms of follow-on engagement and vulnerability remediation.
• – Coordinated Vulnerability Disclosure (CVD): As CERT/CC succinctly describes, a CVD “is the process of gathering information from vulnerability finders, coordinating the sharing of that information between relevant stakeholders, and disclosing the existence of software vulnerabilities and their mitigations to various stakeholders and the public.”[2]
• – Bug Bounty: a monetary reward given to ethical hackers or security researchers for discovering and reporting a vulnerability to an organization. Bug bounties exist as a subset of VDPs, as rewards can be implemented into VDPs but are not a necessary component. Bug bounty programs also exist as a complement to, or replacement for, a VDP.

 

Belgium’s New Policy

Belgium’s CCB acknowledges that there are individuals that actively look for vulnerabilities with the laudable intent of reporting them so that cybersecurity can be improved.[3] However, they also note that this can happen without prior warning to, or permission from, the entity being examined. Without clear guidance or a trusted coordinator, navigating these kinds of interactions to a mutually beneficial end is typically fraught with legal grey areas.

In an effort to clarify how vulnerability reporting should work in Belgium, the CCB presented a new legal framework on February 15^th. At a high level, this new framework sets out the expectations and requirements for security researchers and ethical hackers if they want safe harbor from various Belgian legal offenses that could conceivably be brought against their actions.

Here are some of the highlights:[4]

• – If an organization has a VDP, and an individual finds a vulnerability within the scope of the VDP, the individual should report that vulnerability only to the organization
• – If the organization fails to respond in a reasonable timeframe or other “difficulties arise,” either party can contact the CCB to act as a lead coordinator
• – If the vulnerability affects other organizations that do not have a VDP, the vulnerability can be reported to the CCB
• – The CCB outlines obligations that include limiting actions to only what is “necessary and proportionate to verify the existence of a vulnerability”
• – Individuals “may not attempt to monetize the information discovered” unless “a reward or remuneration has been explicitly and previously agreed upon”
• – The CCB encourages security researchers to make themselves known to an organization before carrying out activities
• – Individuals cannot “publicly disclose information about the discovered vulnerability without the agreement of the CCB”

 

Action & Analysis
**Included With Health-ISAC Membership**

 

Congress

Tuesday, March 7th:

– No relevant hearings

Wednesday, March 8th:

– Senate – Committee on Security and Governmental Affairs: Hearings to examine artificial intelligence, focusing on risks and opportunities.

– House of Representatives – Committee on Oversight and Accountability: Hearing “Advances in AI: Are We Ready For a Tech Revolution?”

Thursday, March 9th:

– No relevant hearings