- A new risk assessment project designed for monitoring wireless IV medical infusion pumps hopes to further strengthen medical device cybersecurity across the healthcare industry.
The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) is working with Clearwater Compliance to investigate how best to improve the wireless IV medical infusion pump security. Furthermore, NCCoE and Clearwater want to increase organizations’ cyber risk assessment and management capability.
Gavin O’Brien, senior cybersecurity engineer with NCCoE discussed the partnership with HealthITSecurity.com and what it means for medical device cybersecurity.
NCCoE’s vision is to advance cybersecurity, he explained. The center is really trying to secure cybersecurity infrastructure and inspire technological innovation to help foster economic growth.
Medical infusion pumps, which are often referred to commonly as an IV, infuse drugs into the body. For this particular project, it was important to look at the full life cycle of the infusion pump, O’Brien said.
“In healthcare, devices have a long shelf life, and there’s also a decommissioning of the device,” he stated. “If it has PHI you need to remove that so you don’t violate HIPAA. There is a full life cycle to the pump.”
As technology has evolved, the pumps now utilize wireless technology. This is great for providers because there is less maintenance involved, O’Brien said. Software updates can be pushed to them, rather than doing them manually. In newer models, the dosing information can also potentially be sent wirelessly.
However, this also created a huge threat vector in terms of that wireless component.
The collaboration will also improve wireless IV medical infusion pump security by allowing NCCoE to more effectively understand the hospital CIO culture and how to effectively communicate and apply best practices to this audience, Clearwater Compliance CEO Bob Chaput explained in an email to HealthITSecurity.com.
“NIST has reached out to the industry now and has turned this research topic into a consortium, rather than historically trying to solve this problem independently,” he said. “Instead of making this a government mandate, they are trying to determine best practices, based on real world examples.”
Medical wireless IV infusion pump design vulnerabilities have proven to be exploitable, Chaput added. Those vulnerabilities could impact both patient safety and hospital liability.
“The Department of Homeland Security (ICS-CERT) and the Food and Drug Administration (FDA) have issued alerts and advisories on specific pump vulnerabilities,” he stated. “Historically, pump design has not included cybersecurity safeguards as a significant consideration. The FDA has recommended pump manufacturers adopt the NIST CSF for premarket cybersecurity design.”
Providers and manufacturers need to work together
The short term goal is to establish a “consortium” of government and industry resources in a collaborative research and development agreement that will create a “Use Case” document and NIST Practice Guide for healthcare CIOs and CISOs, Chaput explained.
In the long-term, the goal is to demonstrate and share a security SaaS platform that would allow healthcare providers to secure their medical devices on an enterprise network, with a specific focus on wireless infusion pumps.
O’Brien added that the healthcare industry has created a massive network of various devices. Both manufacturers and providers are creating and using various pieces of technology to save lives. However, it is essential that both sides are able to work together and find the right balance between innovation and security.
“On the one hand, manufacturers build products that infuse drugs into patients and did that well,” O’Brien said. “But now that everything has a computer on it, they added their wireless component, so these devices need to consider cybersecurity.”
On the other hand, providers have created a complicated “system of systems” and they also need to be concerned about cybersecurity. There is a gap though on how each party should go to cover their particular device, or to know where to draw the boundaries with regard to medical devices.
“The provider would love devices to come to them and be fully secure,” O’Brien pointed out. “Whereas manufacturers would rather focus on the specifics of what their device does and have the provider create an environment where they don’t have to deal with security. Obviously the answer to this is somewhere in between. Finding that right balance.”
For short term goals, O’Brien explained that they hope to assist providers in shoring up their systems. Covered entities may have the necessary tools in place already, but just need to do a better job of utilizing them. In the long term, providers may need to acquire better software and tools to ensure they can provide proper care.
For manufactures, O’Brien also said that having a set of standard cybersecurity features would be beneficial. Essentially, setting a minimum bar for what should be expected to have on a pump to make them secure.
The importance of understanding potential security risks
While hackers have shown that there are security exploits that could be taken advantage of, O’Brien explained that all of the circumstances would have to be aligned. The potential may be there, but he does not believe that infusion pumps have had an adverse event take place.
“One of the messages we’re trying to get across is that the bar on the part of the pump manufacturer needs to rise, and they need to provide some feature sets to help cybersecurity,” he stated. “But also that the provider has a lot of compensating controls that they can apply that can secure these pumps. By raising the bar of both of these groups, a lot of these issues will not be a problem in the future.”
The fact that a hacker can potentially remotely alter the dosage and raise the dosage limit on medical delivered to a patient is one of the larger security risks with medical infusion pumps, Chaput added, saying that the potential to affect lives is especially dangerous.
“Security vulnerabilities with medical wireless IV infusion pumps put lives at risk,” he stated. “Anyone can tap into devices and cause fatal disruptions.”
The future of medical device cybersecurity
Some of the greatest challenges to patient safety are the improper implementations of technology, as well as there being an outdated understanding of the best approach, according to Chaput.
“There is a fundamental need to develop practical cybersecurity approaches that address the real world needs of complex Health Information Technology (HIT) systems,” he said.
O’Brien added that healthcare IT spending models may need to change in order to keep cybersecurity measures current.
Companies in other sectors will typically spend around 11 percent of their budget on IT or IT-related costs, he said. Healthcare on the other hand spends closer to 4 percent. That model will need to change, but it can be difficult as healthcare IT departments often have to justify their spending needs.
For example, a physician may want to buy a new machine, while an IT manager wants new scanning software or wishes to update the network. It can be difficult to compete against physicians in that respect.
“They have to be savvy in explaining to folks who may not know about cybersecurity about what the value is on updating cybersecurity-related devices or systems.”