Hospitals are increasingly using networked technology to improve the accuracy and efficiency of medical care by connecting medical devices to a central system. A networked infusion pump can allow centralized control of the device’s programming as well as provide automated cross checks against pharmacy records and patient data. This ensures that the right dose of fluids or medication is delivered to the right patient at the right time.
In the past, medical devices were standalone instruments that interacted only with the patient. Today, medical devices have operating systems and communication hardware that allows them to connect to networks and other devices.
While this technology has created more powerful tools and improved healthcare, it has also led to additional risk in safety and security. Patients can be harmed through incorrect drug dosing or loss of private health information.
Plus, intentional or unintentional tampering with wireless infusion pumps can expose a healthcare facility’s IT-dependent systems to loss of data and other information that may result in downtime, along with less productivity and revenue. Once organizations understand the risks, strategies can be established to educate staff members on vulnerabilities.
To address the cybersecurity challenges of wireless infusion pumps, The National Cybersecurity Center of Excellence (NCCoE) http://nccoe.nist.gov at NIST is inviting comments on a draft use case recently issued titled “Wireless Medical Infusion Pumps: Medical Device Security” http://nccoe.nist.gov/content/medical-devices (December 2014) and co-authored by Gavin O’Brien NCCoE) and Gopal Khanna, (TLI).
The NCCoE works with industry, academic and government experts to find practical solutions for pressing cybersecurity needs. The Center was established in 2012 by the State of Maryland and Montgomery County, Maryland. In 2014, MITRE Corp was awarded a contract to support the center as a federally funded research and development center dedicated to cybersecurity.
The draft use case is a joint venture between NCCoE and the Technological Leadership Institute (TLI) http://tli.umn.edu at the University of Minnesota. Minnesota-based providers, manufacturers, and medical device industry associations helped draft the use case to provide a technical description of the challenges in securing the devices and how to find solutions.
The draft use case identifies the people and systems that interact with infusion pumps, defines their interactions, performs a risk assessment, identifies applicable security technologies, and explains how to secure the system.
The draft wireless infusion pump use case can be viewed on the NCCoE website http://nccoe.nist.gov with comments due by January 18, 2015.