Global Network of Labs Will Test Security of Medical Devices (securityledger.com)
chicksdaddy shares a report from The Security Ledger: Amid increasing concerns about cyber threats to healthcare environments, a global network of labs will test the security of medical devices, according to an announcement on Monday by a consortium of healthcare industry firms, universities and technology firms, The Security Ledger reports. The "World Health Information Security Testing Labs" (or "WHISTL") will adopt a model akin to the Underwriters Laboratory, which started out testing electrical devices, and focus on issues related to cyber security and privacy, helping medical device makers "address the public health challenges" created by connected health devices and complex, connected healthcare environments, according to a statement by The Medical Device Innovation, Safety and Security Consortium. "MDISS WHISTL facilities will dramatically improve access to medical device security know-how while protecting patient privacy and the intellectual property of our various stakeholders," said Dr. Nordenberg, MD, Executive Director of MDISS.
The labs will be one of the only independent, open and non-profit networks of labs specifically designed for the needs of the medical field, including medical device designers, hospital IT, and clinical engineering professionals. Experts will assess the security of medical devices using standards and specifications designed by testing organizations like Underwriters Labs. Evaluations will include application security testing like "fuzzing," static code analysis and penetration testing of devices. Any vulnerabilities found will be reported directly to manufacturers in accordance with best practices, and publicly disclosed to the international medical device vulnerability database (MDVIPER), which is maintained by MDISS and the National Health Information Sharing and Analysis Center (NH-ISAC). The group says it plans for 10 new device testing labs by the end of the year, including in the U.S. in states from New York to Indiana, Tennessee and California, and outside North America in the UK, Israel, Finland, and Singapore. The WHISTL facilities will work with Underwriters Labs as well as AAMI, the Association for the Advancement of Medical Instrumentation. Specifically, MDISS labs will base their work on the UL Cybersecurity Assurance Program specifications (UL CAP) and follow testing standards developed by both groups, including the UL 2900 and AAMI 80001 standards.
Re: (Score:2)
Just because your mother is cold hearted to you doesn't mean she can't have a warm pocket of love for someone else.
HTTPS PLZ (Score:2)
Re: (Score:3)
More evidence that "security" companies are more about social engineering their customers than about protecting them. You can be sure that this certification will be meaningless.
Re:HTTPS PLZ (Score:4, Informative)
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Potentially risky methods: TRACE
| http-server-header:
| Microsoft-HTTPAPI/2.0
|_ Microsoft-IIS/8.5
|_http-title: Home Page
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
They're not going out of their way to be secure.
Security is not "tested" into devices... (Score:5, Insightful)
Re: (Score:2)
The ironic thing is that secure system design isn't anything new. There have been books on this since the 1970s. It is a solved problem. The issue is that actually bothering to implement defense in depth is something companies don't want devs to spend time on. Again, the "security has no ROI" mantra.
Were things designed right from the ground up using proven security techniques, this wouldn't be an issue.
Re: (Score:2)
Junior devs shouldn't be responsible for designing the security features of a critical medical device.
Re: (Score:2, Interesting)
I used to work for a medical device company. At first I thought it strange and dangerous that networking and data security was an afterthought, implemented and tested by junior engineers. But then I figured out something more basic: ALL software was an afterthought. The hardware feature set, and the many physics Ph.D.'s that went into getting it to work better than the competition, was the core focus. All else was a distant second priority, at best.
So you have vulnerabilities all over the place, and the peo
Re: (Score:2)
Re: (Score:3)
Re: (Score:3)
What are the actual risks here?
As I understand it some implantable devices have short range radios, mostly NFC based because anything else will run down the battery too fast and changing it isn't exactly easy. It's not like people's pacemakers are connected directly to the internet or anything.
So potentially they could be harmed by a very close range attack... But it seems like there are plenty of other, easier ways to harm people at that range. It's not even stealthy, because if someone's pacemaker randoml
Re: (Score:2)
Re: (Score:2)
Okay, so there is another possible vulnerability. Hidden transmitter that the victim walks past... But it seems like a bit of a movie plot kinda threat. If you could hide a transmitter somewhere that it is close enough to work and also make sure it can't be traced back to you, there are probably easier things you could do to get at your victim.
I'm not dismissing the danger, I'm asking what are the risks that a random person fitted with a "smart" pacemaker or whatever has to consider. So far it mostly seems
Re: (Score:3)
Actually, it turns out the anti-theft detectors at store doorways are good enough to trip up a pacemaker. I think the ones they use at Best Buy are particularly susceptible to turning pacemakers and other devices like neurostimulators off. Often without notice or an alarm. The only thing the patient gets is either increased seizures or their heart is again be
Re: (Score:2)
Sounds like the perfect application for a tinfoil hat (or jacket if you have a pacemaker).
btw, summary - lots of text, little thought (Score:3)
Re: (Score:2)
Quite far. He even will respond to comments of people criticizing him with "Shut Up"
Re: (Score:2)
Really, where? [slashdot.org]
His account is only a year and a half old, so he only has a few pages of comments. Ctrl+F shows that he hasn't even used the word "shut" by itself, let alone told anyone to "shut up".
Fucking FACTS, amirite?
Re: btw, summary - lots of text, little thought (Score:2)
There are several fake accounts that are based on their name. They aren't really they.
Re: (Score:2)
When I get home I'll find it, when he comments BOTH account numbers show up, which I believe is an editor account linked to a user account? Not sure but I know both account numbers show up after the name.
Re: (Score:2)
LOL That's not really them. They are spoof accounts.
Global network of labs will... (Score:1)
... all soon receive cease-and-desist orders.
Are they testing them by implantation... (Score:2)
Are they testing them by implantation... in high profile people that are widely disliked?
Trust (Score:1)
Given the low level of trust I hold for pharma firms, how much trust could I put into "a consortium of healthcare industry firms, universities and technology firms"? Especially when uni gets deeper and deeper into industry's pockets?
Exactly.
Hope they have a good legal department (Score:2)
Not good enough (Score:2)
We need a global mandate that *all* medical equipment has 100% open-source firmware. Only then can we have any real hope of security with these critical, life-saving devices.
From the medical field... (Score:1)