The National Cybersecurity Center of Excellence (NCCoE) announced in August that it has finalized the draft guidance it first issued in May of last year on securing wireless infusion pumps. Infusion pumps are often tasked with supplying a steady inflow of life-saving or life-sustaining medications, and their exposure to the internet comes with the risk of malicious manipulation, which can lead to patient harm, data breaches, and risks to an entire organization’s computer system.
The risks of wireless medical devices have received dramatic attention, including in the episode of the Homeland series where a hacked cardiac pacemaker was manipulated to assassinate the Vice President. In September of 2017, the FDA issued a recall for almost half a million pacemakers, and in the same month there was news about infusion pump vulnerability. The FDA has been issuing guidance about the risks associated with infusion pumps and has a webpage dedicated to this issue.
The new NCCoE guidance is geared toward the clinical and administrative leadership of health care organizations, as well as the IT staff who run their computer networks. IT professionals will find reams of detailed information about the features that can be employed to secure infusion pumps. The guidance stresses that the architecture for these solutions uses commercially available hardware and software and was developed with input from the vendors. Security professionals will want to study the entire 375-page report, but for a good visual representation of the suggested system architecture, consult the second page of NCCoE’s Summary, which is linked on the webpage where NCCoE’s guidance is available.
The key takeaway of the guidance for the clinical and administrative staff is an understanding of the common vulnerabilities of these devices, which are distilled in Appendix B on pages 76-77:
- The use of removable media as part of the standard deployment of these devices can result in inappropriate disclosures of PHI, and also poses the risk of introducing malicious software, which can not only compromise the functionality of an individual device but also infect the entire system in which it operates.
- Infusion pumps will store important patient information, but may lack the ability to encrypt it, making it even more critical to avoid use of factory-set login settings.
- With deployment of infusion pumps throughout an organization, it is important to establish role-based access that limits particular functions to persons with appropriate privileges.
- Since infusion pumps often are deployed for years, there must be a program to assess, update and patch them on an ongoing basis.
Appendix C in the Report contains a concise 2-page set of Recommendations and Best Practices, starting with the need to create and maintain a thorough inventory of medical devices throughout the organization, and to implement a variety of measures for all the devices, including:
- Managing the acquisition of new devices to include review of cybersecurity capabilities of new pumps and their deployment without default passwords and other default settings that would expose them to malicious attacks;
- Implementing media access controls and filters to limit access to medical devices by unauthorized actors who have infiltrated the organization’s network; and
- Ensuring their physical security by removing them to a lockable space with limited access when they are not in use.
Finally, while emphasizing that the threat landscape is constantly evolving, the guidance also spotlights the repository of vulnerability management data that is maintained and updated at the National Vulnerability Database for information security professionals to access and use.
NCCoE is inviting comments on the guidance. To provide comments or to learn more, including how to arrange a demonstration of this example implementation, contact the NCCoE at: hit_nccoe@nist.gov.