be a program to assess, update, and patch them on an ongoing basis. But patching should follow a systematic approach. Guidance
on software vulnerabilities and patching software issued in June
2018 by the US Department of Health and Human Services’ Office
for Civil Rights emphasized the importance of confirming that a
patch has not compromised the functionality of a device and of
making sure that the clinical staff is oriented appropriately.
The FDA draft guidance in October 2018 also mentions the
concept of segregating some devices on the organization’s network to limit the negative impact of an exploit of an older device
that can no longer be patched or updated effectively. NCCoE
recommends implementing media access control (MAC) address filtering to
limit access to medical devices by unauthorized actors attempting to infiltrate the organization’s network through an exposed
ethernet port on the device.
The human element is critical to cybersecurity and this arena is
no different. Securing wireless infusion pumps and other wireless
devices will involve clinical and IT staff working collaboratively
to develop procedures that will ensure reasonable, workable
physical and technical safeguards are implemented and can be
followed without disrupting patient care. On its Medical Device
webpage, the FDA recommends establishing teams of clinical,
management, and IT personnel who work collaboratively to develop and refine policies and respond to incidents, and the FDA
website has several webpages targeted at the various clinical, IT,
and management disciplines that have responsibilities for the acquisition, deployment, or use of infusion pumps.
The NCCoE guidance highlights the importance of role-based
access to the devices, limiting access to particular functions on
an infusion pump solely to persons whose job functions require
them to use those functions. NCCoE also emphasizes the fundamental
principle that devices should not be deployed with
default passwords or other manufacturer-installed settings that
would expose them to malicious attacks.
The ability to carry out these protective measures must be factored
into the process of acquiring new devices, and the FDA has
highlighted a number of important features for manufacturers
to implement in a checklist on page 13 of its draft guidance. The
checklist identifies important features that should be considered
by healthcare organizations in purchasing wireless devices.
The FDA’s draft guidance in October 2018 also emphasizes
the value of information sharing about risks and vulnerabilities
among the user community. Among the Information Sharing and
Analysis Organizations (ISAOs) established to facilitate timely
sharing of information about cybersecurity threats is the Health
Information Sharing and Analysis Center.

Stay Tuned as Threats Evolve

While the guidance from the FDA and NCCoE contains important cybersecurity tools that are ready to be implemented now, it
is important to stay tuned as cybersecurity threats evolve.