Wirelessly connecting infusion pumps to point-of-care medication systems and EHRs improves healthcare delivery but also increases cybersecurity vulnerability, warned NIST and the National Cybersecurity Center of Excellence (NCCoE) in a new guide.
If not properly secured, wireless infusion pumps open healthcare delivery organizations (HDOs) to access by hackers, breach of PHI, loss or disruption of equipment and services, and damage to reputation, productivity, and revenue.
“With an increasing number of infusion pumps connecting to networks, the vulnerabilities and risk factors become more critical, as they can expose the pump ecosystem to external attacks, compromises, or interference,” warned the guide, NIST SP 1800-8: Securing Wireless Infusion Pumps.
Wireless infusion pumps are challenging to protect, the guide observed. They can be infected by malware, which can cause them to malfunction or operate differently than originally intended. Unfortunately, traditional malware protection could negatively affect the pump’s ability to operate efficiently.
In addition, most wireless infusion pumps contain a maintenance default passcode. “If HDOs do not change the default passcodes when provisioning pumps, and do not periodically change the passwords after pumps are deployed, this creates a vulnerability. This can make it difficult to revoke access codes (e.g., when a hospital employee resigns from the job). Furthermore, information stored inside infusion pumps must be properly secured, including data from drug library systems, infusion rates and dosages, or PHI,” the guide noted.
The wireless infusion pump ecosystem creates a large attack surface because vulnerabilities in operating systems, subsystems, networks, or default configuration settings could allow unauthorized access.
Because many infusion pump models can be accessed and programmed remotely through a wireless network, vulnerabilities could be exploited by an unauthorized user to interfere with the pump’s function, harming a patient through incorrect drug dosing or the compromise of that patient’s PHI.
These risk factors expose the wireless pump ecosystem to external attacks, compromise, or interference, the guide warned.
To counter these threats, SP 1800-8 offers HDOs best practices on how to manage wireless infusion pumps and related assets, protect against threats, and mitigate vulnerabilities.
Fred Donovan is a writer for healthitsecurity.com