Securing Wireless Infusion Pumps

Cited by: 2
Authors
Arbelaez, Andrea [1]
Edwards, Sallie [2]
Littlefield, Kevin [2]
Wang, Sue [2]
Zheng, Kangmin [2]
Affiliations
[1] NIST, Gaithersburg, MD 20899 USA
[2] MITRE Corp, Rockville, MD USA
Keywords
infusion pumps; medical device; cybersecurity; healthcare
DOI
10.1109/SecDev.2018.00037
Chinese Library Classification number
TP301 [Theory, Methods]
Discipline classification code
081202
Abstract
The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses' most pressing cybersecurity challenges. Through this collaboration, the NCCoE applied standards, best practices, and commercially available technologies to develop an example cybersecurity solution for securing wireless infusion pumps in healthcare delivery organizations (HDOs). Infusion pumps are the most network-connected medical devices in HDOs [1]. While connecting infusion pumps to clinical systems can improve healthcare delivery processes, this expands the threat landscape, leading to operational or safety risks. Cybersecurity researchers have identified system vulnerabilities in wireless infusion pumps, highlighting ways an attacker may compromise the infusion pump ecosystem (i.e., the ecosystem consisting of the pump, inclusive of drug libraries and other data, as well as the network). Tampering with the wireless infusion pump ecosystem may expose a healthcare provider's enterprise to serious risks, such as (1) a breach of protected health records, (2) changes to prescribed drug dosage, and (3) disruption of healthcare services by malicious actors. For this project, the NCCoE worked with several infusion pump manufacturers and technology and service providers in a collaborative setting. The project included a risk assessment, mapped to industry-standard controls, constructed a lab, and applied concepts discussed within a community of interest consisting of the project participants. The NCCoE analyzed ecosystem risk factors by leveraging the NIST Cybersecurity Framework [2].
With the assessment results, the project team constructed a laboratory environment that modeled an HDO and developed and implemented a reference architecture that exemplifies how HDOs can use standards-based, commercially available cybersecurity technologies to better protect the ecosystem. As a result of this project, the NCCoE produced a publicly available practical guide, NIST Special Publication (SP) 1800-8, Securing Wireless Infusion Pumps [3], to inform HDOs on risks associated with deploying and operating wireless infusion pumps, and how to improve cybersecurity. This NIST SP provides detailed guidance on asset management, threat protection, and vulnerability mitigation. It maps the ecosystem's characteristics to the Health Insurance Portability and Accountability Act Security Rule and established standards, such as the NIST Risk Management Framework and industry-established standards such as IEC 80000-1 (International Electrotechnical Commission documentation on risk mapping and controls application for networked medical devices) [4]. The NCCoE applied a risk-based approach, creating a "defense in depth" solution, noting identified risks. NIST SP 1800-8 shows how biomedical, network, and cybersecurity engineers and information technology (IT) professionals may configure and deploy wireless infusion pumps, servers, workstations, and network components to reduce cybersecurity risk. NIST SP 1800-8 helps healthcare providers: (1) better understand cybersecurity risk; (2) develop and execute a defense-in-depth strategy, avoiding single points of failure; and (3) implement current cybersecurity standards and reasonable practices by using current, publicly available cybersecurity tools and practices.
Pages: 141 / 141
Page count: 1