On May 8, 2017, the National Institute of Standards and Technology (NIST), through its National Cybersecurity Center of Excellence (NCCoE), released a new draft NIST Cybersecurity Practice Guide (SP 1800-8) entitled “Securing Wireless Infusion Pumps in Healthcare Delivery Organizations.” The purpose of the new guidance is to address the security flaws in external infusion pumps in the healthcare industry, and provide engineers and IT professionals a roadmap for how they can securely configure and deploy wireless infusion pumps by using “standards-based commercially available technologies and industry best practices[.]” NIST Cybersecurity Practice Guides (Special Publication Series 1800) target specific cybersecurity challenges in the public and private sector, and are intended to serve as practical, user-friendly guides that facilitate the adoption of standards-based approaches to cybersecurity. They do not describe regulations or mandatory practices. Nor do they carry statutory authority. NIST is accepting public comment on the new draft guidance through July 7, 2017.
Overview Of Draft Guidance
Infusion pumps are defined by the FDA as a medical device that delivers fluid into a patient’s body in a controlled manner. Once standalone instruments that interacted with the patient or medical provider only, infusion pumps are now connected to a variety of systems and networks, contributing to what NIST calls the Internet of Medical Things (IoMT). This new connectivity brings with it benefits and challenges. Although connecting fusion pumps to point-of-care medication systems and electronic health records can improve the healthcare delivery process, it can also create significant cybersecurity risk that could lead to operational or safety risks. Specifically, tampering with the wireless infusion pump ecosystem can expose a healthcare provider to:
- Access by malicious actors;
- Loss or corruption of enterprise information and patient data and health records;
- A breach of protected health information;
- Loss or disruption of healthcare services; or
- Damage to an organization’s reputation, productivity, and bottom-line revenue.
Key Takeaways From New Draft Guidance
The new guidance is written from a how-to perspective, providing details on how to install, configure and integrate components. It is therefore primarily intended for professionals implementing security solutions within a healthcare organization, such as biomedical, networking and cybersecurity engineers and IT professionals who are responsible for securing and configuring wireless infusion pumps. The new guidance maps out the security characteristics of wireless infusion pump ecosystems to currently available cybersecurity standards and the HIPAA Security Rule, and applies “security controls to the pump’s ecosystem to create a ‘defense-in-depth’ solution for protecting infusion pumps and their surrounding systems against various risk factors.”
NIST claims organizations will, if they adopt the new guidance:
- Reduce cybersecurity risk, and potentially reduce impact to safety and operational risk, such as the loss of patient information or interference with the standard operation of a medical device;
- Develop and execute a defense-in-depth strategy that protects the enterprise with layers of security to avoid a single point of failure and provides strong support for availability; and
- Implement current cybersecurity standards and best practices, while maintaining the performance and usability of wireless infusion pumps.
A copy of the draft guidance is here. If you or your business are interested in submitting public comments in response to the new draft guidance, the Dentons Privacy and Cybersecurity Group can help. We are also prepared to assist your organization in navigating the new draft guidance and securing your networked devices against the constantly evolving threat landscape.