ICU Medical taps Imprivata for device cybersecurity support
ICU Medical has teamed up with IT security company Imprivata to protect network-connected infusion pumps from cyber attacks.
The partners hope to make advances that enable the identification of users and otherwise improve the physical security and cybersecurity of infusion pumps.
News of the collaboration comes two months after the U.S. National Cybersecurity Center of Excellence (NCCoE) published a report on the security of wireless infusion pumps.
Network-connected infusion pumps and the ecosystems of devices they interact with face a range of security threats. As the NCCoE noted in its report, hackers could access protected health information, change drug doses and otherwise interfere with the function of pumps. These are real concerns. Last year, researchers discovered vulnerabilities in infusion pumps made by BD and Smiths Medical.
In response to these threats, ICU has enlisted the support of healthcare security specialist Imprivata. Today, Imprivata is best known for a single sign-on system designed to free healthcare professionals from the need to repeatedly enter usernames and passwords without compromising security. The collaboration with ICU will build on Imprivata's experience in this area.
"Infusion pumps are rapidly increasing in their level of integration on hospital networks as EHR integration is becoming the standard of care," Wes Wright, chief technology officer at Imprivata, said in a statement. "We're excited to work closely with ICU Medical to innovate new ways to lock down these connected devices and authenticate users with security profiles."
Through these efforts, Imprivata and ICU aim to create a fast, secure authentication system to limit access to patient information. The collaborators also hope to improve the security and auditing of medical devices.
If successful, the alliance will address some of the many vulnerabilities related to infusion pumps. In its report, the NCCoE picked out several ways user accounts create opportunities for wrongdoing. The U.S. agency is concerned about weak authentication measures and the lack of role-based access.