
Securing Wireless Infusion Pumps in Healthcare

8.27.2018

The National Cybersecurity Center of Excellence (NCCoE) announced in August that it has finalized the draft guidance it first issued in May of last year on securing wireless infusion pumps. Infusion pumps are often tasked with supplying a steady inflow of life-saving or life-sustaining medications, and their exposure to the internet opens them to malicious manipulation, which in turn brings risks of patient harm, data breaches, and compromise of an entire organization’s computer system.

The risks of wireless medical devices have received dramatic attention, including in the episode of the Homeland series in which a hacked cardiac pacemaker was manipulated to assassinate the Vice President. In September of 2017, the FDA issued a recall for almost a half million pacemakers, and in the same month there was news about an infusion pump vulnerability. The FDA has been issuing guidance about the risks associated with infusion pumps and has a webpage dedicated to this issue.

The new NCCoE guidance is geared toward the clinical and administrative leadership of health care organizations, as well as the IT staff who run their computer networks. IT professionals will find reams of detailed information about the features that can be employed to secure infusion pumps, and the guidance stresses that the architecture for these solutions uses commercially available hardware and software and was developed with input from the vendors. Security professionals will want to study the entire 375-page report, but for a good visual representation of the suggested system architecture, consult the second page of NCCoE’s Summary, which is linked on the webpage where NCCoE’s guidance is available.

The key takeaway of the guidance for clinical and administrative staff is an understanding of the common vulnerabilities of these devices, which are distilled in Appendix B on pages 76-77:

  • The use of removable media as part of the standard deployment of these devices can result in inappropriate disclosures of PHI. It also poses the risk of introducing malicious software, which can compromise the functionality of an individual device and can also infect the entire system in which that device operates.
  • Infusion pumps will store important patient information but may lack the ability to encrypt it, making it even more critical to avoid use of factory-set login settings.
  • With infusion pumps deployed throughout an organization, it is important to establish role-based access that limits particular functions to persons with the appropriate privileges.
  • Since infusion pumps often remain deployed for years, there must be a program to assess, update and patch them on an ongoing basis.

Appendix C in the Report contains a concise 2-page set of Recommendations and Best Practices, starting with the need to create and maintain a thorough inventory of medical devices throughout the organization and to implement a variety of measures for all of those devices, including:

  • Managing the acquisition of new devices to include a review of the cybersecurity capabilities of new pumps, and deploying them without default passwords or other default settings that would expose them to malicious attacks;
  • Implementing media access controls and filters to limit access to medical devices by unauthorized actors who have infiltrated the organization’s network; and
  • Ensuring their physical security by moving them to a lockable space with limited access when they are not in use.

Finally, while emphasizing that the threat landscape is constantly evolving, the guidance also spotlights the repository of vulnerability management data that is maintained and updated at the National Vulnerability Database for information security professionals to access and use.

NCCoE is inviting comments on the guidance. To provide comments or to learn more, including how to arrange a demonstration of this example implementation, contact the NCCoE at: hit_nccoe@nist.gov.

Physical Address: 301 Fayetteville Street, Suite 1900, Raleigh, NC 27601 | © Poyner Spruill LLP. All rights reserved.
