Cybersecurity Center Invites Feedback on Securing Medical Devices
From NIST Tech Beat: December 22, 2014
Hospitals are increasingly using networked technology to improve the accuracy and efficiency of medical care by connecting medical devices to a central system. A networked infusion pump—a device used to convey fluids, drugs and nutrients into a patient’s bloodstream—can allow centralized control of the device’s programming as well as automated cross checks against pharmacy records and patient data to ensure the right dose of fluids or medication are delivered at the right time to the right patient. But these connected devices can introduce new risks in safety and security compared with stand-alone devices.
To address the cybersecurity challenges of wireless infusion pumps, the National Cybersecurity Center of Excellence (NCCoE) is inviting comments on a draft project to secure those devices. The challenges include vulnerabilities to malware or hacking and access control.
The effort is a collaboration between the NCCoE at the National Institute of Standards and Technology and the Technological Leadership Institute (TLI) at the University of Minnesota. Minnesota-based providers of services, manufacturers and medical device industry associations helped to draft a use case, which provides a technical description of the challenge of securing the devices and describes desired characteristics for solutions.
“This is the first medical device project for the National Cybersecurity Center of Excellence, and our second focused on the healthcare sector,” says Nate Lesser, deputy director of the NCCoE. “Working with the Technological Leadership Institute and the medical device community helped us identify this challenge and we look forward to continued collaboration."
The draft use case identifies the people and systems that interact with infusion pumps, defines their interactions, performs a risk assessment, identifies applicable security technologies and provides an example method or implementation to secure the system.
After the use case is finalized, the NCCoE will invite organizations to participate in developing a practice guide, or a collection of the materials and information needed to deploy an example solution of off-the-shelf products that address the technical security problems. The guide will describe the hardware, software and configurations the project used to address the issues presented in this use case so that others can replicate the approach.
The NCCoE works with industry, academic and government experts to find practical solutions for businesses’ most pressing cybersecurity needs. The center was established in 2012 with the state of Maryland and Montgomery County, Md. In 2014, MITRE Corp. was awarded a contract to support the center as a federally funded research and development center, the first dedicated to cybersecurity.
The wireless infusion pump use case can be found on the NCCoE website. Comments should be submitted by Jan. 18, 2015.