Wednesday, May 10, 2017

NIST issues new guidance for protecting wireless infusion pumps

The National Institute of Standards and Technology (NIST) has released its latest guidance on protecting wireless infusion pumps, in hopes of hardening the devices against cyber attacks.

The federal agency released the guidance in collaboration with the National Cybersecurity Center of Excellence (NCCoE), a unit within NIST. The NCCoE has developed a plan showing providers how to use standards-based, commercially available technology to secure wireless infusion pumps, patient data and drug library dosing limits.

Several major vendors collaborated with NIST on the report. They include B. Braun, Baxter, BD, Cisco, Clearwater Compliance, DigiCert, Hospira, Intercede, MDISS, PFP, RAMPARTS, Smiths Medical, Symantec and TD Medical.

The plan involves a questionnaire-based risk assessment, mapping security characteristics to available cybersecurity standards as well as to the requirements of the HIPAA Security Rule, in order to apply security controls to pumps and to the other data systems or networks to which they might connect.

“Finally, we demonstrate how biomedical, networking and cybersecurity engineers and IT experts can securely configure and deploy wireless infusion pumps to decrease cybersecurity risk,” NIST’s report asserts.

The new report reflects more than a year of work on infusion pump security by NIST, which called on technology companies in January 2016 to mount a collaborative effort to improve the security of wireless pumps.

Federal organizations and watchdog groups have raised awareness that wireless infusion pumps could be compromised by hackers, increasing risks for patients and prompting concerns that the networks to which they are connected could be accessed through cyber attacks. Security on the devices is generally weak and can be easily manipulated by external agents.

“In particular, the wireless infusion pump ecosystem (the pump, the network and the data stored in or on a pump) confronts a range of threats involving unauthorized access to protected health information, changes to prescribed drug doses and interference with the function of the pump,” the guidance states, citing a report from the Association for the Advancement of Medical Instrumentation.

Although connecting infusion pumps to point-of-care medication systems and electronic health records (EHRs) can improve healthcare delivery processes, using a medical device’s connectivity capabilities can pose an increased threat, which could lead to operational or safety problems, NIST points out.

In general, wireless infusion pumps don’t interface with a lot of other information systems; they take data and push it to the pharmacy using an HL7 central server, and the data may also go into the electronic health record, says Tom Walsh, president of the Tom Walsh Consulting security practice. But because there are so many different vendors and varieties of pumps, it’s been difficult to devise one approach to protect them.

Part of the vulnerability stems from the fact that vendors often remotely access their devices in hospitals to troubleshoot them. “How do you know it’s the vendor in the device or someone hacking in?” Walsh asks. “The vendor may or may not collaborate with IT or biomedical.”

The full NIST guidance is available here. A model of a network infrastructure is here.

 
