Guidance on Securing Wireless Infusion Pumps for Healthcare Delivery Organizations

The final version of the NIST Cybersecurity Practice Guide for Securing Wireless Infusion Pumps in Healthcare Delivery Organizations has been issued by the National Cybersecurity Center of Excellence (NCCoE) and the National Institute of Standards and Technology (NIST).

These days, wireless infusion pumps are not standalone devices. They are usually connected to many healthcare systems, networks, and other medical devices. That makes the threat surface particularly large and the devices difficult to secure.

If malicious actors can get access to the wireless infusion pump ecosystem, pump settings could be modified or malware could be installed. Both could lead to the devices malfunctioning which would affect the availability of the devices and has considerable potential to result in harm being caused to patients. A malware attack on wireless infusion pumps could also allow the protected health information of patients to be stolen.

If wireless infusion pumps are compromised, it could disrupt healthcare services, damage organizations’ reputations, and result in significant financial losses.

Protecting wireless infusion pumps is not easy. Standard cybersecurity solutions like anti-virus software programs can interfere with the operation of the devices. The devices are usually shipped with login credentials which are often not changed. Since wireless infusion pumps are often configured to be remotely accessible to make management easier, this also makes them vulnerable to remote attacks by hackers.

The NIST/NCCoE guidance helps companies overcome the difficulties of securing the devices,  eliminate all vulnerabilities, and protect the devices against a wide range of threats.

The guide suggests the use of commercially available technologies and includes industry best practices to help healthcare providers ensure their devices and the networks to which they connect are secured.

The guidance includes questionnaires for risk evaluation and the security features of the wireless infusion pump ecosystem have been mapped to the NIST Cybersecurity Framework and the HIPAA Security Rule.

The guide helps healthcare providers to create defense-in-depth and protect their wireless infusion pumps against a wide range of risk factors.

The NIST Special Publication 1800-8A – Securing Wireless Infusion Pumps in Healthcare Delivery Organizations PDF, can be downloaded here (PDF File).