Medical Device Cybersecurity Tools or Compensating Controls


Medical devices, such as infusion pumps, are a critical component of our national healthcare delivery system. There are millions of digitally connected medical devices in our hospitals, nursing homes, outpatient clinics, other commercial points of care and, increasingly, in the home. These devices are connected to people and to critical networks in these environments, and vulnerabilities in their programming provide entry points for cyber attacks with significant consequences [1].

There will be billions of exposures between patients and connected medical devices over the next 10 years. It is imperative that the technology, security, medical and public health experts collaborate to better design, implement and operate medical devices that compose critical cyber physical human systems.

NIST is working on cybersecurity guidance for wireless infusion pumps [2]. NIST is interested in funding innovative technologies to better secure medical devices and device-associated networks in order to deliver safer clinical workflows and environments. These technologies should have near-term commercial potential and promise of adoption by healthcare delivery systems. These technologies would deliver increased awareness of device fitness, function and security threats in the promotion of safer healthcare delivery environments.

Phase I expected results:
Design of the hardware and/or software for a medical device, or a compensating control for a medical device, that demonstrates the desired security properties/features while not having a negative impact on the functionality or safety of the device. Some examples of these security properties/features are malware protection, device monitoring, asset inventory, risk assessment, encryption, patching and updating, device tracking, etc. Description of the threats that the design will counter. Example scenarios of specific attacks that will be thwarted by the device.

Phase II expected results: Provide a prototype that demonstrates the design and attack scenarios from Phase I. Along with the prototype, provide a discussion of the security properties/features it addresses and how this fits within the healthcare ecosystem, taking into consideration the cyber-safety concerns of medical devices as well as the usability challenges presented within the healthcare environment.