An infusion pump is a medical device that delivers controlled amounts of medication, nutrients, and other fluids into a patient's body, typically through an intravenous (IV) line. These devices are found mostly in hospitals, nursing homes, and other clinical settings. The pump is programmed to set the rate and duration of fluid delivery according to the patient's needs.
Originally designed to be operated manually by a clinician, these devices can now connect to wireless networks within healthcare delivery organizations (HDOs), including point-of-care medication systems and electronic health records. Connecting infusion pumps to such systems can improve patient safety and quality of care.
That connectivity also brings security problems. The FDA has identified known security vulnerabilities in these pumps that could compromise the safety of the devices and of the patients who depend on them.
Risks, Threats, and Vulnerabilities
Because of their connectivity, infusion pumps carry serious security risks for the HDO. Despite efforts to address them, the following risks remain:
- Access by malicious actors
- Loss or corruption of enterprise information and patient data and health records
- A breach of protected health information
- Loss or disruption of healthcare services
- Damage to an organization’s reputation, productivity, and bottom-line revenue
These risks are realized through threats that can affect the operational functions and safety features of wireless infusion pumps: targeted attacks, denial of service, malware infection, and theft of devices. Wireless connectivity also exposes the pumps to vulnerabilities that affect not only the devices themselves but also the applications and personnel that rely on them. The vulnerabilities fall into the following groups:
- Lack of asset inventory
- Information/data vulnerabilities
  - Lack of encryption of private/sensitive data at rest
  - Lack of encryption of transmitted data
  - Unauthorized changes to device calibration or configuration data
  - Insufficient data backup
  - Lack of capability to de-identify private/sensitive data
  - Lack of data validation
- Device/endpoint (infusion pump) vulnerabilities
  - Debug-enabled interfaces
  - Use of removable media
  - Lack of physical tamper detection and response
  - Poorly protected and poorly patched devices
- User or administrator account vulnerabilities
  - Hard-coded or factory-default passcodes
  - Lack of role-based access control and/or of the principle of least privilege
  - Dormant accounts
  - Weak remote access controls
- IT network infrastructure vulnerabilities
  - Lack of malware protection
  - Lack of system hardening
  - Insecure network configuration
  - System complexity
Securing Infusion Pumps
Because infusion pumps deliver vital fluids to patients, the National Cybersecurity Center of Excellence (NCCoE) partnered with healthcare professionals to define additional security controls for these devices, covering risk assessment, mitigation, and management. The following controls are set forth to aid risk management:
- Physical security controls, including standard tamper-evident seals.
- Procedures for clearing wireless network authentication credentials from a pump before it is moved out of the facility.
- Regular rotation of authentication credentials.
- Validated cryptographic modules in all pumps and pump systems.
- Disabling all ports except when in use.
- Certificate-based authentication between the pump and the pump server.
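The last control above, certificate-based authentication of pumps to the pump server, also addresses the "lack of encryption of transmitted data" vulnerability listed earlier, since the authenticated channel is TLS. The following Go program is an added example written for this page, not code from the NCCoE guide or from any pump vendor. A hypothetical HDO device CA issues an identity to the pump server and to one pump; the server is configured with RequireAndVerifyClientCert so that a pump presenting no certificate, or a certificate the HDO CA did not issue, is refused, while the issued pump gets its message acknowledged. The names (HDO Device CA, pump-server.hdo.local, pump-00123, pump-rogue), the message rate=10ml/h and the loopback exchange are all constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) { // abort the demo on an unexpected setup error
	if err != nil {
		panic(err)
	}
}

// issueCert makes a P-256 key and certificate for cn, signed by parent, or self-signed (a CA) when parent is nil.
func issueCert(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // the demo runs on loopback
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed: the hypothetical HDO Device CA, or a rogue pump's own cert
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}

// runPumpServer listens on loopback, requires every pump to present a certificate chaining to caPool, and echoes one message back as "ack:...".
func runPumpServer(serverCert tls.Certificate, caPool *x509.CertPool) net.Listener {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the certificate-based authentication control
		ClientCAs:    caPool,                         // only the HDO Device CA may issue pump identities
		MinVersion:   tls.VersionTLS12,
	})
	must(err)
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			buf := make([]byte, 64)
			if n, err := c.Read(buf); err == nil { // Read runs the handshake; it fails if the pump's cert is missing or untrusted
				c.Write(append([]byte("ack:"), buf[:n]...))
			}
			c.Close()
		}
	}()
	return ln
}

// pumpConnect dials the server as a pump presenting certs (nil models a pump with no issued identity).
func pumpConnect(addr string, caPool *x509.CertPool, certs []tls.Certificate) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: caPool, Certificates: certs, MinVersion: tls.VersionTLS12})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	conn.Write([]byte("rate=10ml/h")) // constructed pump message; a write failure surfaces on the Read below
	buf := make([]byte, 64)
	n, err := conn.Read(buf) // under TLS 1.3 a rejected client certificate surfaces here, not at Dial
	return string(buf[:n]), err
}

// demo builds the CA and identities, then exercises the issued, rogue and no-cert pump cases.
func demo() (reply string, rogueRejected, noCertRejected bool) {
	_, caCert, caKey := issueCert("HDO Device CA", 1, nil, nil)
	srv, _, _ := issueCert("pump-server.hdo.local", 2, caCert, caKey)
	pump, _, _ := issueCert("pump-00123", 3, caCert, caKey)
	rogue, _, _ := issueCert("pump-rogue", 4, nil, nil) // self-signed: not issued by the HDO CA
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	ln := runPumpServer(srv, pool)
	defer ln.Close()
	reply, err := pumpConnect(ln.Addr().String(), pool, []tls.Certificate{pump})
	must(err)
	_, rogueErr := pumpConnect(ln.Addr().String(), pool, []tls.Certificate{rogue})
	_, noCertErr := pumpConnect(ln.Addr().String(), pool, nil)
	return reply, rogueErr != nil, noCertErr != nil
}

func main() { fmt.Println(demo()) }
```

Running it with `go run` prints the acknowledgement followed by two `true` values, one for each rejected pump. In a real deployment the pump's key and certificate would be provisioned at enrollment and the CA key kept offline, and the "regular rotation of authentication credentials" control above then maps to certificate rotation and revocation rather than to password changes.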
Creating a risk management plan is essential to securing these devices. Assessing an infusion pump's risks requires a full understanding of the device and of the environment in which it operates. Standards recommend defining assets as the first step of risk assessment and analysis; in this case the assets include the cybersecurity controls themselves, endpoint connections, remote access paths, and inventory control. Once the assets have been defined, the assessment can identify the risks to each of them and design the mitigations, using the vulnerability groups listed above as a checklist.