As the world rapidly embraces the Internet of Things[i], properly securing medical devices has grown challenging for most healthcare delivery organizations (HDOs).
That’s because medical devices, such as infusion pumps[ii], have evolved from standalone instruments that interacted only with the patient and a medical provider into devices that now connect wirelessly to a variety of systems, networks, and other platforms to enhance patient care, as part of the broader Internet of Medical Things (IoMT).
As a result, cybersecurity risks have risen. Wireless infusion pump ecosystems, which include the pump, the network, and the data stored in and on a pump, face a range of potential threats, such as unauthorized access to protected health information (PHI), changes to prescribed drug doses, and interference with a pump’s intended function.
In collaboration with the healthcare community and manufacturers, the NCCoE developed cybersecurity guidance, draft NIST Special Publication 1800-8: Securing Wireless Infusion Pumps in Healthcare Delivery Organizations, which uses standards-based, commercially available technologies and industry best practices to help HDOs strengthen the security of wireless infusion pumps within healthcare facilities. The draft guide is now open for public comment.
“When we initially launched this project, we received more than 200 comments from interested parties. That’s when we realized the challenges involved in properly securing wireless infusion pumps were complex and significant. We ended up working with 14 technology and manufacturing collaborators and dozens of industry stakeholders to help healthcare delivery organizations reduce their risks,” said Gavin O’Brien, senior cybersecurity engineer at the NCCoE.
The guide is composed of three volumes. The first can help hospital administrators better understand the cybersecurity risks that wireless infusion pumps pose to the hospital enterprise. The second and third volumes detail the approach, risk assessment, standards and security control mappings, and an example implementation for securing the wireless infusion pump ecosystem.
Biomedical, networking and cybersecurity engineers, along with healthcare IT professionals, can use the second and third volumes to see how the NCCoE used commercially available or open source tools to help configure and deploy wireless infusion pumps. According to O’Brien, “The ultimate goal is to implement a defense-in-depth strategy to reduce the risks.”
O’Brien is confident the guide will provide the insights HDOs need to better secure their wireless infusion pump ecosystems. He also explained that the capabilities demonstrated by the NCCoE may apply to other medical devices on wireless networks as well.
The new guide is the second produced by the NCCoE focused on the healthcare sector. The first, NIST Special Publication 1800-1: Securing Electronic Health Records on Mobile Devices (draft), was released in July 2015.
The guides do not endorse or dictate which products or designs should be used, but offer practical direction to help users better understand which security controls, standards, and capabilities will help them to achieve desired cybersecurity protections.
[i] IoT definition: the inter-networking of physical devices, vehicles, buildings, and other items—embedded with electronics, software, sensors, actuators, and network connectivity that enable these objects to collect and exchange data. https://en.wikipedia.org/wiki/Internet_of_things
[ii] Defined by the Food and Drug Administration (FDA) as “a medical device that delivers fluids into a patient’s body in a controlled manner, either through the use of interconnected servers or via a standalone drug library-based medication delivery system.” https://www.fda.gov/medicaldevices/productsandmedicalprocedures/generalhospitaldevicesandsupplies/infusionpumps/default.htm