Securing Wireless Infusion Pumps

Download the Practice Guide

The NCCoE has released the final version of NIST Cybersecurity Practice Guide SP 1800-8, Securing Wireless Infusion Pumps. Use the buttons below to view this publication in its entirety or scroll down for links to a specific section.

Download PDF » Open Web Version »

Current Status

The NCCoE released a final version of the NIST Cybersecurity Practice Guide, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations, on August 17, 2018.

For ease of use, the guide is available to download or read in volumes:

  • SP 1800-8A: Executive Summary (PDF) (web page)
  • SP 1800-8B: Approach, Architecture, and Security Characteristics (PDF) (web page)
  • SP 1800-8C: How-To Guides (PDF) (web page)

Or download the complete guide (PDF).

A two-page fact sheet is also available for download.

If you have any questions or suggestions, please email us at hit_nccoe@nist.gov.

Summary

Unlike prior medical devices that were once standalone instruments, today’s wireless infusion pumps connect to a variety of healthcare systems, networks, and other devices. Although connecting infusion pumps to point-of-care medication systems and electronic health records can improve healthcare delivery processes, this can also increase cybersecurity risk, which could lead to operational or safety risks. Tampering, intentional or otherwise, with the wireless infusion pump ecosystem can expose a healthcare delivery organization (HDO) enterprise to serious risk factors, such as: access by malicious actors; a breach of protected health information; loss or disruption of healthcare services; and damage to an organization’s reputation, productivity, and bottom-line revenue.

SP 1800-8 provides best practices and detailed guidance on how to manage assets, protect against threats, and mitigate vulnerabilities by performing a questionnaire-based risk assessment. In addition, the security characteristics of the wireless infusion pump ecosystem are mapped to currently available cybersecurity standards and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Based on our risk assessment findings, we apply security controls to the pump’s ecosystem to create a ‘defense-in-depth’ solution for protecting infusion pumps and their surrounding systems against various risk factors. Ultimately, we show how biomedical, networking, and cybersecurity engineers and IT professionals can securely configure and deploy wireless infusion pumps to reduce cybersecurity risk.

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

B. Braun
Baxter
BD
Cisco
Clearwater Compliance
DigiCert
Hospira
Intercede
MDISS
PFP Cybersecurity
Ramparts Security
Smiths Medical
Symantec
TDI Technologies