which they can be easily updated or patched.
Infusion pumps will store sensitive patient information, but
may lack the ability to encrypt it either at rest or in transit.
Infusion pumps with external or removable media heighten the risk of inappropriate disclosure of information, as
well as the introduction of malicious software.
Appendix C in the NCCoE Report contains a concise list of
recommendations and best practices, but emphasizes that
the threat landscape is constantly evolving. NCCoE is inviting comments on its guidance. To comment or to learn more,
including how to arrange a demonstration of its example implementation, contact NCCoE at email@example.com.
In the meantime, the NCCoE and the FDA suggest a number of basic practical steps
that organizations can implement. They revolve around the three overarching domains of security in the HIPAA Security Rule: the physical, the technical, and the administrative.
The first step in the NIST Cybersecurity Framework is identify, which entails a concerted effort to identify every wireless
infusion pump in the organization (along with other
9 Each organization will want to create and
continuously update this inventory with detailed information, including the manufacturer of each device and contact
information; the departments or locations within the organization where each type of pump is typically used and their
typical use cycles; and whether the manufacturer has issued
software updates or patches and documentation that patches
Another obvious but still important issue highlighted by NCCoE is establishing a secure area where devices not in use may
be stored, which remains reasonably accessible to the clinical
staff who must employ them.
The FDA draft guidance in October recommends that device
manufacturers begin providing customers with a list of the
hardware and software components of a device, so that customers can understand when a publicized vulnerability might affect
their deployed devices. While this is not yet an FDA requirement,
it is not too early to collect and maintain that information as part
of the device inventory.
The NCCoE guidance spotlights the repository of vulnerability
management data maintained at the National Vulnerability Database as a source of this information.
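As an added illustration (not taken from the NCCoE report or the FDA guidance), the Python sketch below shows how an inventory that records each pump's software components can be checked against published advisories. The device names, component names, advisory identifiers and record layout are all constructed for the example and do not reflect the National Vulnerability Database's own data format.

```python
from dataclasses import dataclass

def parse_version(text, width=4):
    """Turn '1.0.9' into (1, 0, 9, 0) so versions compare numerically, not as strings."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (width - len(parts))

@dataclass
class Pump:
    asset_id: str
    manufacturer: str
    department: str
    components: dict      # component name -> installed version (from the vendor's component list)

@dataclass
class Advisory:
    advisory_id: str      # placeholder identifier, not a real CVE
    component: str
    first_affected: str   # inclusive lower bound
    fixed_in: str         # exclusive upper bound: first version carrying the fix

def affected_pumps(inventory, advisories):
    """Return sorted (asset_id, department, advisory_id) for every deployed pump
    whose installed component version falls inside an advisory's affected range."""
    hits = []
    for pump in inventory:
        for adv in advisories:
            installed = pump.components.get(adv.component)
            if installed is None:
                continue  # this pump does not ship the affected component
            low, high = parse_version(adv.first_affected), parse_version(adv.fixed_in)
            if low <= parse_version(installed) < high:
                hits.append((pump.asset_id, pump.department, adv.advisory_id))
    return sorted(hits)

# Constructed sample inventory and advisories (hypothetical names throughout).
INVENTORY = [
    Pump("PUMP-001", "ExampleMed", "ICU", {"examplessl": "1.0.9", "rtos-kernel": "4.2"}),
    Pump("PUMP-002", "ExampleMed", "Oncology", {"examplessl": "1.0.10", "rtos-kernel": "4.2"}),
    Pump("PUMP-003", "OtherVendor", "ER", {"webui": "3.1.0"}),
]
ADVISORIES = [
    Advisory("ADVISORY-PLACEHOLDER-1", "examplessl", "1.0.0", "1.0.10"),
    Advisory("ADVISORY-PLACEHOLDER-2", "webui", "3.0.0", "3.2.0"),
]

if __name__ == "__main__":
    for asset, dept, adv in affected_pumps(INVENTORY, ADVISORIES):
        print(f"{asset} ({dept}) is affected by {adv}")
```

Recording the department alongside each asset lets the result double as a work list for locating the affected pumps; PUMP-002 is not reported because its component is already at the fixed version.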
Since infusion pumps often are deployed for years, there must