NIST partnership focuses on infusion pump security


The National Institute of Standards and Technology and consultancy Clearwater Compliance have teamed up to improve security practices for wireless infusion pumps.

Last year, the Food and Drug Administration warned of vulnerabilities in some Hospira models; security experts also have warned that the devices can be hacked.

Infusion pumps generally have long life cycles, and security often was not top of mind when they were designed, as medical device security expert Kevin Fu has pointed out.

In wireless versions, dosing instructions can be sent remotely, meaning the pumps hold patient data subject to HIPAA that must be removed before the devices are decommissioned. That makes full life cycle management vital, Gavin O’Brien, senior cybersecurity engineer with the NIST National Cybersecurity Center of Excellence, recently told

Rather than trying to come up with solutions independently, NIST has been reaching out to hospital executives and other users for input on the problem, according to the article.

“Instead of making this a government mandate, they are trying to determine best practices, based on real-world examples,” Clearwater Compliance CEO Bob Chaput told

The short-term goal is to create guidance documents for healthcare CIOs and chief information security officers; longer-term, NIST plans to create and share a software-as-a-service platform for securing the devices on an enterprise network.

It also plans to work with providers to help them better use the tools they have in place and determine whether they need other tools and software for more effective security.