Slashdot Mirror


Global Network of Labs Will Test Security of Medical Devices (securityledger.com)

chicksdaddy shares a report from The Security Ledger: Amid increasing concerns about cyber threats to healthcare environments, a global network of labs will test the security of medical devices, according to an announcement on Monday by a consortium of healthcare industry firms, universities and technology firms, The Security Ledger reports. The "World Health Information Security Testing Labs" (or "WHISTL") will adopt a model akin to the Underwriters Laboratory, which started out testing electrical devices, and focus on issues related to cyber security and privacy, helping medical device makers "address the public health challenges" created by connected health devices and complex, connected healthcare environments, according to a statement by The Medical Device Innovation, Safety and Security Consortium. "MDISS WHISTL facilities will dramatically improve access to medical device security know-how while protecting patient privacy and the intellectual property of our various stakeholders," said Dr. Nordenberg, MD, Executive Director of MDISS.

The labs will be one of the only independent, open and non-profit networks of labs specifically designed for the needs of the medical field, including medical device designers, hospital IT, and clinical engineering professionals. Experts will assess the security of medical devices using standards and specifications designed by testing organizations like Underwriters Labs. Evaluations will include application security testing like "fuzzing," static code analysis and penetration testing of devices. Any vulnerabilities found will be reported directly to manufacturers in accordance with best practices, and publicly disclosed to the international medical device vulnerability database (MDVIPER), which is maintained by MDISS and the National Health Information Sharing and Analysis Center (NH-ISAC). The group says it plans for 10 new device testing labs by the end of the year, including in the U.S. in states such as New York, Indiana, Tennessee and California, and outside North America in the UK, Israel, Finland, and Singapore. The WHISTL facilities will work with Underwriters Labs as well as AAMI, the Association for the Advancement of Medical Instrumentation. Specifically, MDISS labs will base their work on the UL Cybersecurity Assurance Program specifications (UL CAP) and follow testing standards developed by both groups, including the UL 2900 and AAMI 80001 standards.

50 comments

  1. HTTPS PLZ by Anonymous Coward · · Score: 0

    www.mdiss.org doesn't even implement https. And you can't tell them about it because http://www.mdiss.org/Home/Contact has no submit button.

    -rsaxvc

    1. Re: HTTPS PLZ by Anonymous Coward · · Score: 0

      bro u posted this twice

    2. Re:HTTPS PLZ by phantomfive · · Score: 2

      Even on their sign-up page they don't implement https.

      More evidence that "security" companies are more about social engineering their customers than about protecting them. You can be sure that this certification will be meaningless.

      --
      "First they came for the slanderers and i said nothing."

    3. Re:HTTPS PLZ by phantomfive · · Score: 3, Informative

      You can see what OS they are running with nmap -A:

      80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
      | http-methods:
      |_ Potentially risky methods: TRACE
      | http-server-header:
      | Microsoft-HTTPAPI/2.0
      |_ Microsoft-IIS/8.5
      |_http-title: Home Page
      Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

      They're not going out of their way to be secure.

      --
      "First they came for the slanderers and i said nothing."

    4. Re:HTTPS PLZ by Anonymous Coward · · Score: 0

      Won't matter. Congress will mandate requirements, like using above unsecured website.

  2. well I pen tested your mom by Anonymous Coward · · Score: 0

    and we both won

    1. Re: well I pen tested your mom by Anonymous Coward · · Score: 0

      So you're a necrophiliac.

    2. Re: well I pen tested your mom by Highdude702 · · Score: 1

      Just because your mother is cold-hearted to you doesn't mean she can't have a warm pocket of love for someone else.

  3. HTTPS PLZ by rsaxvc · · Score: 2

    www.mdiss.org doesn't even implement https. And you can't tell them about it because http://www.mdiss.org/Home/Cont... has no submit button.

  4. Security is not "tested" into devices... by QuietLagoon · · Score: 4, Insightful

    ... it is "designed" into devices. It appears the medical device industry still does not get security. How many people have to die before they do get security?

    1. Re:Security is not "tested" into devices... by Anonymous Coward · · Score: 0

      This. Playing whack-a-mole after the fact is how Microsoft does it.

      My insulin pump locks-up several times a week so I'm sure there's several bad buffer overflow attacks. It could easily kill me with a single overdose.

    2. Re: Security is not "tested" into devices... by Anonymous Coward · · Score: 0

      We only fix security problems that others discover rather than designing in security.

    3. Re:Security is not "tested" into devices... by Anonymous Coward · · Score: 0

      It's easier for junior devs to fix problems that other people find rather than to try to design secure systems in the first place.

    4. Re: Security is not "tested" into devices... by Anonymous Coward · · Score: 0

      Microsoft laid off their best people to save money. The junior guys left just don't grok security.

    5. Re: Security is not "tested" into devices... by Anonymous Coward · · Score: 0

      Keep a damn eye on your pump. My daughter's almost killed her several times. It runs Windows RT.

    6. Re:Security is not "tested" into devices... by Anonymous Coward · · Score: 0

      It's easier for junior devs to fix problems that other people find rather than to try to design secure systems in the first place.

      That has been Microsoft's plan since they fired all of their experienced (read, expensive) engineers.

    7. Re: Security is not "tested" into devices... by Anonymous Coward · · Score: 0

      That is cheaper so I can't blame us. It just sucks that some idiot in management is pushing our garbage on devices that could kill someone.

    8. Re: Security is not "tested" into devices... by Anonymous Coward · · Score: 0

      Medical devices need to be designed to be secure, quite unlike Microsoft products.

    9. Re: Security is not "tested" into devices... by Anonymous Coward · · Score: 0

      My daughter is Coeliac, and I don't know if her insulin pump runs Windows, but it often locks-up. I have to keep telling her to look at the display, and if it doesn't update her blood glucose level, she needs to assume it locked-up. Fortunately, it hasn't killed her yet.

    10. Re:Security is not "tested" into devices... by Anonymous Coward · · Score: 2, Interesting

      I used to work for a medical device company. At first I thought it strange and dangerous that networking and data security was an afterthought, implemented and tested by junior engineers. But then I figured out something more basic: ALL software was an afterthought. The hardware feature set, and the many physics Ph.D.'s that went into getting it to work better than the competition, was the core focus. All else was a distant second priority, at best.

      So you have vulnerabilities all over the place, and the people who matter aren't even aware that such vulnerabilities exist. There will be some catastrophic harm, then they will be aware. But it will be a decade before security becomes part of the design process.

    11. Re: Security is not "tested" into devices... by Anonymous Coward · · Score: 0

      Keep a damn eye on your pump. My daughter's almost killed her several times. It runs Windows RT.

      I don't know if my daughter's pump runs Windows, but it requires a crappy Windows program to configure it and to save its settings. It only sometimes works under Vista and usually works under XP. I have to keep an old Windows desktop running for her to use.

    12. Re:Security is not "tested" into devices... by Anonymous Coward · · Score: 0

      Most people would just say look at Microsoft's market-cap to disprove that.

      Of course, experts have known for decades that Microsoft's attempt to make things secure by playing whack-a-mole, rather than designing them to be secure, simply doesn't work. Security is a process, not a product.

    13. Re:Security is not "tested" into devices... by Anonymous Coward · · Score: 0

      the many physics Ph.D.'s that went into getting it to work better than the competition, was the core focus

      I think I found the problem. HR misread 'Physician' as 'Physicist'.

    14. Re:Security is not "tested" into devices... by DCFusor · · Score: 2

      Externalized cost of failure is the fail here too. Security isn't tested into devices (though that can help) of course. But when you can externalize the cost of fail - like say, Visa does into chargebacks and merchant fees, there's no incentive to do it right. If you're paying big malpractice insurance fees anyway, why care? It's not like companies are actually people or that even actual people these days have much in the way of morals, past look out for #1. Why do we let coal spew more Hg and more radioactive stuff in the air than even the worst alternatives? They (and the customer, you) don't pay and don't see the cost as obvious. Citation: Bruce Schneier. The med biz is more arrogant and clueless than most, to be sure. Doctors are gods, haven't you heard? After all, this stuff is all peer-reviewed by the house pets of almost-scientists.

      --
      Why guess when you can know? Measure!

    15. Re:Security is not "tested" into devices... by DCFusor · · Score: 1

      !this! ^^^

      --
      Why guess when you can know? Measure!

    16. Re:Security is not "tested" into devices... by AmiMoJo · · Score: 2

      What are the actual risks here?

      As I understand it some implantable devices have short range radios, mostly NFC based because anything else will run down the battery too fast and changing it isn't exactly easy. It's not like people's pacemakers are connected directly to the internet or anything.

      So potentially they could be harmed by a very close range attack... But it seems like there are plenty of other, easier ways to harm people at that range. It's not even stealthy, because if someone's pacemaker randomly gets exploited anyone stood near them is going to be a suspect. I suppose maybe the attack could involve some sort of time delay.

      The other vulnerable part of the system is the bit doctors use to read data from the device and reprogram it. It could be infected and reprogrammed to do some damage. I guess it could even target an individual if the serial number of their device was known.

      I'm not including the usual "don't stand next to any big microwave emitter" type vulnerabilities, those aren't new and affect non-connected devices too.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    17. Re:Security is not "tested" into devices... by Anonymous Coward · · Score: 0

      Your understanding is pretty much spot-on.

      If someone is close enough to hack your implantable device they are close enough to strangle you or stab you with a knife, both of which are far cheaper and presumably far more effective than hacking the device.

    18. Re:Security is not "tested" into devices... by ctilsie242 · · Score: 1

      The ironic thing is that secure system design isn't anything new. There have been books on this since the 1970s. It is a solved problem. The issue is that actually bothering to implement defense in depth is something companies don't want devs to spend time on. Again, the "security has no ROI" mantra.

      Were things designed from the ground up using proven security techniques, this wouldn't be an issue.

    19. Re:Security is not "tested" into devices... by Plus1Entropy · · Score: 1

      Junior devs shouldn't be responsible for designing the security features of a critical medical device.

      --
      Only crack the nuts that crack. You don't put the ones that don't crack in the sack.

    20. Re:Security is not "tested" into devices... by QuietLagoon · · Score: 1

      So, you seem to be OK with the "security by obscurity" approach. btw, a person does not need to be nearby to start an attack on a pacemaker. Only some sort of transmitter needs to be nearby, or the person needs to walk past it. It appears you are trying to rationalize away a significant problem.

    21. Re:Security is not "tested" into devices... by AmiMoJo · · Score: 1

      Okay, so there is another possible vulnerability. Hidden transmitter that the victim walks past... But it seems like a bit of a movie plot kinda threat. If you could hide a transmitter somewhere that it is close enough to work and also make sure it can't be traced back to you, there are probably easier things you could do to get at your victim.

      I'm not dismissing the danger, I'm asking what are the risks that a random person fitted with a "smart" pacemaker or whatever has to consider. So far it mostly seems like elaborate and unreliable assassination methods. Maybe someone could steal some of your medical data somehow, but how (attack the doctor's PC?) and what is the risk of them having it?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    22. Re:Security is not "tested" into devices... by tlhIngan · · Score: 2

      I'm not including the usual "don't stand next to any big microwave emitter" type vulnerabilities, those aren't new and affect non-connected devices too.

      Actually, it turns out the anti-theft detectors at store doorways are good enough to trip up a pacemaker. I think the ones they use at Best Buy are particularly susceptible to turning pacemakers and other devices like neurostimulators off. Often without notice or an alarm. The only thing the patient gets is either increased seizures or their heart is again beating oddly.

      Apparently doctors give notice about these devices and the frequencies that cause issues, but people do forget.

    23. Re:Security is not "tested" into devices... by Anonymous Coward · · Score: 0

      In Medical IoT Future, WHISTL blows YOU!

    24. Re:Security is not "tested" into devices... by AmiMoJo · · Score: 1

      Sounds like the perfect application for a tinfoil hat (or jacket if you have a pacemaker).

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

  5. btw, summary - lots of text, little thought by QuietLagoon · · Score: 2

    This is the usual beauhd summary. A wall of text with little thought behind it. So sad. And this person is a /. editor. How far has /. sunk to this to be the norm?

    1. Re:btw, summary - lots of text, little thought by Highdude702 · · Score: 1

      Quite far. He even will respond to comments of people criticizing him with "Shut Up"

    2. Re:btw, summary - lots of text, little thought by Plus1Entropy · · Score: 1

      Really, where?

      His account is only a year and a half old, so he only has a few pages of comments. Ctrl+F shows that he hasn't even used the word "shut" by itself, let alone told anyone to "shut up".

      Fucking FACTS, amirite?

      --
      Only crack the nuts that crack. You don't put the ones that don't crack in the sack.

    3. Re: btw, summary - lots of text, little thought by KGIII · · Score: 1

      There are several fake accounts that are based on their name. They aren't really them.

      --
      "So long and thanks for all the fish."

    4. Re: btw, summary - lots of text, little thought by Highdude702 · · Score: 1

      When I get home I'll find it, when he comments BOTH account numbers show up, which I believe is an editor account linked to a user account? Not sure but I know both account numbers show up after the name.

    5. Re: btw, summary - lots of text, little thought by KGIII · · Score: 1

      LOL That's not really them. They are spoof accounts.

      --
      "So long and thanks for all the fish."

  6. Great by Anonymous Coward · · Score: 0

    Now I can go back as a high priced consultant to fix all of those devices I helped design as a struggling young engineer. Get your checkbook ready, I don't work cheap anymore.

  7. Re:Damn those dogs by Anonymous Coward · · Score: 0

    They are applying for H-1B visas too.

  8. Global network of labs will... by Narcocide · · Score: 1

    ... all soon receive cease-and-desist orders.

  9. Are they testing them by implantation... by tlambert · · Score: 1

    Are they testing them by implantation... in high profile people that are widely disliked?

  10. Trust by Anonymous Coward · · Score: 1

    Given the low level of trust I hold for pharma firms, how much trust could I put into "a consortium of healthcare industry firms, universities and technology firms"? Especially when uni gets deeper and deeper into industry's pockets?

    Exactly.

  11. Hope they have a good legal department by schwit1 · · Score: 1

    I expect device makers to try and litigate them into submission before they can go public with vulnerabilities.

  12. Not good enough by hackel · · Score: 1

    We need a global mandate that *all* medical equipment has 100% open-source firmware. Only then can we have any real hope of security with these critical, life-saving devices.

  13. From the medical field... by s.t.a.l.k.e.r._loner · · Score: 1

    It seems like any time you read anything about medical devices, it's about security being abysmal: not even an afterthought. Hard-coded default admin passwords are commonplace. It's been my experience, working in the medical field, that most of the hardware is obsolete shit even when it's brand new. I often wonder if this has to do with the arduous process each device must go through to get FDA approval for medical use. For instance, my hospital uses the PYXIS medstation, a commonly-used locked medication cabinet with fingerprint access. The company rep just came through a couple days ago with latest-gen tops that contain a new touchscreen, keyboard, barcode reader, etc. The touchscreen is poor resolution and less touch-sensitive than the one it replaced. The only "improvement" to the keyboard is they removed tactile ability completely by making it flat for easy cleaning. The components inside (hard drive, etc) are connected with fucking IDE ribbon cables.