Cyberattacks on healthcare systems are becoming more frequent and increasingly devastating. As demonstrated by the recent crippling ransomware attacks on hospital computers (discussed here), the risk to patients has escalated from the theft of sensitive data to interference with clinical care. Rapid advances in the functionality of wireless medical devices have resulted in tremendous benefits for patients but have also created exploitable security gaps that stakeholders are scrambling to close (as discussed here).
In December, the U.S. Food and Drug Administration published final guidance setting forth a general framework for identifying, monitoring, and addressing cybersecurity vulnerabilities in medical devices (as discussed here). While all wireless technology faces cybersecurity risks, medical devices such as wireless infusion pumps carry a unique risk, as a hacker has the ability not only to access protected health information but also to make changes to drug doses and interfere with the pumps function.
Earlier this month, the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) published a set of best practices and guidance on how to protect against threats to wireless infusion pumps. The guide, which is primarily intended as a how-to for professionals implementing security solutions, was developed following collaboration with healthcare stakeholders, technology vendors, and cybersecurity vendors.
While the NCCoEs guidance offers solutions for securing the infusion pump, server components, and the surrounding network, NCCoE suggests that the security controls detailed in the publication can be tailored and applied to increase security for other types of medical devices.
Securing Wireless Infusion Pumps In Healthcare Delivery Organizations (NIST Special Publication 1800-8) can be viewed or downloaded here.