
NIST Issues New Guidance on Securing Medical IoT Devices

The use of Internet of Things (IoT) devices has exploded across numerous industries, and healthcare is no exception. However, the past 2 years have shown that healthcare delivery organizations (HDOs) are particularly exposed to cyberthreats. One recent factor increasing the industry's exposure has been the widespread adoption of medical IoT devices, including wireless infusion pumps.

Infusion pumps in a hospital corridor


Infusion pumps are used to deliver metered doses of medication or fluids to patients in a way that saves time and money over having the nursing staff perform the task. Until recently, these devices were offline, stand-alone instruments. Now, wireless technology allows these devices to be connected to several different systems, allowing for constant monitoring and remote control.

The news of vulnerabilities in wireless infusion pumps highlights the incredibly complex technical data environments that HDOs' security staff must contend with. HDOs rely on numerous converging networks that handle personally identifiable patient information across coding, billing, and insurance systems; clinical care management; inventory and supply chain management; and supporting industries like pharmaceuticals and radiology. If improperly configured, these devices could easily serve as a gateway for cybercriminals to carry out an attack against a patient or to gain access to an HDO's broader networks.

According to the executive summary of the new NIST guide, the use of these and other connected medical devices "can create significant cybersecurity risk," which in turn opens the door to both operational and safety risks. In addition to the direct risk posed to the patient, HDOs also face:

  • Wider network access by threat actors;
  • Loss or corruption of patient health or organizational data;
  • Violating the Health Insurance Portability and Accountability Act (HIPAA) through a breach of personal health information;
  • Losses or disruptions to other healthcare services; and/or
  • The potential for significant reputational and revenue damage.

With that in mind, the National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) partnered with a number of industry vendors and integrators to create standards that provide HDOs with a series of best practices.

According to the publication, the guide is aimed at helping HDOs to:

  • “[R]educe cybersecurity risk, and potentially reduce impact to safety and operational risk, such as the loss of patient information or interference with the standard operation of a medical device”;
  • “[D]evelop and execute a defense-in-depth strategy that protects the enterprise with layers of security to avoid a single point of failure and provide strong support for availability”; and
  • “[I]mplement current cybersecurity standards and best practices, while maintaining the performance and usability of wireless infusion pumps.”

While directed at the healthcare industry, some of these best practices (such as the defense-in-depth strategy) are more broadly applicable. The free publication can be found at the NCCoE website.