Medical device security is demonstrably lax, and there’s no guarantee it will improve from a project launched by the National Cybersecurity Center of Excellence. They’re seeking comments from the medical field on securing wireless infusion pumps. The input will form the basis for a set of security guidelines.
The wireless infusion pumps send medication into the bloodstream. They’re centrally controlled via network connection, allowing access to patient records. The pumps receive information on proper dosage and other medical details that automate treatment and ostensibly reduce mistakes.
What could possibly go wrong? Connected medical devices are a honeypot for cybercriminals to commit everything from prescription drug fraud to homicide. Securing them is serious business, but the rate of cyberattacks involving advanced medical devices is likely to increase before it gets better.
In this NCCoE project, the how-to will flow from the security-deficient industry itself to the government agency, which will use it to compile security guidelines, and then send them back to an industry that’s lukewarm about beefing up security. That’s the situation, as outlined at Gov Info Security.
The good news is that NIST standards will apply (NIST is the acronym for National Institute of Standards and Technology). Using the NIST standards means there’s some hope of creating a uniform security framework that can be applied to other advanced medical devices. But it’s only helpful if this infusion pump project generates a high-quality body of information.
Habeas Hard Drive hopes for the best, but predicts continued chaos in the field for the medium term. The FDA has issued voluntary recommendations for cybersecurity in medical devices. They’re not legally enforceable, and neither is anything coming out of the NCCoE.