On May 8, 2017, the National Institute of Standards and Technology (NIST), through its National Cybersecurity Center of Excellence (NCCoE), released a new draft NIST Cybersecurity Practice Guide (SP 1800-8) entitled "Securing Wireless Infusion Pumps in Healthcare Delivery Organizations." The purpose of the new guidance is to address the security flaws in external infusion pumps in the healthcare industry, and provide engineers and IT professionals a roadmap for how they can securely configure and deploy wireless infusion pumps by using "standards-based commercially available technologies and industry best practices[.]" NIST Cybersecurity Practice Guides (Special Publication Series 1800) target specific cybersecurity challenges in the public and private sector, and are intended to serve as practical, user-friendly guides that facilitate the adoption of standards-based approaches to cybersecurity. They do not describe regulations or mandatory practices. Nor do they carry statutory authority. NIST is accepting public comment on the new draft guidance through July 7, 2017.

Overview Of Draft Guidance

The FDA defines an infusion pump as a medical device that delivers fluid into a patient's body in a controlled manner. Once standalone instruments that interacted with the patient or medical provider only, infusion pumps are now connected to a variety of systems and networks, contributing to what NIST calls the Internet of Medical Things (IoMT). This new connectivity brings with it benefits and challenges. Although connecting infusion pumps to point-of-care medication systems and electronic health records can improve the healthcare delivery process, it can also create significant cybersecurity risk that could lead to operational or safety risks. Specifically, tampering with the wireless infusion pump ecosystem can expose a healthcare provider to:

  1. Access by malicious actors;
  2. Loss or corruption of enterprise information and patient data and health records;
  3. A breach of protected health information;
  4. Loss or disruption of healthcare services; or
  5. Damage to an organization's reputation, productivity, and bottom-line revenue.

Key Takeaways From New Draft Guidance

The new guidance is written from a how-to perspective, providing details on how to install, configure and integrate components. It is therefore primarily intended for professionals implementing security solutions within a healthcare organization, such as biomedical, networking and cybersecurity engineers and IT professionals who are responsible for securing and configuring wireless infusion pumps. The new guidance maps out the security characteristics of wireless infusion pump ecosystems to currently available cybersecurity standards and the HIPAA Security Rule, and applies "security controls to the pump's ecosystem to create a 'defense-in-depth' solution for protecting infusion pumps and their surrounding systems against various risk factors."

NIST claims that organizations adopting the new guidance will:

  • Reduce cybersecurity risk, and potentially reduce impact to safety and operational risk, such as the loss of patient information or interference with the standard operation of a medical device;
  • Develop and execute a defense-in-depth strategy that protects the enterprise with layers of security to avoid a single point of failure and provides strong support for availability; and
  • Implement current cybersecurity standards and best practices, while maintaining the performance and usability of wireless infusion pumps.

A copy of the draft guidance is here. If you or your business are interested in submitting public comments in response to the new draft guidance, the Dentons Privacy and Cybersecurity Group can help. We are also prepared to assist your organization in navigating the new draft guidance and securing your networked devices against the constantly evolving threat landscape.

For more information, visit our Privacy and Cybersecurity blog at www.privacyandcybersecuritylaw.com
