September 5, 2018

The unprecedented connectivity of today’s wireless infusion pumps with healthcare systems, networks and other medical devices enhances the efficiency and quality of care. However, that same connectivity exposes healthcare organizations and patients to a slew of new cybersecurity risks.  These risks range from access and tampering by malicious actors, breaches of electronic protected health information (ePHI) and service disruptions, to revenue and productivity losses and reputation damage.

As the use of infusion pumps, including wireless infusion pumps, grows in healthcare with the aging of the population and other drivers, the need to secure those devices against cyberattacks accelerates as well.

The National Cybersecurity Center of Excellence (NCCoE) of the U.S. Department of Commerce’s National Institute for Standards and Technology (NIST) has published cybersecurity guidance, NIST Special Publication 1800-8, Securing Wireless Infusion Pumps. The complete guide is available here.

In its Executive Summary, the publication cites a report from the Association for the Advancement of Medical Instrumentation highlighting the cybersecurity risks posed by the growth of the internet of things (IoT), including the internet of medical things (IoMT). In addition to unauthorized access to ePHI, the wireless infusion pump ecosystem (the pump, the network, and the data stored in and on a pump) faces such threats as changes to prescribed drug doses and interference with a pump’s function.

Developed in collaboration with numerous technology vendors, the publication presents industry best practices for securing the wireless infusion pump ecosystem across healthcare facilities, maps the ecosystem’s security characteristics to current cybersecurity standards and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, and includes a questionnaire-based risk assessment to help organizations reduce vulnerabilities and manage assets.

Participants submitted responses to an open call in the Federal Register, and signed a Cooperative Research and Development Agreement (CRADA) to collaborate with NIST in a consortium to build the example solution featured in the guide.  Among other things, the guide helps organizations develop and execute a “defense-in-depth” strategy to protect the enterprise with layers of security to avoid a single point of failure.

NCCoE notes that it does not endorse any of the products made by vendors who participated in the guide’s featured solution, nor guarantee compliance with any regulatory initiatives, but rather, encourages organizations’ information security professionals to identify products that will best integrate with existing tools and IT system infrastructure. “Your organization can adopt this solution or one that adheres to these guidelines in whole, or you can use this guide as a starting point for tailoring and implementing parts of a solution,” the report states.

For ease of use, the guide is also available to read in the following volumes:

• SP 1800-8A: Executive Summary (PDF) (web page)
• SP 1800-8B: Approach, Architecture, and Security Characteristics (PDF) (web page)
• SP 1800-8C: How-To Guides (PDF) (web page)

NCCoE has also developed the following guides for the healthcare sector:

Securing Electronic Health Records on Mobile Devices, available here

Securing Picture Archiving and Communication System, available here