Posted 25 January 2016
By Michael Mezher
The National Institute of Standards and Technology (NIST) is launching a project to improve the cybersecurity of wireless infusion pumps.
To do so, NIST's National Cybersecurity Center of Excellence (NCCoE) is looking for vendors to provide it with the components and technical expertise required to simulate the hospital environment in which infusion pumps operate.
In a notice published in the Federal Register Monday, NIST said the goal of the project is to help health providers secure wireless infusion pumps on an enterprise network.
The project will look at the lifecycle of an infusion pump in a hospital setting, from procurement to decommissioning, as well as the types of infrastructure that interacts with the pumps, including the pump server, wireless networks and a hospital's biomedical engineering department.
NIST says its call for participants is only the start "of a process that will identify research participants and components of a laboratory environment to identify, evaluate, and test relevant security tools and controls," according to a white paper published alongside the notice.
The project will also look at how hackers can interact with the relevant hospital systems.
"Hackers may attempt to attack the pump through various vectors, including the pump, pump server, wireless network, clinical systems, and the hospital IT systems," according a scenario presented in the white paper.
When completed, the NCCoE says the project will help inform a "multi-part practice guide that will help the community evaluate the security environment surrounding infusion pumps deployed in a clinical setting."
In recent years, medical device cybersecurity has become a growing concern. News reports about security researchers discovering vulnerabilities in medical devices are more and more common.
In July 2015, FDA warned health care providers that Hospira's Symbic Infusion System could be remotely accessed and manipulated to tamper medications being delivered via the pump. While FDA noted that it was not aware of any cases where this occurred, it still advised hospitals to take steps to sure up the device's security.
On Thursday the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) revealed another security flaw related to Hospira infusion pumps, in which a hacker could potentially exploit a vulnerability to remotely execute code on a device.
To date, FDA has issuedseveralguidance documents concerning device cybersecurity and last week held two public workshops on the subject.
NCCoE Use Case