Engaging Hospitals In Global Hunt for Medical Device Security Flaws
Experts Describe New Worldwide Network of Medical Device Cyber Testing Labs
The Medical Device Innovation, Safety and Security consortium is hoping its new worldwide network of labs for the standardized cyber testing of medical devices will help to greatly reduce risks to data and patient safety, say Dale Nordenberg, M.D., executive director of MDISS, and Benjamin Esslinger of Eskenazi Health.
"In the recent 12 to 18 months, it's become increasingly clear that healthcare systems have a need ... to be executing active testing of medical devices - penetration testing and other interrogations," Nordenberg says in an interview with Information Security Media Group.
"We thought at this time it was very important for us to work with the healthcare systems to develop standardized operating procedures and best practices for how they could interrogate these devices ... but also how they would manage the coordinated disclosure of any vulnerabilities they might discover."
The new MDISS World Health Information Security Testing Laboratory network expects by the end of 2017 to launch about a dozen labs across the U.S. and in other countries, including in New York, Indiana, Tennessee, California as well as in the United Kingdom, Israel, Finland and Singapore.
Each WHISTL lab is owned and operated by the individual entity, "but they will leverage the standard operating procedures that are consensus-based and coming from MDISS," as well as from the consortium's partnership with the National Health Information Sharing and Analysis Center, Nordenberg says.
Improving Patient Care
Eskenazi Health, a 315-bed facility in Indiana that has more than 20,000 medical devices in use, is among the first healthcare delivery organizations playing an early role in the launch of these labs, explains Esslinger, Eskenazi manager and clinical engineer.
"We're working on best practices to test the medical devices for the vulnerabilities that may not be out in the open for us as technology managers from the manufacturers' disclosed documents when we procure devices," he says in the same interview with ISMG.
"How it will help is that we can actively intrusively test the devices, and identify what vulnerabilities and risks are presented to our organization in the current life-cycle management of those devices," Esslinger says.
"The coordinated disclosure [of vulnerabilities found by] the labs will help us to work as a community ... and with the manufacturers ... to allow us to try to remediate and harden those devices that are currently on our networks and directly impacting our patients," Esslinger adds. "By doing this, it will allow us to improve our patient care as a whole."
In the interview, Nordenberg and Esslinger also discuss:
- How the WHISTL medical device testing facilities will be operated;
- Potential collaboration of WHISTL facilities with medical device manufacturers and independent "ethical hacker" researchers;
- How the labs' discoveries of security vulnerabilities will be communicated to the larger healthcare ecosystem.
Besides his role leading the MDISS, Nordenberg, a pediatrician, is CEO of the consulting firm Novasano Health and Science. Nordenberg, the former CIO of the Centers for Disease Control and Prevention, also co-chairs the Medical Device Security Information Sharing Council for the National Health Information Sharing and Analysis Center.
Esslinger, in addition to his role as certified biomedical engineering technology manager and clinical engineer at Eskenazi Health, is also a trustee and past president of the Indiana Biomedical Society.