National Institute of Standards and Technology (NIST) announced the release of a draft Special Publication (SP) on Securing Wireless Infusion Pumps in Healthcare Delivery Organizations, which is now available for public comment.
This is an important area that Computing Community Consortium (CCC) Council member Kevin Fu from the University of Michigan has been working in for many years. In February 2016, Fu attended the White House meeting of medical device security stakeholders and domain experts to discuss the cybersecurity challenges faced by healthcare delivery organizations and medical device manufacturers. In March 2017, the New York Times released an article called It’s Possible to Hack a Phone With Sound Waves, Researchers Show, which highlights Fu’s work on embedded computer systems. Fu and his team have found a vulnerability that allows them to take control of devices through the tiny accelerometers that are standard components in consumer products like fitness monitors. Recently, Fu and CCC Director Ann Drobnis attended a Food and Drug Administration (FDA) workshop called Cybersecurity of Medical Devices: A Regulatory Science Gap Analysis, which examined opportunities for FDA engagement with new and ongoing research. You can see videos of that workshop here.
From the NIST announcement:
As the world rapidly embraces the Internet of Things, properly securing medical devices has grown challenging for most healthcare delivery organizations (HDOs).
That’s because medical devices, such as infusion pumps, have evolved from standalone instruments that interacted only with the patient and a medical provider into devices that now connect wirelessly to a variety of systems, networks, and other platforms to enhance patient care, as part of the broader Internet of Medical Things (IoMT).
As a result, cybersecurity risks have risen. Wireless infusion pump ecosystems, which include the pump, the network, and the data stored in and on a pump, face a range of potential threats, such as unauthorized access to protected health information (PHI), changes to prescribed drug doses, and interference with a pump’s intended function.
In collaboration with the healthcare community and manufacturers, the NCCoE developed cybersecurity guidance, draft NIST Special Publication 1800-8, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations, which uses standards-based, commercially available technologies and industry best practices to help HDOs strengthen the security of wireless infusion pumps within healthcare facilities. The draft guide is now open for public comment.
The full announcement of this draft document along with links to the draft SP 1800-8 volumes and project homepage can be found here. Deadline to submit comments here is by July 7, 2017.
