
NIST Guide Focuses on Healthcare Wireless Network Security

NIST releases a new guide to advise organizations on healthcare wireless network security for infusion pumps.


By Elizabeth O'Dowd

Clearwater Compliance announced its partnership with NIST and the National Cybersecurity Center of Excellence (NCCoE) to help organizations improve healthcare wireless network security.

The partnership focuses on securing wireless infusion pumps. NIST released a draft practice guide, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations, outlining best practices. The guide also advises healthcare organizations on how to use standards-based, commercially available cybersecurity technologies to protect their wireless network.

The guide presents methods for addressing assets, threats, and vulnerabilities, and also provides a NIST-based risk assessment. Organizations following the guide will be able to create layers of cybersecurity that work together to protect against threat sources and threat events.

The guide also helps entities follow HIPAA security standards.

The NCCoE guide can also help healthcare organizations:

  • reduce cybersecurity risk, and potentially reduce impact to safety and operational risk, such as the loss of patient information or interference with the standard operation of a medical device
  • develop and execute a defense-in-depth strategy that protects the enterprise with layers of security to avoid a single point of failure and provide strong support for availability
  • implement current cybersecurity standards and best practices, while maintaining the performance and usability of wireless infusion pumps

“Reducing cybersecurity risk, developing and executing in-depth cybersecurity strategies and offering best practices for healthcare organizations especially as it applies so directly to patient safety issues is critical to Clearwater’s mission,” Clearwater Compliance CEO Bob Chaput said in a statement. “We are honored to collaborate with NIST on a guide that improves the awareness as cybersecurity has rapidly evolved to become a patient safety, and therefore, a significant business risk management issue for health delivery organizations.”

Wireless infusion pumps connect to many health IT infrastructure systems within an organization, giving them access to clinical data.

“Although connecting infusion pumps to point-of-care medication systems and EHRs can improve healthcare delivery processes, using a medical device’s connectivity capabilities can create significant cybersecurity risk, which could lead to operational or safety risks,” the report stated. “Tampering, intentional or otherwise, with the wireless infusion pump ecosystem can expose a healthcare provider’s enterprise to serious risks.”

Some of the risks include access by malicious outsiders, loss or corruption of EHRs and clinical data, PHI breaches, loss or disruption of healthcare services, and damage to an organization’s reputation, productivity, and bottom-line revenue.

Infusion pumps are part of the healthcare Internet of Things (IoT), which continues to grow to include more connected medical devices. The growing number of medical IoT devices increases the risk of a device becoming compromised and potentially leaving the network vulnerable.

Securing medical devices is important because hackers can use any connected device to gain access to a network, regardless of how minimal the device is.

Medical device security is more than just protecting devices from outside threats. Devices transmitting information to the wrong place can violate HIPAA regulations.

For example, an infusion pump may try to send a web request out to the internet instead of just communicating with the management server. Devices communicating abnormally can cause security problems for the network. Administrators may never detect small and potentially dangerous malfunctions if the proper security measures are not taken in advance.
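One way to surface the abnormal communication described above is to compare flow records from the pump network segment against an allowlist of expected destinations. The following is an added example, not code from the NIST guide or this article; the pump subnet, management server address and log format are assumptions, and the flow records are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed values for illustration; none come from the NIST guide or the article.
PUMP_SUBNET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED = {("10.20.40.10", 443)}  # hypothetical pump management server
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: time src dst dst_port proto
SAMPLE_FLOWS = """\
2024-01-01T08:00:01Z 10.20.30.11 10.20.40.10 443 tcp
2024-01-01T08:00:05Z 10.20.30.12 10.20.40.10 443 tcp
2024-01-01T08:01:17Z 10.20.30.11 203.0.113.80 80 tcp
2024-01-01T08:02:40Z 10.20.30.12 10.20.50.7 445 tcp
2024-01-01T08:03:02Z 10.20.60.5 198.51.100.9 443 tcp
malformed line
"""

def find_violations(log_text):
    """Return (violations, skipped) for pump flows to non-allowlisted destinations."""
    violations, skipped = [], 0
    for line in log_text.splitlines():
        try:
            ts, src, dst, port, _proto = line.split()
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            skipped += 1  # count unparsable lines so gaps in visibility are not silent
            continue
        if src_ip not in PUMP_SUBNET or (str(dst_ip), port) in ALLOWED:
            continue  # not a pump, or expected traffic to the management server
        internal = any(dst_ip in net for net in INTERNAL)
        kind = "unexpected-internal" if internal else "internet-egress"
        violations.append({"time": ts, "pump": str(src_ip), "dst": str(dst_ip),
                           "port": port, "kind": kind})
    return violations, skipped

def summarize(violations):
    """Group findings by pump address for triage."""
    by_pump = defaultdict(list)
    for v in violations:
        by_pump[v["pump"]].append(f'{v["kind"]} -> {v["dst"]}:{v["port"]}')
    return dict(by_pump)

if __name__ == "__main__":
    found, skipped = find_violations(SAMPLE_FLOWS)
    for pump, items in summarize(found).items():
        print(pump, items)
    print("unparsed lines:", skipped)
```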

Healthcare organizations are managing increasingly complex network security environments, in which the fundamental protection of connected medical devices is often overlooked. Organizations can use the NIST guide to ensure that they are covering all connected medical devices and are using security solutions to the best of their ability.