A National Institute of Standards and Technology (NIST) reference document is providing some of the clearest guidance from the U.S. government for securing connected medical devices, but may be setting too low a bar for securing wireless communications, according to a security expert.
NIST, working with the University of Minnesota’s Technological Leadership Institute, released a draft Use Case document (PDF) on December 18 to help health care providers “secure their medical devices on an enterprise networks.” However, in the area of communications security, the document suggests the use of WEP (Wired Equivalent Privacy), a legacy wireless security technology that can easily be cracked.
NIST released the draft security use case document and is seeking feedback from the public. The drug infusion pump case study is described as the “first of a series” of similar use cases that will focus on medical device security, NIST wrote.
The draft document presents a technical description of the security challenges that wireless infusion pumps create for enterprises, including threats and vulnerabilities, as well as ways to mitigate those threats.
Wireless infusion pumps present a wide array of challenges, the NIST documents explains. The devices are typically connected to the local network as well as backend servers and electronic health record systems (EHR). The devices are often shipped with hard coded administrator credentials that are intended for both maintenance and clinical use. Many do not tolerate scans by traditional enterprise IT security tools, nor do they offer features for streamlined software upgrades, NIST notes.
As a result, infusion pumps are an easy target both for third parties who connect to them remotely or degraded by malware infections from within the hospital or medical environment.
The security of connected medical devices has been a cause for consternation in recent years, as enterprising hackers have exposed a lack of communications and device security that exposes patient data and could, potentially, interfere with patient care.
The NIST use case document provides guidance on the kinds of security issues medical organizations should look to address with their infusion pumps: from user credentials needed to gain access to the medical network, to the security of wireless access points the pumps connect to, to the use of codes that grant users access to the pump itself.
In a section on threat events, the document outlines possible attacks on wireless infusion pumps, and acceptable mitigations. For example: the use of firewalls and intrusion detection system software is recommended to protect backend assets from compromise. Identity management and multi-factor authentication is recommended as a risk mitigating technology for so-called “brute force” login attacks.
In the case of man in the middle and communications interception attacks, however, the draft document suggests the “implementation of strong encryption measures; WPA and WEP encryption.” That recommendation was already attracting flak from security professionals, who noted that the 16 year-old technology is widely regarded as insecure. In fact, FDA guidance already prohibits the use of WEP in medical devices.
The security of medical devices is a stated goal for the U.S. Food and Drug Administration. That agency issued a public call for ideas for securing medical devices in September. Further, the U.S. Department of Health and Human Services identified the security of mobile and networked medical devices a top priority in 2014. The FDA has also issued guidance to medical device makers and hospitals that use their products to pay more attention to cyber security and the potential for cyber attacks on vulnerable medical instruments.