The Medical Device Innovation, Safety and Security Consortium (MDISS) launched the first of more than a dozen planned specialized labs for security testing of medical devices.
MDISS is a non-profit public/private partnership dedicated to advancing patient safety and public health, and the first to focus exclusively on medical device cybersecurity. It develops and delivers practical technology, operations and policy solutions for member organizations, including hospitals, health delivery organizations, doctors, epidemiologists, clinical engineers, medical device manufacturers, academics, regulators, embedded security experts and cybersecurity researchers.
The new MDISS World Health Information Security Testing Lab (WHISTL) facilities will comprise a federated network of medical device security testing labs, independently owned and operated by MDISS-member organizations including healthcare delivery organizations, medical device manufacturers, universities and technology companies.
Enabling MDISS members to test devices in both physical and virtual environments, WHISTL facilities will focus on identifying and mitigating medical device vulnerabilities, sharing solutions and best practices, and device security education and awareness. Newly uncovered vulnerabilities will be responsibly reported to medical device manufacturers and to the NHISAC-MDISS Medical Device Vulnerability Program for Evaluation and Response.
While such security “proving grounds” aren’t new to enterprise IT, WHISTL is the first network of labs specifically designed around the needs of medical device researchers, healthcare IT professionals and hospital clinical engineering leaders. By the end of 2017, MDISS WHISTL facilities will open in New York, Indiana, Tennessee and California, as well as in the UK, Israel, Finland and Singapore.
Each WHISTL facility will launch and operate under a shared set of standard operating procedures. The goal is to help organizations work together to more effectively address the public health challenges arising from cybersecurity issues emergent in complex, multivendor networks of medical devices.
Together with the National Health Information Sharing and Analysis Center (NH-ISAC), MDISS has already built a dynamic national cyber information-sharing community to advance patient safety and privacy. MDISS, under a $1.8M contract from the DHS, built the medical device cyber risk assessment platform (MDRAP).
The platform helps health systems, device manufacturers, and technology firms collaborate to produce and share device risk assessments. The fast-growing and standards-based MDRAP platform features moderated crowdsourcing and facilitates timely, responsible sharing of risk assessments and threat indicators, while helping automate critical device inventory, audit, oversight and vulnerability tracking tasks for hospitals.
WHISTL’s device testing protocols will have their foundation in the UL Cybersecurity Assurance Program specifications (UL CAP), especially with regard to fuzz testing, static binary analysis and structured penetration testing.