Wireless Infusion Pumps

Download the Practice Guide

The NCCoE has released the draft version of NIST Cybersecurity Practice Guide SP 1800-8, Wireless Infusion Pumps . Use the buttons below to view this publication in its entirety or scroll down for links to a specific section.

Download PDF »Open Web Version »

Current Status

The NCCoE released a draft of the NIST Cybersecurity Practice Guide, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations on May 8, 2017.  Public comments on the draft closed on July 7, 2017. The NCCoE is currently reviewing this feedback.

For ease of use, the guide is available in volumes:

  • SP 1800-8a: Executive Summary (PDF) (web page)
  • SP 1800-8b: Approach, Architecture, and Security Characteristics (PDF) (web page)
  • SP 1800-8c: How-To Guides (PDF) (web page)

Or download the complete guide (PDF).

Read the announcement about the draft guide or see the two-page fact sheet for additional information.

If you have any questions or suggestions, please email us at hit_nccoe@nist.gov

Summary

The NCCoE, in collaboration with the Technological Leadership Institute at the University of Minnesota, initiated a project to improve the security of wireless medical infusion pumps. This is the first of a series of use cases focused on medical device security. Our original project description draft was published in December 2014, describing the project and asking for public feedback. We received more than 200 comments. A final project description incorporating those comments was published in December 2015.

Business Challenge

Technology improvements happen rapidly across all sectors. For organizations focused on delivering high-quality patient care, it can be difficult to take advantage of the latest technological advances, while also ensuring new medical devices or applications are secure. For many Healthcare Delivery Organizations (HDOs), this can result in improperly configured networks and components that increase cybersecurity risks. 

Unlike prior medical devices that were once standalone instruments, today’s wireless infusion pumps connect to a variety of healthcare systems, networks, and other devices. Although connecting infusion pumps to point-of-care medication systems and electronic health records can improve healthcare delivery processes, this can also increase cybersecurity risk, which could lead to operational or safety risks. Tampering, intentional or otherwise, with the wireless infusion pump ecosystem can expose an HDO enterprise to serious risk factors, such as: access by malicious actors; a breach of protected health information; loss or disruption of healthcare services; and damage to an organization’s reputation, productivity, and bottom-line revenue.

Solution

SP 1800-8 provides best practices and detailed guidance on how to manage assets, protect against threats, and mitigate vulnerabilities by performing a questionnaire-based risk assessment. In addition, the security characteristics of wireless infusion pump ecosystem are mapped to currently available cybersecurity standards and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Based on our risk assessment findings, we apply security controls to the pump’s ecosystem to create a ‘defense-in-depth’ solution for protecting infusion pumps and their surrounding systems against various risk factors. Ultimately, we show how biomedical, networking, and cybersecurity engineers and IT professionals can securely configure and deploy wireless infusion pumps to reduce cybersecurity risk.

Collaborating Vendors

B. Braun
Baxter
BD
cisco logo
Clearwater Compliance
DigiCert
Hospira
Intercede
MDISS
PFP Cybersecurity
Ramparts Security logo
Smiths Medical
Symantec logo
TDI Technologies logo

The technology vendors who participated in this project submitted their capabilities in response to a call in the Federal Register. Companies with relevant products were invited to sign a Cooperative Research and Development Agreement with NIST, allowing them to participate in a consortium to build this example solution.

 

Disclaimer: Certain commercial entities, equipment, products, or materials may be identified in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST or NCCoE, nor is it intended to imply that the entities, equipment, products, or materials are necessarily the best available for the purpose.