Virta Labs Blog

Medical Device Discovery & Identification are Now Free and Open Source

Posted by Ben Ransford on Jan 3, 2019 4:30:00 PM

Happy new year! We brought you a present. Today we're open-sourcing Tapirx, our tool to passively discover and identify medical devices on clinical (or any) networks.


Topics: Legacy Medical Devices, Network Assets, Asset Discovery, Connected Medical Devices

Orangeworm and the Value of Consent Data

Posted by Ben Ransford on Apr 24, 2018 12:44:45 PM

Modern Healthcare, among other outlets and blog posts, is reporting that a hacker group dubbed "Orangeworm" has been planting malware on medical devices that are critical to patient care.  This post adds some perspective about some potential motivations and offers starting points for healthcare providers to respond.

Modern Healthcare says:


Topics: Breaches, Clinical Information Security, Networked Medical Devices, Hospital Cybersecurity

Between the Lines at HIMSS18

Posted by Ben Ransford on Mar 12, 2018 9:08:09 AM

Cybersecurity was a big theme at this year's HIMSS expo. Beckers' summary is nice.

On the one hand, everybody wants their healthcare organizations to act faster on cybersecurity. The drumbeat keeps getting louder, and everyone hopes they won't be the next to be in the news. Some analysts say the reputational cost of a breach can be ten times the size of initial fines over an uncomfortable period of years.

On the other hand, organizations of every size are having a hard time getting started. The number one reason? Budget. Security ROI arguments are famously hard to make, because what's the monetary value of something bad not happening, when it might not have happened anyway, for free? In the battle of abstract versus concrete, concrete always wins.


Topics: Medical Device Security, Healthcare IT

Hello, Fellow!

Posted by Ben Ransford on Dec 4, 2017 2:18:48 PM

Topics: IEEE, Kevin Fu

Should I 510(k) or Should I Go? What New FDA Guidance Means and Why it Matters

Posted by Ben Ransford on Oct 27, 2017 4:30:00 AM

This week FDA released several crucial guidance documents that are strongly relevant to cybersecurity. In regulatory fashion, the documents have very different names and are easy to tell apart, making it easy to talk about them at the same time.


Topics: Medical Device Security, IoT, Connected Medical Devices

Why Penetration Testing in Healthcare Isn't Enough

Posted by Ben Ransford on Jun 26, 2017 4:01:00 AM

That thumping sound is the drumbeat of healthcare cybersecurity news stories. Ransomware, malware, spyware, records theft, covered entities, breaches. Suddenly hospital board members are asking questions about cybersecurity preparedness. That's healthy.

When the board starts knocking, well-meaning CISOs and security teams spring into action, ordering up assessments and other services from a growing cottage industry of third-party security consultants. That's healthy too — healthcare is one of many industries that needs an ecosystem of support around security activities.

The best assessments are sound, complete, and actionable. The worst ones ain't.

Given a statement of work from a third-party assessor, how can you tell whether it's sound, complete, and actionable? That's for a forthcoming post. This post is about one kind of unhelpful assessment: the kind that's only a penetration test.


Topics: Clinical Cybersecurity, Connected Medical Devices, Medical Device Risk Assessments

Virta Labs at AAMI 2017: Bridging the Gap

Posted by Ben Ransford on Jun 12, 2017 7:53:10 PM

Clinical engineers (CEs) and biomeds need to be in the loop if healthcare organizations hope to address cybersecurity risks.


Topics: Inventory Management, Clinical Cybersecurity, Healthcare IT

Cybersecurity and Medical Devices: A Practical Guide for Cardiac Electrophysiologists

Posted by Ben Ransford on May 18, 2017 5:32:45 AM

Clinicians now have a peer-reviewed guide from a medical journal on how to evaluate when a medical device security problem translates into a clinical risk.

There's been a lot of confusion on risk management for pacemaker and defibrillator security because of the difficulty in explaining medical device security in the context of patient safety and risk management. We are pleased to announce our latest publication on the science and engineering to assess risks of medical device security. Led by Virta Labs, the peer-reviewed paper published in Pacing and Clinical Electrophysiology (PACE) is co-authored by researchers (including four PhDs and two MDs) with backgrounds in electrical engineering, computer science, IT security, and electrophysiology from Virta Laboratories, Beth Israel Deaconess Medical Center, the Mayo Clinic, Zhejiang University, the University of South Carolina, and the University of Michigan Health System.


Topics: Clinical Cybersecurity

Not All Heroes Wear Suits: Finding Risks Before Attackers Do

Posted by Ben Ransford on May 16, 2017 3:35:00 AM

(This post is part 2 of 2. Yesterday we wrote about the unfair fight between attackers and defenders. Today: simple tools and techniques.)

If you WannaCry after this weekend's explosion of worm-ridden ransomware afflicting healthcare providers, go ahead; you're not alone.

The good news is that there are concrete steps you can take to assess your organization's level of exposure to WannaCry and the vulnerability it exploits. In this post, we'll share some free, basic tests you can perform using tried-and-true open-source tools. We sell fancy tools to collect and assess networked clinical device inventory, but as technologists and IT administrators ourselves, we're always inclined toward whatever tools get the job done fastest. In this post we'll cover a simple set of tests that you can start running in under a minute.


Topics: Ransomware, Asset Management, Clinical Cybersecurity

Be the Hero of Your Weekly Ransomware Staff Meeting

Posted by Ben Ransford on May 15, 2017 3:25:00 AM

(This post is part 1 of 2. Tomorrow we'll talk about how we coax identifiers out of clinical devices.)

This week's outbreak of click-less ransomware has not been kind to continuity of hospital operations. The bad guys on the outside know the cybersecurity risks of the clinical networks better than the good guys on the inside. That's not a fair fight. How do the bad guys write such infectious malware? Thanks to easily used tools and public information sources, they know your inventory of software better than you do.

So here's a recommended script for your 7AM emergency cabinet meetings:

1. Offer 60 seconds for your staff to complain about ransomware.

Share a couple horror stories and anecdotes of dodged ransomware bullets. Then stop admiring the problem and focus on your own assets.

2. Biomedical engineering and the IT department need to be on the same page.

In our experience, the best prepared hospitals have a collaborative culture between biomedical engineering and IT. Maybe IT tipped over radiology a few times while trying to "help" biomedical engineering with vulnerability scanning. Don't blame people; you need to work together to continuously assess your population of devices, because otherwise the bad guys are going to do it anyway, and not share the results with you.

If your governance structure leads to in-fighting over responsibility and accountability for cybersecurity of networked medical devices, then your governance is broken. If your management does not provide a cybersecurity budget close to the industry standard for health systems, then maybe the Board needs a shake-up (4% of the IT budget is sad, 11% of the IT budget means you worry about nation state threats).

The CEO needs to empower an executive or manager who understands both IT and clinical risk to make cybersecurity decisions. Examples of potential candidates: a nurse with a degree in management of IT systems will likely understand the importance of safety and health outcomes in the context of cybersecurity. An IT manager who volunteers as an EMT will better understand that IT security is a means to an end, and that security must support safe delivery of healthcare.

3. Fix your networked medical device inventory by fixing the process.

Within a hospital, biomedical engineering often owns the database of medical devices for the Joint Commission certification of 99% accuracy of inventory of life-sustaining devices, but IT owns the databases of network inventory. The days of separately managed data ended when your medical devices joined the network. You have to do both at the same time to understand what networked medical device assets are at risk. We find the most mature healthcare systems follow the NIST cybersecurity framework to first enumerate the risks of assets (both tracked assets and shadow IT). Only after getting solid coverage of the asset population can one make risk-based and business-based decisions on how to compensate for security deficiencies in medical devices. Hire an expensive consulting team or buy a product from any healthcare cybersecurity vendor to get a grip on your inventory and prioritized remediations and compensating controls. The third step is most often forgotten: continuously measure the effectiveness of your compensating controls, because the bad guys certainly do. No security solution will last in perpetuity, so you must constantly verify controls and adapt to shifting threats and new vulnerabilities. But do so in a risk-based manner focused on essential clinical performance. Do not fetishize cybersecurity, for it is merely a means to an end: safe and highly available delivery of healthcare.


Topics: Ransomware, Asset Discovery