Virta Blabs

Why Penetration Testing in Healthcare Isn't Enough

Posted by Ben Ransford on Jun 26, 2017 7:01:00 AM

That thumping sound is the drumbeat of healthcare cybersecurity news stories. Ransomware, malware, spyware, records theft, covered entities, breaches. Suddenly hospital board members are asking questions about cybersecurity preparedness. That's healthy.

When the board starts knocking, well-meaning CISOs and security teams spring into action, ordering up assessments and other services from a growing cottage industry of third-party security consultants. That's healthy too — healthcare is one of many industries that need an ecosystem of support around security activities.

The best assessments are sound, complete, and actionable. The worst ones ain't.

Given a statement of work from a third-party assessor, how can you tell whether it's sound, complete, and actionable? That's for a forthcoming post. This post is about one kind of unhelpful assessment: the kind that's only a penetration test.

Topics: Clinical Cybersecurity, Connected Medical Devices, Medical Device Risk Assessments

Back to Business: Continuity of Clinical Operations

Posted by Ben Ransford on Sep 6, 2016 3:53:33 PM

Virta Labs provides a managed cybersecurity service to help hospitals manage their clinical assets and ensure continuity of operations. But our team has an interesting history: we coauthored the first research on cardiac implant security in 2008 and have published extensively on medical device security since then. As a result, we recently received a flood of technical questions unrelated to our normal menu of services. Virta Labs engineers took time away from building BlueFlow to provide a seminar, white paper, and consultations and to develop our own scientific experimental methods. We're glad that the industry is developing interest in improving medical device security, as we've urged for nearly a decade. While this was a necessary and important diversion for us, we are getting back to our core business and clinical tests of BlueFlow.

We have no financial relationship with Muddy Waters Research LLC, St. Jude Medical, or MedSec Ltd. We plan to release a peer-reviewed report shortly so that the greater community may analyze our findings and results.

Topics: Medical Device Security, Clinical Engineering, Healthcare IT, Asset Discovery, Medical Device Risk Scoring, Shadow IT, Vulnerability Scanning, Clinical Databases, Medical Device Risk Assessments