Securing Wireless Infusion Pumps

Unlike prior medical devices that were once standalone instruments, today’s wireless infusion pumps connect to a variety of healthcare systems, networks, and other devices. Although connecting infusion pumps to point-of-care medication systems and electronic health records can improve healthcare delivery processes, this can also increase cybersecurity risk. 

Cybersecurity guidance for adding security controls to a wireless infusion pump’s ecosystem to create a ‘defense-in-depth’ solution.

This NIST guidance provides best practices and detailed guidance on how to manage assets, protect against threats, and mitigate vulnerabilities by performing a questionnaire-based risk assessment. In addition, the security characteristics of a wireless infusion pump’s ecosystem are mapped to currently available cybersecurity standards and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.  
Status: Finalized Guidance

Upon review, we recognize that this NIST/NCCoE publication contains potentially biased terminology. As new publications are developed, they will follow NIST’s inclusive language guidance.

NIST SP 1800-8: Complete Guide (HTML, Web Version)
NIST SP 1800-8: Complete Guide (PDF, Document Version)
NIST SP 1800-8A: Executive Summary (Document Version)
NIST SP 1800-8B: Approach, Architecture, and Security Characteristics (Document Version)

Project Abstract

Medical devices, such as infusion pumps, were once standalone instruments that interacted only with the patient or medical provider. However, today’s medical devices connect to a variety of healthcare systems, networks, and other tools within a healthcare delivery organization (HDO). Connecting devices to point-of-care medication systems and electronic health records can improve healthcare delivery processes; however, increasing connectivity capabilities also creates cybersecurity risks. Potential threats include unauthorized access to patient health information, changes to prescribed drug doses, and interference with a pump’s function. 

The NCCoE analyzed risk factors in and around the infusion pump ecosystem by using a questionnaire-based risk assessment to develop an example implementation that demonstrates how HDOs can use standards-based, commercially available cybersecurity technologies to better protect the infusion pump ecosystem, including patient information and drug library dosing limits. 

This practice guide will help HDOs implement current cybersecurity standards and best practices to reduce their cybersecurity risk, while maintaining the performance and usability of wireless infusion pumps. 

View the Interactive Practice Guide

The NCCoE has released an interactive version of the NIST Cybersecurity Practice Guide, Securing Wireless Infusion Pumps in Healthcare Delivery.

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

Join the Community of Interest

A Community of Interest (COI) is a group of professionals and advisors who share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Share your expertise and consider becoming a member of this project's COI. 

Learn More About This Project

The NCCoE has developed cybersecurity guidance to help healthcare delivery organizations protect their networks and data.