NIST Issues Draft Guidance for Wireless Infusion PumpsDescribes How to Secure Devices Using Commercial Products
New draft guidance from the National Institute of Standards and Technology calls for using commercially available, standards-based technologies to improve the security of wireless infusion pumps.
NIST issued a white paper on the same topic in 2014, but it was criticized for being too prescriptive (see Infusion Pump Security: NIST Refining Guidance).
Wireless infusion pumps are commonly used medical devices that can be potentially vulnerable to accidental and malicious tampering, posing both data security and patient safety risks.
In fact, certain infusion pumps from Hospira were the subject of two 2015 alerts from the Food and Drug Administration following the discovery by independent researchers of cyber vulnerabilities. But there have been no documented cases of patients being harmed as a result of an infusion pump, or other medical device, being hacked.
Phil Curran, CISO at Cooper Health, a healthcare system based in Camden, New Jersey, notes that any device with an operating system that's connected to a network poses a risk to an organization. "One issue with wireless infusion pumps is the large number of pumps an organization maintains," he says. "These large numbers provide an extensive attack surface that, when coupled with vulnerabilities in the pumps' operating system, the hospital network, etc., pose not only a threat to the data but also pose a threat to patient safety if, for example, dosages are changed on the pump."
The draft guidance, Securing Wireless Infusion Pumps In Healthcare Delivery Organizations, issued by NIST's National Cybersecurity Center of Excellence, or NCCoE, notes: "As internet of medical things grows, cybersecurity risks have risen. ...This has created a new source of risk for the safe operation of medical devices. ... The infusion pump ecosystem - the pump, the network, and the data stored in and on a pump - face a range of threats, including unauthorized access to protected health information, changes to prescribed drug doses, and interference with a pump's function."
Keith Fricke, principle consultant at tw-Security, says that an improperly safeguarded infusion pump may be susceptible to unauthorized electronic access. "Consequently, the act of accessing the device could put it in an inoperable or unstable state," he says. "The security risk is the potential for unauthorized access to any patient data that may reside on or in the device. In addition, the compromised device could potentially be used as a stepping stone into other parts of the network to which the device is connected."
The new guidance was prepared by NIST's NCCoE with collaboration from several medical device makers - including Hospira, Baxter Healthcare and Becton, Dickinson and Co., among others - and input from security vendors and consultancies, including Symantec, DigiCert, Cisco, Mitre and Clearwater Compliance. NIST is accepting public comments on the draft until July 7.
Infusion Pump Security Challenges
In its draft guidance, NIST notes that wireless infusion pumps are challenging to protect. "They can be infected by malware, which can cause them to malfunction or operate differently than originally intended. And traditional malware protection could negatively impact the pump's ability to operate efficiently."
Wireless infusion pumps connect to a variety of healthcare systems, networks, and other devices, the guidance notes.
"Although connecting infusion pumps to point-of-care medication systems and electronic health records can improve healthcare delivery processes, using a medical device's connectivity capabilities can create significant cybersecurity risk, which could lead to operational or safety risks," the guidance says.
Tampering with a wireless infusion pump ecosystem can expose a healthcare enterprise to serious risks, such as access by malicious actors; loss or corruption of enterprise information and patient data and health records; a breach of protected health information; loss or disruption of healthcare services; and damage to an organization's reputation, productivity and revenue, the guidance notes.
The 354-page guidance document says that NCCoE "developed an example implementation that demonstrates how healthcare delivery organizations can use standards-based, commercially available cybersecurity technologies to better protect the wireless infusion pump ecosystem, including patient information and drug library dosing limits."
It includes an example solution that starts with two types of risk assessments: An industry analysis of risk and a questionnaire-based-risk assessment. "With the results of that assessment, we then used a defense-in-depth strategy to secure the pump, server components, and surrounding network to create a better protected environment for wireless infusion pumps," NIST notes.
The solution and architectures described by NIST in the guidance "are built upon standards-based, commercially available products and represent one of many possible solutions and architectures. The example implementation can be used by any organization that is deploying wireless infusion pump systems and is willing to perform their own risk assessment and implement controls based on their risk posture."
Cooper Health's Curran says the new guidance "will allow us to baseline how we have implemented our infusion pump architecture against an architecture developed by professionals from many fields. By using commercial products, their implementation could show us how we can utilize the commercial products we use to better implement controls."
Meanwhile, Fricke notes that the guidance defines a way to evaluate risks, which leads to helping create a risk management plan. "Organizations now have a NIST publication to align with when trying to garner support for the effort necessary to manage infusion pump risks," he says. "The information contained in the publication can be used as a model for identifying and managing the risk of other types of biomed devices."
The NIST guidance is broken into several sections, including a chapter on "how business decision makers, program managers, information technology professionals - for example, systems administrators - and biomedical engineers - might use each volume of the guide."
Other sections include:
- Risk Assessment and Mitigation: Highlights the risks identified and potential response and mitigation efforts;
- Architecture: Describes the usage scenarios supported by project security platforms, including NIST cybersecurity framework functions supported;
- Life Cycle Cybersecurity Issues: Discusses cybersecurity considerations from a product life cycle perspective including;
- Security Characteristics Analysis: Provides details about the tools and techniques guidance collaborators used to perform risk assessments pertaining to wireless infusion pumps;
- Functional Evaluation: Summarizes the test sequences employed to demonstrate security platform services;
- Future Build Considerations: Offers a brief treatment of other applications that NIST might explore in the future to further support wireless infusion pump cybersecurity.
NIST notes that while NCCoE used a suite of commercially available tools and technologies to address wireless infusion pump cybersecurity challenges, "this guide does not endorse any specific products, nor does it guarantee compliance with any regulatory initiatives."
Bill Aerts, the former global privacy and security officer at device maker Medtronic, notes that the NIST NCCoE "is a group that focuses on developing secure environments for specific medical devices using existing technologies. I have faith that a rigorous process was used to develop this profile for wireless infusion pumps, but I can't go any further or endorse it since I wasn't involved."
Curran says efforts to bolster the security of medical devices are critical.
"What we have to do as information security and IT professionals is to architect solutions for these devices that allow the healthcare organization to use these tools to facilitate treating patients while maintaining the security and privacy of the device to properly protect both the institution and the patient."