
Global Network of Labs Will Test Security of Medical Devices (securityledger.com)

chicksdaddy shares a report from The Security Ledger: Amid increasing concerns about cyber threats to healthcare environments, a global network of labs will test the security of medical devices, according to an announcement on Monday by a consortium of healthcare industry firms, universities and technology firms, The Security Ledger reports. The World Health Information Security Testing Labs ("WHISTL") will adopt a model akin to Underwriters Laboratories, which started out testing electrical devices, and focus on issues related to cyber security and privacy, helping medical device makers "address the public health challenges" created by connected health devices and complex, connected healthcare environments, according to a statement by The Medical Device Innovation, Safety and Security Consortium (MDISS). "MDISS WHISTL facilities will dramatically improve access to medical device security know-how while protecting patient privacy and the intellectual property of our various stakeholders," said Dr. Nordenberg, MD, Executive Director of MDISS.

The labs will be one of the only independent, open and non-profit networks of labs specifically designed for the needs of the medical field, including medical device designers, hospital IT, and clinical engineering professionals. Experts will assess the security of medical devices using standards and specifications designed by testing organizations like Underwriters Labs. Evaluations will include application security testing such as fuzzing, static code analysis and penetration testing of devices. Any vulnerabilities found will be reported directly to manufacturers in accordance with best practices, and publicly disclosed to the international medical device vulnerability database (MDVIPER), which is maintained by MDISS and the National Health Information Sharing and Analysis Center (NH-ISAC). The group says it plans for 10 new device testing labs by the end of the year, in the U.S. in states including New York, Indiana, Tennessee and California, and outside North America in the UK, Israel, Finland, and Singapore. The WHISTL facilities will work with Underwriters Labs as well as AAMI, the Association for the Advancement of Medical Instrumentation. Specifically, MDISS labs will base their work on the UL Cybersecurity Assurance Program specifications (UL CAP) and follow testing standards developed by both groups, including the UL 2900 and AAMI 80001 standards.

  • www.mdiss.org doesn't even implement https. And you can't tell them about it because http://www.mdiss.org/Home/Cont... [mdiss.org] has no submit button.
    • Even on their sign-up page they don't implement https.

      More evidence that "security" companies are more about social engineering their customers than about protecting them. You can be sure that this certification will be meaningless.
    • Re:HTTPS PLZ (Score:4, Informative)

      by phantomfive ( 622387 ) on Tuesday July 25, 2017 @01:18AM (#54872433) Journal
      You can see what OS they are running with nmap -A:

      80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
      | http-methods:
      |_ Potentially risky methods: TRACE
      | http-server-header:
      | Microsoft-HTTPAPI/2.0
      |_ Microsoft-IIS/8.5
      |_http-title: Home Page
      Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

      They're not going out of their way to be secure.

  • by QuietLagoon ( 813062 ) on Monday July 24, 2017 @11:32PM (#54872181)
    ... it is "designed" into devices. It appears the medical device industry still does not get security. How many people have to die before they do get security?
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      I used to work for a medical device company. At first I thought it strange and dangerous that networking and data security was an afterthought, implemented and tested by junior engineers. But then I figured out something more basic: ALL software was an afterthought. The hardware feature set, and the many physics Ph.D.'s that went into getting it to work better than the competition, was the core focus. All else was a distant second priority, at best.

      So you have vulnerabilities all over the place, and the peo

    • Externalized cost of failure is the fail here too. Security isn't tested into devices (though that can help) of course. But when you can externalize the cost of fail - like say, Visa does into chargebacks and merchant fees, there's no incentive to do it right. If you're paying big malpractice insurance fees anyway, why care? It's not like companies are actually people or that even actual people these days have much in the way of morals, past look out for #1. Why do we let coal spew more Hg and more rad
    • by AmiMoJo ( 196126 )

      What are the actual risks here?

      As I understand it some implantable devices have short range radios, mostly NFC based because anything else will run down the battery too fast and changing it isn't exactly easy. It's not like people's pacemakers are connected directly to the internet or anything.

      So potentially they could be harmed by a very close range attack... But it seems like there are plenty of other, easier ways to harm people at that range. It's not even stealthy, because if someone's pacemaker randoml

      • So, you seem to be OK with the "security by obscurity" approach. btw, a person does not need to be nearby to start an attack on a pacemaker. Only some sort of transmitter needs to be nearby, or the person needs to walk past it. It appears you are trying to rationalize away a significant problem.
        • by AmiMoJo ( 196126 )

Okay, so there is another possible vulnerability. Hidden transmitter that the victim walks past... But it seems like a bit of a movie plot kinda threat. If you could hide a transmitter somewhere that it is close enough to work and also make sure it can't be traced back to you, there are probably easier things you could do to get at your victim.

          I'm not dismissing the danger, I'm asking what are the risks that a random person fitted with a "smart" pacemaker or whatever has to consider. So far it mostly seems

      • by tlhIngan ( 30335 )

        I'm not including the usual "don't stand next to any big microwave emitter" type vulnerabilities, those aren't new and affect non-connected devices too.

Actually, it turns out the anti-theft detectors at store doorways are good enough to trip up a pacemaker. I think the ones they use at Best Buy are particularly susceptible to turning pacemakers and other devices like neurostimulators off. Often without notice or an alarm. The only thing the patient gets is either increased seizures or their heart is again be

        • by AmiMoJo ( 196126 )

          Sounds like the perfect application for a tinfoil hat (or jacket if you have a pacemaker).

  • by QuietLagoon ( 813062 ) on Monday July 24, 2017 @11:37PM (#54872197)
    This is the usual beauhd summary. A wall of text with little thought behind it. So sad. And this person is a /. editor. How far has /. sunk to this to be the norm?
  • ... all soon receive cease-and-desist orders.

  • Are they testing them by implantation... in high profile people that are widely disliked?

  • by Anonymous Coward

    Given the low level of trust I hold for pharma firms, how much trust could I put into "a consortium of healthcare industry firms, universities and technology firms"? Especially when uni gets deeper and deeper into industry's pockets?


  • I expect device makers to try and litigate them into submission before they can go public with vulnerabilities.
  • We need a global mandate that *all* medical equipment has 100% open-source firmware. Only then can we have any real hope of security with these critical, life-saving devices.

  • It seems like any time you read anything about medical devices, it's about security being abysmal: not even an afterthought. Hard-coded default admin passwords are commonplace. It's been my experience, working in the medical field, that most of the hardware is obsolete shit even when it's brand new. I often wonder if this has to do with the arduous process each device must go through to get FDA approval for medical use. For instance, my hospital uses the PYXIS medstation, a commonly-used locked medication
