The Medical Device Innovation, Safety and Security Consortium (MDISS) has already launched the World Health Information Security Testing Lab (WHISTL) in the US, which examines complex multi-vendor, multi-device critical care environments like hospital intensive care units, operating theatres and emergency rooms.
The facility is the first of more than a dozen planned device security testing labs and cyber-ranges.
The new WHISTL facilities will include a federated network of medical device security testing labs, independently owned and operated by MDISS member organisations.
Each facility will launch and operate under a shared set of operating procedures. WHISTL facilities will help organisations work together to effectively address the public health challenges arising from cybersecurity issues emergent in complex, multi-vendor networks of medical devices.
While such security ‘proving grounds’ aren’t new to enterprise IT, the MDISS says that WHISTL is the first network of labs specifically designed around the needs of medical device researchers, healthcare IT professionals and hospital clinical engineering leaders. By the end of 2017, MDISS WHISTL facilities will open in New York, Indiana, Tennessee, California as well as in the UK, Israel, Finland and Singapore.
Benjamin Esslinger, CBET manager/clinical engineer at Eskenazi Health, said “Working with MDISS over the past year on WHISTL has helped us make real progress against some very complex risk scenarios, while keeping the focus on patient safety.”
Esslinger is the current 2017 Trustee and past President of the Indiana Biomedical Society. He works with Matthew S. Dimino, an Imaging Engineer at Eskenazi Health and educator at Indiana University - Purdue University Indianapolis.
Esslinger continued, “Remember, medical devices are still on the frontier of cybersecurity, and security best practices for devices are still maturing. Our new WHISTL facility enables us to run medical devices through tougher, more realistic test regimes. Hidden vulnerabilities surface more quickly, and that helps us build more responsive standard operating procedures.”
WHISTL facilities focus on identifying and mitigating medical device vulnerabilities, sharing solutions and best practices, and device security education and awareness. Newly uncovered vulnerabilities will be responsibly reported to device manufacturers and to the NHISAC-MDISS Medical Device Vulnerability Program for Evaluation and Response, or ‘MDVIPER’ at https://mdviper.org/.
Denise Anderson, president of NH-ISAC, said: "WHISTL will provide much-needed insight from actual developers and users of medical devices, which will result in increased relevant and actionable information sharing and situational awareness for all stakeholders in healthcare. NH-ISAC looks forward to partnering with MDISS on this important effort for the community.”
MDISS, under a $1.8M contract from the Department of Homeland Security (Science and Technology Directorate, Cyber Security Division) built the medical device cyber risk assessment platform, or ‘MDRAP’. The platform helps health systems, device manufacturers, and technology firms collaborate to produce and share device risk assessments. The fast-growing and standards-based MDRAP platform features moderated crowdsourcing and facilitates timely, responsible sharing of risk assessments and threat indicators, while helping automate critical device inventory, audit, oversight and vulnerability tracking tasks for hospitals.
Dr. Nordenberg, MD, Executive Director of MDISS, and former CIO at the National Centers for Disease Control’s National Center for Infectious Diseases, said: “MDISS WHISTL facilities will dramatically improve access to device security know-how while protecting patient privacy and stakeholder intellectual property. Solid cyber-lab governance will support an international-scale network of research and training centers of excellence, designed especially for medical device designers, hospital IT, and clinical engineering professionals.”