- The National Cybersecurity Center of Excellence (NCCoE) recently released a draft of the NIST Cybersecurity Practice Guide, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations, to help improve medical device security.
NCCoE collaborated with the Technological Leadership Institute at the University of Minnesota to ensure that wireless medical infusion pumps are properly secured.
“Unlike prior medical devices that were once standalone instruments, today’s wireless infusion pumps connect to a variety of healthcare systems, networks, and other devices,” NCCoE explained on its website. “Although connecting infusion pumps to point-of-care medication systems and electronic health records can improve healthcare delivery processes, this can also increase cybersecurity risk, which could lead to operational or safety risks.”
Furthermore, wireless pump tampering can expose a healthcare delivery organization (HDO) to serious risks, such as PHI exposure or a loss or disruption to healthcare services.
The guide provides guidance and overall best practices for managing assets, protecting against threats and mitigating vulnerabilities by taking a questionnaire-based risk assessment. Wireless infusion pump security characteristics are also put to current cybersecurity standards and the HIPAA Security Rule, NCCoE maintained.
“Based on our risk assessment findings, we apply security controls to the pump’s ecosystem to create a ‘defense-in-depth’ solution for protecting infusion pumps and their surrounding systems against various risk factors,” the organization stated. “Ultimately, we show how biomedical, networking, and cybersecurity engineers and IT professionals can securely configure and deploy wireless infusion pumps to reduce cybersecurity risk.”
Organizations can maintain the wireless infusion pump performance and usability while still implementing current cybersecurity standards, NCCoE said in a summary. The layered security approach is designed to “avoid a single point of failure and provide strong support for availability.”
A tiered risk management approach will also benefit organizations, the guide states. This involves reviewing the organization, the mission/business process, as well as the information system – the environment of operation.
“Vulnerabilities may be present in infusion pumps and their server components since these devices often include embedded operating systems on the endpoints,” NCCoE wrote. “Infusion pumps are designed to maintain a prolonged period of useful life, and, as such, may include system components (e.g., an embedded operating system) that may either reach end-of-life or reach a period of degraded updates prior to the infusion pump being retired from service. Patching and updating may become difficult over the course of time.”
Malicious software – including ransomware – could also render a device unable to perform its normal function. Malicious actors could also use an infusion pump as an access point to gain further access to hospital systems.
This is why a risk assessment and corresponding risk response strategy will greatly benefit HDOs as they work to create strong security measures for their devcies.
Medical device security, specifically within wireless medical infusion pump, has been a key focus for NCCoE for some time. In September 2016, NCCoE announced that it was working with Clearwater Compliance to investigate how best to improve the wireless IV medical infusion pump security.
The two organizations also wanted to increase organizations’ cyber risk assessment and management capability.
NCCoE Senior Cybersecurity Engineer Gavin O’Brien explained in an earlier interview with HealthITSecurity.com that NCCoE is trying to secure cybersecurity infrastructure and inspire technological innovation to help foster economic growth.
“In healthcare, devices have a long shelf life, and there’s also a decommissioning of the device,” he said. “If it has PHI you need to remove that so you don’t violate HIPAA. There is a full life cycle to the pump.”
Clearwater Compliance CEO Bob Chaput stated in an email that wireless IV medical infusion pump security will be improved with letting NCCoE more effectively understand the hospital CIO culture and how to effectively communicate and apply best practices to this audience.
“NIST has reached out to the industry now and has turned this research topic into a consortium, rather than historically trying to solve this problem independently,” Chaput explained. “Instead of making this a government mandate, they are trying to determine best practices, based on real world examples.”