Why NIST Is Revising Infusion Pump Cybersecurity Guidance
Expert Explains What to Expect in Upcoming Document
Gavin O'Brien of NIST

The National Institute of Standards and Technology is reworking its guidance on the cybersecurity of wireless infusion pumps, with plans to release the document by the end of this year, says Gavin O'Brien, a computer scientist at NIST's National Cybersecurity Center of Excellence, which is taking charge of the project.

The upcoming guidance is a new version of a white paper that NIST first unveiled in December 2014 about the cybersecurity of wireless infusion pumps. The document is being revised based, in part, on feedback NIST received from healthcare industry stakeholders about the original white paper, which was criticized by some as being too prescriptive, O'Brien says (see Infusion Pump Security: NIST Refining Guidance).

"Some of the things we had characterized in our original white paper needed to be clarified and adjusted," he says in an interview with Information Security Media Group. NIST then spent about a year working with constituents in the healthcare sector who provided feedback on the document. Yet, the goal of the upcoming version is still the same, says O'Brien, who described the effort in a session at the HIMSS 2016 Conference in Las Vegas.

"We want to create a practice guide - a set of best practices and standards that we want folks to use," he says. The document will feature multiple components, ranging from an executive summary for the C-suite, to more detailed tables of standards that can be mapped to products and security characteristics, as well as material that can help healthcare organizations perform risk assessments, he says.

The revised guidance from NIST comes in the wake of the Food and Drug Administration last August issuing an alert warning hospitals to discontinue use of a certain line of infusion pumps from medical device maker Hospira due to security flaws that could potentially allow an unauthorized user to remotely change medication dosages dispensed by the pumps.

In the interview, O'Brien also discusses:

  • What's next in the development of the new guidance;
  • Why NIST chose to tackle the cybersecurity of wireless infusion pumps versus the many other different types of medical devices commonly found in healthcare environments;
  • The potential threat of ransomware attacks on medical devices.

O'Brien is a computer scientist and project manager at the NIST National Cybersecurity Center of Excellence. Before joining the center in 2012, O'Brien spent 13 years at NIST's IT Laboratory.
