MDISS Launches Worldwide Device Security ‘Proving Grounds’

Posted July 26, 2017

In the face of massive and debilitating cyberattacks, the nonprofit Medical Device Innovation, Safety and Security Consortium (MDISS) has launched a worldwide network of security “proving grounds” specifically designed to test the security of medical devices, identify vulnerabilities, and develop solutions. The MDISS World Health Information Security Testing Lab (WHISTL) includes healthcare delivery organizations (HDOs), medical device manufacturers, academic institutions, and technology companies.

“MDISS WHISTL facilities will dramatically improve access to device security know-how while protecting patient privacy and stakeholder intellectual property,” said Dale Nordenberg, executive director of MDISS, in a press release. “Solid cyber-lab governance will support an international-scale network of research and training centers of excellence, designed especially for medical device designers, hospital IT, and clinical engineering professionals.”

WHISTL will utilize both the UL 2900 and ANSI/AAMI/IEC 80001 series of standards when testing the cybersecurity of medical devices, according to the press release. The 80001 series deals with the application of risk management to a hospital information technology network that uses medical devices. The report Health IT Risk Management outlines the business case for implementing this series of standards.

The WHISTL facilities allow for “tougher, more realistic test regimes” that unearth device vulnerabilities more quickly and therefore help in developing a response to them, said Benjamin G. Esslinger, a clinical engineering manager at Eskenazi Health in Indianapolis, IN, who collaborates with MDISS. “Remember, medical devices are still on the frontier of cybersecurity, and security best practices for devices are still maturing.”

In addition to identifying device vulnerabilities, the MDISS WHISTL initiative encourages worldwide collaboration. By the end of this year, facilities will open at locations in California, Indiana, New York, and Tennessee, as well as in the United Kingdom, Israel, Finland, and Singapore. Security vulnerabilities will be reported to collaborators and medical device manufacturers using the Medical Device Vulnerability Program for Evaluation and Response (MDVIPER), a database maintained by MDISS and the National Health Information Sharing and Analysis Center (NH-ISAC).

“WHISTL will provide much-needed insight from actual developers and users of medical devices, which will result in increased relevant and actionable information sharing and situational awareness for all stakeholders in healthcare,” said NH-ISAC President Denise Anderson in a statement.