Guarding the flow: Enhancing cybersecurity measures for infusion pump systems

Strengthening security measures in widely used hospital devices helps protect patient safety and the integrity of the healthcare system.
09:20 AM

Photo: Lorado/Getty Images

Insufficient cybersecurity presents a tremendous threat to patient safety. According to the American Hospital Association, it is vital that organizations align their cybersecurity and patient safety initiatives to safeguard both patient health and their networks.1 Far too often, according to Brian Heersink, Information Technology (IT) Director at San Luis Valley Health in Alamosa, Colorado, organizations overlook a widely used access point that can put their entire network at risk: infusion pump systems. Because of the risks posed by outdated software and firmware, inadequate patching, and missing updates, these devices offer a huge opportunity for exploitation.2

“When infusion pumps first showed up on the scene, they just delivered medication. But as connectivity was added to these pumps to help update their software, firmware, and drug libraries, hackers realized they were connected to the network with nothing protecting them,” he explained. “Now that electronic medical record-to-pump connectivity requires a live connection at all times, this is an even bigger concern. Several hospitals have been infiltrated by bad actors who used infusion pumps as a springboard to attack the rest of the network.”

While IT teams attempted to manage the associated vulnerabilities by isolating their pumps, Heersink said that wasn’t enough. To ensure the integrity of communications between infusion pumps and their networks, healthcare organizations should invest in systems that provide convenient ways to manage cybersecurity certificates, pump provisioning, and strong authentication and encryption protocols.

“Certificates allow communication only to and from known devices–and they also help with data encryption at rest,” he added. “Pump provisioning is of benefit because if one pump is compromised–maybe there’s a security vulnerability that happens very quickly and the manufacturer can’t get to it–you can take down one pump instead of having to take down the entire fleet and deal with your patients not being able to get the medications they need.”

San Luis Valley Health decided to invest in the Ivenix Infusion System for just this reason. Heersink said that the fact that each pump leverages advanced computer technology, complete with firewalls and intrusion prevention capabilities, means that his staff can quickly patch and upgrade the pumps to ensure they remain available to provide patients with lifesaving medications.

“Between wireless settings and software updates, we can quickly and easily keep the devices up to date with minimal human intervention,” he explained. “The drug library updates happen in the background and don’t interfere with what the nurses need to do. The management of these systems takes a huge burden away from multiple teams and gives us added assurance that we can better control what’s on our network.”

Considering infusion pumps’ history as a major security concern, Heersink recommends that hospitals and health systems work with vendors who understand the nuances of proper medication management as well as the principles of cybersecurity.

“Infusion pumps are one of the most widely used devices at the hospital. Having the ability to secure them, not just today but into the future, should be part of any IT team’s cybersecurity strategy,” he said. “When you can work with a partner who has a strong security background and understanding as well as a long-term cybersecurity vision, you are in a better position not just to protect your network from potential threats but also to ensure that your patients are getting the care they need.”

Please see a full list of warnings and cautions associated with this device here.

*The opinions expressed in this article are the author's own and do not reflect the view of Fresenius Kabi.

Reference

  1. Riggi J. The importance of cybersecurity in protecting patient safety. AHA Center for Health Innovation. https://www.aha.org/center/cybersecurity-and-risk-advisory-services/importance-cybersecurity-protecting-patient-safety
  2. Das A. March 22, 2022. Know your infusion pump vulnerabilities and secure your healthcare organization. Unit 42. https://unit42.paloaltonetworks.com/infusion-pump-vulnerabilities/
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.