NIST Issues Guidance on Securing Drug Pumps

Guidance on securing drug pumps has been issued by the National Institute of Standards and Technology (NIST) to help healthcare organizations mitigate the risk of cyberattacks that could cause patients to come to harm or allow sensitive data to be stolen.

Over the past two years, concern has been raised about the lack of security on medical devices, with drug pumps a particularly serious concern. If threat actors are able to gain access to drug pumps, they could alter drug dosages; increasing or decreasing the doses delivered by the pumps could be life threatening for patients.

Federal agencies called on NIST to provide additional guidance on securing drug pumps, not only to improve patient safety, but also to ensure that cyberattacks on the devices do not jeopardize the confidentiality, integrity and availability of ePHI or give cybercriminals a foothold in healthcare networks. Wireless drug infusion pumps are seen as a particular risk, which the new guidance addresses.

While drug infusion pumps do not typically interface with a wide range of healthcare networks or other information systems, they are capable of pushing data to pharmacies and even into electronic health record systems. That data could be altered or intercepted, and there is potential for the devices to be used as a path to gain access to EHRs.

While there have been no recorded incidents that have resulted in patients being harmed as a result of drug pump hacks, the threat is considerable, especially since the devices typically lack robust security controls.

Since there are many vendors and models of drug pumps, developing guidance that covers all manufacturers and models has been a complex process. The process has taken well over a year.

The guidance on securing drug pumps was developed in collaboration with the National Cybersecurity Center of Excellence (NCCoE), a division of NIST, with input sought from a wide range of technology companies.

NCCoE developed a plan for healthcare organizations to use commercially available, standards-based technology to secure medical devices. A questionnaire-based risk assessment is included in the guidance to allow healthcare providers to assess drug pump security, discover vulnerabilities, and apply appropriate security controls to improve device security.

Security characteristics have been mapped to the NIST Cybersecurity Framework (CSF) and to the requirements of the HIPAA Security Rule, with example configurations detailed in the guidance to improve security.

The new NIST guidance on securing drug pumps is available for download from NIST.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news