Update: WHISTL Labs will be Cyber Range for Medical Devices

In-brief: A global federation of labs will test the security of medical devices, according to an announcement on Monday by a consortium of healthcare industry firms, universities and technology firms. (Updated with comments from Dr. Nordenberg. PFR 7/25/2017)

Amid increasing concerns about cyber threats to healthcare environments, a global network of labs will test the security of medical devices, according to an announcement on Monday by a consortium of healthcare industry firms, universities and technology firms.

The facilities, dubbed WHISTL, will adopt a model akin to the Underwriters Laboratory, which tests electrical devices, but will focus on issues related to cyber security and privacy, helping medical device makers “address the public health challenges” created by connected health devices and complex, connected healthcare environments, according to a statement by The Medical Device Innovation, Safety and Security Consortium (MDISS).

The World Health Information Security Testing Labs (or “WHISTL”) will be owned and operated by MDISS member organizations but will run as a federated network of labs under a shared set of standard operating procedures. MDISS members include healthcare delivery organizations, medical device manufacturers, universities and technology companies.

“MDISS WHISTL facilities will dramatically improve access to medical device security know-how while protecting patient privacy and the intellectual property of our various stakeholders,” said Dr. Nordenberg, MD, Executive Director of MDISS.

The labs will be one of the only independent, open and non-profit networks of labs specifically designed for the needs of the medical field, including medical device designers, hospital IT, and clinical engineering professionals. Experts will assess the security of medical devices using standards and specifications designed by testing organizations like Underwriters Labs. Evaluations will include application security testing like “fuzzing,” static code analysis and penetration testing of devices.

WHISTL labs will identify and mitigate medical device vulnerabilities as well as educate professionals and device makers about device security and security best practices. Any vulnerabilities found will be reported directly to manufacturers in accordance with best practices, and publicly disclosed to the international medical device vulnerability database (MDVIPER), which is maintained by MDISS and the National Health Information Sharing and Analysis Center (NH-ISAC).

Just as medical professionals base their decisions on “evidence based medicine,” the WHISTL labs will attempt to establish an evidence-based approach to addressing medical cyber security, Nordenberg told The Security Ledger. Among other things, the labs will work to establish standard operating procedures and tools for evaluating the security of medical devices and other technology.

This isn’t the first effort by MDISS. The group obtained a $1.8 million contract from the Department of Homeland Security’s Science and Technology Directorate to build the Medical Device cyber Risk Assessment Platform (MDRAP) for health systems and manufacturers. MDRAP facilitates the sharing of risk assessments and threats related to medical devices.

The group says it plans for 10 new device testing labs by the end of the year, including in U.S. states like New York, Indiana, Tennessee and California, and outside North America in the UK, Israel, Finland, and Singapore. Eskenazi Health of Indiana will be one of those facilities, Nordenberg said. Other facilities will be announced in the coming weeks.

The WHISTL facilities will work with Underwriters Labs as well as AAMI, the Association for the Advancement of Medical Instrumentation. Specifically, MDISS labs will base their work on the UL Cybersecurity Assurance Program specifications (UL CAP) and follow testing standards developed by both groups, including the UL 2900 and AAMI 80001 standards.

“MDISS WHISTL testbeds will work closely with our partners at UL to advance best practices for security assessments based on emerging standards like UL 2900 and AAMI 80001,” said Nordenberg.

To start with, WHISTL researchers will assess the security of physiologic monitors such as respiratory and heart monitors that are commonly found in hospital rooms and intensive care units, Nordenberg said.

“We have had collaborators doing risk assessments on physiologic monitors. Now we’d like to extend that to active research,” he said.

In a statement, Benjamin G. Esslinger, a Clinical Engineer at Eskenazi Health, said that the new labs will “provide a more intrusive testing model to determine true medical device vulnerabilities and provide the best practices for medical device cybersecurity.”

The susceptibility of medical devices and clinical environments to hacks and other types of disruptions has become an urgent issue in recent years. Security researchers have repeatedly demonstrated that life-sustaining medical devices can be manipulated via wireless and software-based attacks. Many devices and the systems that support them lack even basic protections such as passwords to keep out intruders.

For example, recent research on a variety of implantable cardiac devices found a wide range of security weaknesses, among them the use of permanent (or “hardcoded”) authentication credentials like user names and passwords and the use of insecure communications. The devices were highly susceptible to “reverse engineering” by a knowledgeable adversary, exposing design flaws that might then be exploited in remote or local attacks, researchers Billy Rios of Whitescope and Dr. Jonathan Butts wrote in their report.

The decision of a firm, MedSec, to coordinate the release of vulnerability information for a medical device sold by Abbott with a Wall Street short-selling investment firm further inflamed tensions between private sector researchers and medical device makers and underscored the need for rigorous testing of devices.

Abbott fixed the issues in January. And, in April, the U.S. Food and Drug Administration issued a letter of warning to medical device maker Abbott, slamming the company for what it said was a pattern of overlooking security and reliability problems in its implantable medical devices at its St. Jude Medical division and describing a range of the company’s devices as “adulterated,” in violation of the US Federal Food, Drug and Cosmetic Act.

The rise of ransomware has added to the challenges facing clinical environments. Outbreaks have hobbled clinical environments in the U.S., the U.K. and abroad, including the recent WannaCry ransomware outbreak, which affected scores of National Health Service facilities in the United Kingdom.

“Ambitious initiatives like WHISTL are sorely needed, and I look forward to supporting MDISS in this undertaking. Through our over-dependence on undependable things, we have created the conditions where accidents and adversaries can have a profound impact on public safety and human life.”

In a statement, Mr. Rios of the firm Whitescope called the WHISTL labs “a huge step in the right direction.” “Patient encounters with connected yet poorly secured medical devices are increasing exponentially, and nobody really has a handle on the risks we’re facing,” he said.