Slashdot Mirror


Global Network of Labs Will Test Security of Medical Devices (securityledger.com)

chicksdaddy shares a report from The Security Ledger: Amid increasing concerns about cyber threats to healthcare environments, a global network of labs will test the security of medical devices, according to an announcement on Monday by a consortium of healthcare industry firms, universities and technology firms, The Security Ledger reports. The "World Health Information Security Testing Labs" (or "WHISTL") will adopt a model akin to the Underwriters Laboratory, which started out testing electrical devices, and focus on issues related to cyber security and privacy, helping medical device makers "address the public health challenges" created by connected health devices and complex, connected healthcare environments, according to a statement by The Medical Device Innovation, Safety and Security Consortium. "MDISS WHISTL facilities will dramatically improve access to medical device security know-how while protecting patient privacy and the intellectual property of our various stakeholders," said Dr. Nordenberg, MD, Executive Director of MDISS.

The labs will be one of the only independent, open and non-profit networks of labs specifically designed for the needs of the medical field, including medical device designers, hospital IT, and clinical engineering professionals. Experts will assess the security of medical devices using standards and specifications designed by testing organizations like Underwriters Labs. Evaluations will include application security testing like "fuzzing," static code analysis and penetration testing of devices. Any vulnerabilities found will be reported directly to manufacturers in accordance with best practices, and publicly disclosed to the international medical device vulnerability database (MDVIPER), which is maintained by MDISS and the National Health Information Sharing and Analysis Center (NH-ISAC). The group says it plans for 10 new device testing labs by the end of the year, including in the U.S. in states from New York to Indiana, Tennessee and California, and outside North America in the UK, Israel, Finland, and Singapore. The WHISTL facilities will work with Underwriters Labs as well as AAMI, the Association for the Advancement of Medical Instrumentation. Specifically, MDISS labs will base their work on the UL Cybersecurity Assurance Program specifications (UL CAP) and follow testing standards developed by both groups, including the UL 2900 and AAMI 80001 standards.

9 of 50 comments

  1. HTTPS PLZ by rsaxvc · · Score: 2

    www.mdiss.org doesn't even implement https. And you can't tell them about it because http://www.mdiss.org/Home/Cont... has no submit button.

  2. Security is not "tested" into devices... by QuietLagoon · · Score: 4, Insightful

    ... it is "designed" into devices. It appears the medical device industry still does not get security. How many people have to die before they do get security?

    1. Re:Security is not "tested" into devices... by Anonymous Coward · · Score: 2, Interesting

      I used to work for a medical device company. At first I thought it strange and dangerous that networking and data security were an afterthought, implemented and tested by junior engineers. But then I figured out something more basic: ALL software was an afterthought. The hardware feature set, and the many physics Ph.D.'s that went into getting it to work better than the competition, was the core focus. All else was a distant second priority, at best.

      So you have vulnerabilities all over the place, and the people who matter aren't even aware that such vulnerabilities exist. There will be some catastrophic harm, then they will be aware. But it will be a decade before security becomes part of the design process.

    2. Re:Security is not "tested" into devices... by DCFusor · · Score: 2

      Externalized cost of failure is the fail here too. Security isn't tested into devices (though that can help) of course. But when you can externalize the cost of fail - like say, Visa does into chargebacks and merchant fees, there's no incentive to do it right. If you're paying big malpractice insurance fees anyway, why care? It's not like companies are actually people or that even actual people these days have much in the way of morals, past look out for #1. Why do we let coal spew more Hg and more radioactive stuff in the air than even the worst alternatives? They (and the customer, you) don't pay and don't see the cost as obvious. Citation: Bruce Schneier. The med biz is more arrogant and clueless than most, to be sure. Doctors are gods, haven't you heard? After all, this stuff is all peer-reviewed by the house pets of almost-scientists.

      --
      Why guess when you can know? Measure!

    3. Re:Security is not "tested" into devices... by AmiMoJo · · Score: 2

      What are the actual risks here?

      As I understand it some implantable devices have short range radios, mostly NFC based because anything else will run down the battery too fast and changing it isn't exactly easy. It's not like people's pacemakers are connected directly to the internet or anything.

      So potentially they could be harmed by a very close range attack... But it seems like there are plenty of other, easier ways to harm people at that range. It's not even stealthy, because if someone's pacemaker randomly gets exploited anyone standing near them is going to be a suspect. I suppose maybe the attack could involve some sort of time delay.

      The other vulnerable part of the system is the bit doctors use to read data from the device and reprogram it. It could be infected and reprogrammed to do some damage. I guess it could even target an individual if the serial number of their device was known.

      I'm not including the usual "don't stand next to any big microwave emitter" type vulnerabilities, those aren't new and affect non-connected devices too.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    4. Re:Security is not "tested" into devices... by tlhIngan · · Score: 2

      I'm not including the usual "don't stand next to any big microwave emitter" type vulnerabilities, those aren't new and affect non-connected devices too.

      Actually, it turns out the anti-theft detectors at store doorways are good enough to trip up a pacemaker. I think the ones they use at Best Buy are particularly susceptible to turning pacemakers and other devices like neurostimulators off. Often without notice or an alarm. The only thing the patient gets is either increased seizures or their heart is again beating oddly.

      Apparently doctors give notice about these devices and the frequencies that cause issues, but people do forget.

  3. btw, summary - lots of text, little thought by QuietLagoon · · Score: 2

    This is the usual beauhd summary. A wall of text with little thought behind it. So sad. And this person is a /. editor. How far has /. sunk for this to be the norm?

  4. Re:HTTPS PLZ by phantomfive · · Score: 2

    Even on their sign-up page they don't implement https.

    More evidence that "security" companies are more about social engineering their customers than about protecting them. You can be sure that this certification will be meaningless.

    --
    "First they came for the slanderers and i said nothing."

  5. Re:HTTPS PLZ by phantomfive · · Score: 3, Informative

    You can see what OS they are running with nmap -A:

    80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    | http-methods:
    |_ Potentially risky methods: TRACE
    | http-server-header:
    | Microsoft-HTTPAPI/2.0
    |_ Microsoft-IIS/8.5
    |_http-title: Home Page
    Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

    They're not going out of their way to be secure.

    --
    "First they came for the slanderers and i said nothing."
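A defender-side reading of the scan output in the comment above, as an added example that is not part of the post: the script parses nmap's normal-format output (the quoted lines are embedded as a constructed sample; no live scan is run) and turns the TRACE verdict, the Server headers and the OS line into hardening findings, and also flags an HTTP listener with no HTTPS counterpart in the scan.

```python
import re
# Constructed sample: the nmap -A output pasted in the comment above (no live scan is run here).
SAMPLE = """\
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Potentially risky methods: TRACE
| http-server-header:
| Microsoft-HTTPAPI/2.0
|_ Microsoft-IIS/8.5
|_http-title: Home Page
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")      # "80/tcp open http ..."
SCRIPT_RE = re.compile(r"^([a-z][\w-]*):\s*(.*)$")       # "http-methods:" (NSE script name)
RISKY_RE = re.compile(r"Potentially risky methods:\s*(.+)")  # nmap's verdict; disable such methods

def parse_nmap_output(text):
    # Returns {"ports": {port: {"service": str, "scripts": {name: [lines]}}}, "os": line}
    scan, port, script = {"ports": {}, "os": None}, None, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:                                     # start of a new open-port block
            port = int(m.group(1))
            scan["ports"][port] = {"service": m.group(2), "scripts": {}}
            script = None
        elif line.startswith("Service Info:"):
            scan["os"] = line.strip()
        elif line.startswith("|") and port is not None:
            body = line.lstrip("|_").strip()      # drop the NSE tree prefix "| " / "|_ "
            scripts = scan["ports"][port]["scripts"]
            m = SCRIPT_RE.match(body)
            if m:                                 # a script-name line opens a new section
                script = m.group(1)
                scripts[script] = [m.group(2)] if m.group(2) else []
            elif script:                          # continuation line of the current script
                scripts[script].append(body)
    return scan

def audit_scan(text):
    scan, findings = parse_nmap_output(text), []
    if 80 in scan["ports"] and 443 not in scan["ports"]:
        findings.append("no-https: 80/tcp open with no 443/tcp listener in the scan")
    for port, info in scan["ports"].items():
        for risky in RISKY_RE.findall("\n".join(info["scripts"].get("http-methods", []))):
            findings += [f"risky-method: {x.strip()} on {port}/tcp" for x in risky.split(",")]
        for banner in info["scripts"].get("http-server-header", []):
            findings.append(f"banner-disclosure: {banner} on {port}/tcp")   # suppress Server headers
    if scan["os"]:
        findings.append("os-disclosure: " + scan["os"])
    return findings
```

Run against the sample, `audit_scan(SAMPLE)` yields five findings: the missing HTTPS listener, TRACE on 80/tcp, the two Server banners and the Windows OS line.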