Independent labs to probe medical devices for security flaws

Speaking from a security perspective, medical devices are a sickly lot.

They suffer from many miseries: lack of quality assurance and testing, rush to release pressures on product development teams, accidental coding errors, malicious coding, inherent bugs in product development tools, being tiny, having low computing power in internal devices, and, well, the list goes on.

Obviously, it’s no walk in the park to secure these things. A majority – 80% – of medical device manufacturers and users surveyed in a recent study said the gadgets are “very difficult” to secure. Only 25% of respondents said that security protocols or architecture built inside the devices adequately protect clinicians and patients.

…all of which is why security researchers who specialize in dissecting medical devices were encouraged when they learned, on Monday, that a new global federation of labs will test the security of medical devices.

According to the Security Ledger, the announcement was made by a consortium of healthcare industry companies, universities and technology firms called the Medical Device Innovation, Safety and Security Consortium (MDISS).

The labs network has been dubbed the World Health Information Security Testing Labs (WHISTL). The facilities will reportedly adopt a model akin to the Underwriters Laboratory, which tests electrical devices, but will focus on issues related to medical device cybersecurity and privacy.

Nice, said Billy (BK) Rios, a researcher with WhiteScope. Along with Dr Jonathan Butts, Rios recently published a study about more than 8,000 vulnerabilities in the code that runs in seven analyzed pacemakers from four manufacturers.

The Security Ledger quoted a statement from Rios:

[The WHISTL labs is] a huge step in the right direction. Patient encounters with connected yet poorly secured medical devices are increasing exponentially, and nobody really has a handle on the risks we’re facing.

He knows of which he speaks.

Take those Hospira LifeCare patient-controlled analgesia (PCA) pumps that Rios was picking apart for security flaws a few years ago.

He found flaws, in spades. As we explained at the time, the pump used so-called “drug libraries” – data that includes dosage limits to help ensure the pumps operate safely – that could be updated … by anybody… without authentication.

Rios had, back in May 2014, recommended that Hospira analyze other models of its infusion pumps to see if they shared the same vulnerabilities with the ones he had tested, but five months later, he heard that the company was “not interested in verifying that other pumps are vulnerable”.

One day, he found himself splayed out after surgery when he realized he was hooked up to one of those pumps. Any fuzzy feel-good he might have gotten from that trickle of pethidine must have dissipated like fairy dust.

It’s unfortunate that the maker wasn’t particularly interested in checking on vulnerabilities in its other pump models, in light of the fact that those flaws got worse still.

A year later, Rios looked at more Hospira LifeCare PCA pumps and found far more serious vulnerabilities than the ones he tested in the previous year: vulnerabilities that would, in fact, allow somebody to remotely change drug doses, as well as tweak maximum permitted doses and let through a fatal overdose.

That’s just one of many stories about the lack of security in medical devices.

Benjamin G. Esslinger, a Clinical Engineer at Eskenazi Health, said that the resources of the WHISTL labs are what we need to get to best practices for medical device cybersecurity.

Ambitious initiatives like WHISTL are sorely needed, and I look forward to supporting MDISS in this undertaking. Through our over-dependence on undependable things, we have created the conditions where accidents and adversaries can have a profound impact on public safety and human life.

According to Security Ledger, WHISTL labs will be one of a rare breed: an independent, non-profit network of labs specifically designed for the needs of the medical field, including medical device designers, hospital IT, and clinical engineering professionals.

The tools it will use to assess device security include fuzzing – that’s a way of robotically bombarding software with random data in an attempt to cause the sort of unusual crashes and errors that mimic how programs behave under real-world use – static code analysis and penetration testing.

WHISTL labs will identify and mitigate security flaws, reporting them directly to manufacturers. It will also educate professionals and device-makers about device security and security best practices. Flaws will also be publicly disclosed to the international medical device vulnerability database (MDVIPER), which is maintained by MDISS and the National Health Information Sharing and Analysis Center (NH-ISAC).

Ten new device testing labs are slated to open by the end of the year, in US states including New York, Indiana, Tennessee and California. Outside of North America, it will open labs in the UK, Israel, Finland, and Singapore. Other facilities will be announced in the coming weeks.