Executive Summary
Infusion pumps pose a major risk to data security in healthcare facilities. The wireless connection to the pump often can be used to access the computer system.
• The pumps are much more computerized than in the past.
• Infusion pumps from the same vendor have the same login and password.
• Risk Managers Should Demand Improvements From Vendors.
Cyber security experts and healthcare leaders are warning that the biggest threat to your hospital system’s data security might be one of the most innocuous, seemingly harmless devices that doesn’t even appear to have anything to do with your computer system: the infusion pump.
The simple infusion pump poses a grave threat to system security, says Linda Zdon, director of information security and compliance at Allina, a 12-hospital health system based in Minneapolis. Allina spotted the issue during implementation of new infusion pumps recently, when engineers realized the pumps had little security but were connected to the rest of the hospital’s computer system.
“Our network engineers raised some concerns to our security engineers that there could be a weakness with the infusion pumps,” Zdon says. “Infusion pumps are much smarter than they used to be. Five or 10 years ago they were barely computerized, but now they are mini-computers connected by a wireless network so that data can be pushed to them and data can be harvested from them.”
Infusion pumps are ubiquitous because almost every hospital patient uses them at some point, Zdon says. Allina has at least 3,000 across the system, she says. Allina has been working with the National Institute of Standards and Technology (NIST) in Gaithersburg, MD, to develop a “use case,” which is a form of technical analysis, for wireless pumps. The goal is to develop new standards to harden medical devices against cyberattacks and computer viruses.
The American Hospital Association sent a letter to the Food and Drug Administration in November 2014 urging the federal government to hold device manufacturers accountable for cybersecurity. In December, NIST warned healthcare providers of the cyber risks from infusion pumps and noted that “[w]hile this technology has created more powerful tools and improved health care, it has led to additional risks in safety and security.”
The digitation of medical records and value of personal health information (PHI) on the black market makes the healthcare industry particularly vulnerable to data breaches, notes Michael Bruemmer, vice president of Experian Data Breach Resolution in Austin, TX. In fact, the healthcare sector represented about 42% of all major data breaches in 2014 alone, he says. He expects to see that percentage grow.
“In order to protect patient data and avoid hefty regulator fines, the industry needs to come up with a stronger solution to improve its cybersecurity strategies and be prepared for the likelihood of a data breach,” Bruemmer says. “This means conducting frequent security training with employees, investing in the most up-to-date security technologies, and having a strong data breach response plan in place so a company can react immediately when a breach is discovered.” (For more on cyber security and response to a data breach, see Healthcare Risk Management, August 2014, pp. 78-81.)
Addressing the risk can be challenging because vendors are more focused on the pump itself and offer little help with securing the network that the pump is connected to, Zdon says. Risk managers will have to work with their own network engineers to secure the network, with some input from the vendor, she says.
One difficulty is that infusion pumps from the same company have a single password for every pump across the country, Zdon says. That universal password makes it difficult to secure the unit itself from hackers, which practically eliminates the first step that any network engineer would want to take, she explains. But it also would not be practical for even every infusion pump in a facility to have its own unique password.
“We need to work with vendors to make the security of the individual devices better, but on the other hand if they make the security really good, at some point the device becomes almost unusable,” Zdon explains. “It’s a balancing act.”
In the past, the IT department at healthcare facilities has not been responsible for managing infusion pumps because they were not computerized in a significant way, Zdon notes. Medical device managers or bioengineers were more likely to be responsible. Now, Zdon says, the risk manager might need to get both departments together to develop a security plan for infusion pumps.
Infusion pumps are a good example of companies trading easy access for security, says Sergio Galindo, president of GFI Software in Durham, NC, and a former hacker himself. He notes how often major software companies such as Microsoft and Adobe issue security fixes for their products, but infusion pumps have a similar underlying operating system that is rarely, if ever, updated. “Even if the infusion pumps need only a tenth of the security patches that Microsoft issues, there still should be significant updates that could respond to bugs or new developments in what hackers are doing,” he says. “Hospitals need to put pressure on the vendors to treat these devices like the computers they are and not let them get away with saying they’re just infusion pumps and not computers.”
Before signing contracts with an infusion pump vendor, the hospital should require an explanation of how the vendor will issue updates, who they will go to at the hospital, and how the hospital’s engineers can receive help from the vendor to secure the infusion pump network, Galindo says.
“One good strategy is to bring in an IT tester, sometimes called a ‘white hat,’ and have them go around the hospital to see what they can access,” Galindo suggests. “Whether its infusion pumps, Wi-Fi, or a device that is broadcasting information that it shouldn’t, a person with the same skills as a hacker can find your weak points.”
Michael Bruemmer, Vice President, Experian Data Breach Resolution, Austin, TX. Email: [email protected].
Sergio Galindo, President of GFI Software in Durham, NC. Telephone: (781) 418-2474.
Linda Zdon, Director of Information Security and Compliance, Allina, Minneapolis. Email: [email protected].
