The National Cybersecurity Center of Excellence (NCCoE) announced in August that it has finalized the draft guidance it first issued in May of last year on securing wireless infusion pumps. Infusion pumps are often tasked with supplying a steady inflow of life-saving or life-sustaining medications, and their exposure to the internet opens them to malicious manipulation, with attendant risks of patient harm, data breaches, and compromise of an entire organization’s computer systems.

The risks of wireless medical devices have received dramatic attention, including in the episode of the Homeland series in which a hacked cardiac pacemaker was manipulated to assassinate the Vice President. In September of 2017, the FDA issued a recall for almost half a million pacemakers, and in the same month there was news about infusion pump vulnerabilities. The FDA has been issuing guidance about the risks associated with infusion pumps and has a webpage dedicated to this issue.

The new NCCoE guidance is geared toward the clinical and administrative leadership of health care organizations, as well as the IT staff who run their computer networks. IT professionals will find reams of detailed information about the features that can be employed to secure infusion pumps, and the guidance stresses that the architecture for these solutions uses commercially available hardware and software and was developed with input from the vendors. Security professionals will want to study the entire 375-page report, but for a good visual representation of the suggested system architecture, consult the second page of NCCoE’s Summary, which is linked on the webpage where NCCoE’s guidance is available.

The key takeaway of the guidance for clinical and administrative staff is an understanding of the common vulnerabilities of these devices, which are distilled in Appendix B on pages 76-77:

Appendix C in the report contains a concise two-page set of Recommendations and Best Practices, starting with the need to create and maintain a thorough inventory of medical devices throughout the organization, and then implementing a variety of measures for all the devices, including:

Finally, while emphasizing that the threat landscape is constantly evolving, the guidance also spotlights the repository of vulnerability management data that is maintained and updated at the National Vulnerability Database for information security professionals to access and use.

NCCoE is inviting comments on the guidance. To provide comments or to learn more, including how to arrange a demonstration of this example implementation, contact the NCCoE at: hit_nccoe@nist.gov.
