NIST issues draft of cybersecurity guidance for wireless infusion pumps

A recent hack at a New York Marriott hotel serves as a wake-up call for hotel security teams.
Wireless infusion pumps are flooding the market, creating new cybersecurity vulnerabilities, according to NIST.

Pointing to a growing number of wireless infusion pumps entering the market, the National Institute of Standards and Technology (NIST) has released draft guidelines for healthcare systems to address cybersecurity threats.

Although infusion pumps were once standalone instruments, the influx of wireless devices has created new and potentially dangerous cybersecurity threats that could interfere with functionality—by initiating changes to prescribed drug doses—or compromise personal data by providing hackers with an additional entry point to a hospital’s network.

RELATED: NIST partnership focuses on infusion pump security

NIST’s National Cybersecurity Center of Excellence analyzed risk factors associated with wireless infusion pumps and developed draft guidelines that focus on using cybersecurity technology to protect vulnerable entry points. The guidelines urge hospitals to take a host of precautions, including:

  • Conduct a risk assessment of any wireless devices
  • Implement a physical access management program to track unique mobile media like flash drives
  • Clear wireless credentials if the pump is transported to another facility
  • Change wireless network authentication credentials regularly
  • Employ individual pump authentication rather than a shared key
  • Segment the hospital's network

The FDA has urged medical device manufacturers to build cybersecurity into any new devices or upgrades, noting that manufacturers can issue cybersecurity updates for any reason without FDA approval. Experts have argued that medical devices are the next big target for hackers.