U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Securing Wireless Infusion Pumps

Unlike prior medical devices that were once standalone instruments, today’s wireless infusion pumps connect to a variety of healthcare systems, networks, and other devices. Although connecting infusion pumps to point-of-care medication systems and electronic health records can improve healthcare delivery processes, this can also increase cybersecurity risk. 

Cybersecurity Guidance for adding security controls to a wireless infusion pump’s ecosystem to create a ‘defense-in-depth’ solution.

This NIST guidance provides best practices and detailed guidance on how to manage assets, protect against threats, and mitigate vulnerabilities by performing a questionnaire-based risk assessment. In addition, the security characteristics of a wireless infusion pump’s ecosystem are mapped to currently available cybersecurity standards and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.  
Status: Finalized Practice Guide
Complete Guide (HTML)Web Version Complete Guide (HTML)
Complete Guide (PDF)Document Version Complete Guide (PDF)
Executive SummaryDocument Version Executive Summary
Approach, Architecture, and Security CharacteristicsDocument Version Approach, Architecture, and Security Characteristics
How-To GuidesDocument Version How-To Guides

The NCCoE released a final version of the NIST Cybersecurity Practice Guide, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations. For ease of use, the guide is available to download or read in volumes.

Upon review, we recognize that this NIST/NCCoE publication contains potentially biased terminology. As new publications are developed, they will follow NIST’s inclusive language guidance.

Project Abstract

Medical devices, such as infusion pumps, were once standalone instruments that interacted only with the patient or medical provider. However, today’s medical devices connect to a variety of healthcare systems, networks, and other tools within a healthcare delivery organization (HDO). Connecting devices to point-of-care medication systems and electronic health records can improve healthcare delivery processes; however, increasing connectivity capabilities also creates cybersecurity risks. Potential threats include unauthorized access to patient health information, changes to prescribed drug doses, and interference with a pump’s function. 

The NCCoE analyzed risk factors in and around the infusion pump ecosystem by using a questionnaire-based risk assessment to develop an example implementation that demonstrates how HDOs can use standards-based, commercially available cybersecurity technologies to better protect the infusion pump ecosystem, including patient information and drug library dosing limits. 

This practice guide will help HDOs implement current cybersecurity standards and best practices to reduce their cybersecurity risk, while maintaining the performance and usability of wireless infusion pumps. 

The NCCoE analyzed risk factors in and around the infusion pump ecosystem by using a questionnaire-based risk assessment to develop an example implementation that demonstrates how HDOs can use standards-based, commercially available cybersecurity technologies to better protect the infusion pump ecosystem, including patient information and drug library dosing limits. 

View the Interactive Practice Guide

The NCCoE has released an interactive version of the NIST Cybersecurity Practice Guide, Securing Wireless Infusion Pumps in Healthcare Delivery. Use the button below to view this resource.

Access the guide
Visualization homepage

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

 

Join the Community of Interest

A Community of Interest (COI) is a group of professionals and advisors that share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Members typically meet monthly by teleconference. Share your expertise and consider becoming a member of this project's COI.

Request to Join
Employee speaking on video call with colleagues on online briefing with laptop at home

Learn More About This Project

The NCCoE has developed cybersecurity guidance to help healthcare delivery organizations protect their networks and data. Watch this short video to learn more.