Infusion Pump Security: NIST Refining GuidanceNIST's Gavin O'Brien Describes Medical Device Cybersecurity Challenges
The National Institute of Standards and Technology is revising its guidance addressing the cybersecurity of wireless infusion pumps, says Gavin O'Brien, a computer scientist at NIST's National Cybersecurity Center of Excellence.
NIST's National Cybersecurity Center of Excellence has been working on guidance for wireless infusion pumps for more than a year, O'Brien says. Meanwhile, the Food and Drug Administration recently issued an alert warning hospitals to discontinue use of a certain line of infusion pumps from medical device maker Hospira due to security flaws that could potentially allow an unauthorized user to remotely change medication dosages dispensed by the pumps (see FDA: Discontinue Use of Flawed Infusion Pumps) .
"We came out with our first use case in December 2014 - a white paper that went into a lot of detail about certain potential vulnerabilities" in infusion pumps, he says in an interview with Information Security Media Group.
Based on the feedback NIST received about the white paper draft, the institute determined the guidance was too prescriptive and detailed, he says. So the document is being revamped for release early next year.
The NIST infusion pump white paper describes potential cybersecurity threats affecting wireless medical infusion pumps, including the devices being compromised by malware, hackers or malicious insiders, and suggests implementing a variety of risk mitigation technologies, including encryption and multi-factor authentication. Infusion pumps provide fluids, medication or nutrients to a patient's circulatory system or gastrointestinal tract, and are usually found in hospitals or clinics, NIST explains.
In the interview (audio link below photo), O'Brien also discusses:
- Highlights of draft mobile security guidance for the healthcare sector that NIST unveiled in July (see NIST on Protecting Mobile Health Data). NIST is collecting public comments on that guidance until Sept. 25.
- Why the security of mobile devices used for electronic health records is such "a complicated problem."
- Security challenges involving the "Internet of Things," including consumer wearable health devices.
O'Brien is a computer scientist and project manager at the NIST National Cybersecurity Center of Excellence. Before joining the center in 2012, O'Brien spent 13 years at NIST's IT Laboratory.