MDISS, the Medical Device Innovation, Safety and Security Consortium has announced the launch of more than a dozen planned device security testing labs and cyber-ranges. The new MDISS World Health Information Security Testing Lab (WHISTL) facilities will comprise a federated network of medical device security testing labs, independently owned and operated by MDISS-member organisations including healthcare delivery organisations, medical device manufacturers, universities and technology companies. Each WHISTL facility will launch and operate under a shared set of standard operating procedures. The goal is to help organisations work together to more effectively address the public health challenges arising from cyber security issues emergent in complex, multi-vendor networks of medical devices.
MDISS WHISTL will focus on vetting complex multi-vendor, multi-device critical care environments like hospital intensive care units, operating theatres and emergency rooms.
While such security ‘proving grounds’ aren’t new to enterprise IT,
WHISTL is the first network of labs specifically designed around the needs of medical device researchers, healthcare IT professionals and hospital clinical engineering leaders. By the end of 2017, MDISS WHISTL facilities will open in several cities in the USA as well as in the UK, Israel, Finland and Singapore.
WHISTL facilities will focus on identifying and mitigating medical device vulnerabilities, sharing solutions and best practices, and device security education and awareness. Newly uncovered vulnerabilities will be responsibly reported to device manufacturers and to the NHISAC-MDISS Medical Device Vulnerability Program for Evaluation and Response, or ‘MDVIPER’.
MDISS built the medical device cyber risk assessment platform, or ‘MDRAP’. The platform helps health systems, device manufacturers, and technology firms collaborate to produce and share device risk assessments. The fast-growing and standards-based MDRAP platform features moderated crowdsourcing and facilitates timely, responsible sharing of risk assessments and threat indicators, while helping automate critical device inventory, audit, oversight and vulnerability tracking tasks for hospitals.
WHISTL’s device testing protocols will have their foundation in the UL Cybersecurity Assurance Program specifications, especially with regards to fuzz testing, static binary analysis and structured penetration testing.
