MINNEAPOLIS — The humble infusion pump: It stands sentinel in the hospital room, injecting patients with measured doses of drugs and writing information to their electronic medical records.
But what if hackers and identity thieves could hijack a pump on a hospital’s information network and use it to eavesdrop on sensitive data such as patient identity and billing data for the entire hospital?
It is not a far-fetched scenario. Although the hacking of wireless infusion pumps hasn’t happened, it is considered a critical cybersecurity vulnerability in hospitals — so much so that federal authorities are focusing on the pumps as part of a wide-ranging effort to develop guidelines to prevent cyberattacks against medical devices.
Pumps with Wi-Fi were selected to kick off the new effort because their individual vulnerabilities are magnified by their sheer numbers in hospitals and clinics.
“Infusion pumps are ubiquitous,” said Linda Zdon, director of information security and compliance at Allina Health, a 12-hospital system in the Minneapolis-St. Paul area that has more than 3,000 pumps.
“Almost every hospital patient at some point has an infusion pump. So it certainly strikes at an area that has a broad application for most patients, and therefore has a significant impact on health systems.”
Device makers say they’re working to improve security, but hospitals complain that the companies have been moving too slowly on a vulnerability that puts hospitals’ information systems at risk.
In a Nov. 21 letter to the U.S. Food and Drug Administration, the American Hospital Association urged the government to “hold device manufacturers accountable for cybersecurity.”
The Homeland Security Department, meanwhile, is reportedly investigating suspected cybersecurity flaws in one model of infusion pump.
Patients tend to fear that a malicious person would try to steal data or even scramble the dosing instructions for a pump. Although those risks are real, they are far less likely than a hack to gain access to a hospital’s wider network traffic, security experts say. Attacking an individual through a pump would draw attention and close off what could be a potentially lucrative entry point to many patients’ data.
The National Institute of Standards and Technology unveiled a project in December in a presentation before the University of Minnesota’s Technological Leadership Institute. Several people there likened hospitals’ infusion-pump vulnerability to what happened at Target Corp. In 2013, hackers accessed personal data on more than 70 million customers after breaching the retailer’s computer system through a digital side door created for a heating, ventilating and air-conditioning contractor.
“The infusion pump is to the hospital what the HVAC system was to Target. That is, it becomes the vector to get in,” said Ken Hoyme, a computer-security scientist at Adventium Labs in Minneapolis.
The NIST hopes to publish its first set of recommendations as soon as next fall, and then move on to security vulnerabilities in implantable medical devices and large equipment such as magnetic-resonance imaging scanners.
Although it’s a common fear that talking openly about cybersecurity vulnerabilities will give hackers ideas, experts note that attackers would still need an extraordinary amount of skill and access to a device to pull off an attack.
The FDA — working independently from the NIST study — has been concerned about infusion pumps since it launched a 2010 review of software defects and related issues in response to 56,000 reports of adverse events.
Separately, the FDA last fall convened its first cybersecurity conference for medical devices, including infusion-pump makers. After the FDA meeting, Reuters reported that Homeland Security officials have opened investigations into suspected cybersecurity flaws in medical devices, including an infusion pump sold by supplier Hospira.
Hospira, which is listed as the lone maker of devices working with NIST on the infusion-pump guidelines, declined to comment.
CareFusion, a major infusion-pump maker based in San Diego, listed several steps it takes to secure its devices, including working with third-party experts to test and validate product security and using strong data encryption.
After the recent Sony Pictures Entertainment hack, Homeland Security Secretary Jeh Johnson said in a statement, “This event underscores the importance of good cybersecurity practices to rapidly detect cyberintrusions and promote resilience throughout all of our networks. Every CEO should take this opportunity to assess their company’s cybersecurity.”
Date: January 12, 2015