Virta Labs Blog


Why Penetration Testing in Healthcare Isn't Enough

Posted by Ben Ransford on Jun 26, 2017 4:01:00 AM

That thumping sound is the drumbeat of healthcare cybersecurity news stories. Ransomware, malware, spyware, records theft, covered entities, breaches. Suddenly hospital board members are asking questions about cybersecurity preparedness. That's healthy.

When the board starts knocking, well-meaning CISOs and security teams spring into action, ordering up assessments and other services from a growing cottage industry of third-party security consultants. That's healthy too — healthcare is one of many industries that needs an ecosystem of support around security activities.

The best assessments are sound, complete, and actionable. The worst ones ain't.

Given a statement of work from a third-party assessor, how can you tell whether it's sound, complete, and actionable? That's for a forthcoming post. This post is about one kind of unhelpful assessment: the kind that's only a penetration test.


Topics: Clinical Cybersecurity, Connected Medical Devices, Medical Device Risk Assessments

Virta Labs at AAMI 2017: Bridging the Gap

Posted by Ben Ransford on Jun 12, 2017 7:53:10 PM

Clinical engineers (CE) and biomeds need to be in the loop if healthcare organizations hope to address cybersecurity risks.


Topics: Inventory Management, Clinical Cybersecurity, Healthcare IT

Cybersecurity and Medical Devices: A Practical Guide for Cardiac Electrophysiologists

Posted by Ben Ransford on May 18, 2017 5:32:45 AM

Clinicians now have a peer-reviewed guide from a medical journal on how to evaluate when a medical device security problem translates into a clinical risk. 

There's been a lot of confusion on risk management for pacemaker and defibrillator security because of the difficulty in explaining medical device security in the context of patient safety and risk management. We are pleased to announce our latest publication on the science and engineering to assess risks of medical device security. Led by Virta Labs, the peer-reviewed paper published in Pacing and Clinical Electrophysiology (PACE) is co-authored by researchers (including four PhDs and two MDs) with backgrounds in electrical engineering, computer science, IT security, and electrophysiology from Virta Laboratories, Beth Israel Deaconess Medical Center, the Mayo Clinic, Zhejiang University, the University of South Carolina, and the University of Michigan Health System.


Topics: Clinical Cybersecurity

Not All Heroes Wear Suits: Finding Risks Before Attackers Do

Posted by Ben Ransford on May 16, 2017 3:35:00 AM

(This post is part 2 of 2.  Yesterday we wrote about the unfair fight between attackers and defenders.  Today: simple tools and techniques.)


If you WannaCry after this weekend's explosion of worm-ridden ransomware afflicting healthcare providers, go ahead; you're not alone.

The good news is that there are concrete steps you can take to assess your organization's level of exposure to WannaCry and the vulnerability it exploits. In this post, we'll share some free, basic tests you can perform using tried-and-true open-source tools. We sell fancy tools to collect and assess networked clinical device inventory, but as technologists and IT administrators ourselves, we're always inclined toward whatever tools get the job done fastest. In this post we'll cover a simple set of tests that you can start running in under a minute.


Topics: Ransomware, Asset Management, Clinical Cybersecurity