81 FR 4016 - National Cybersecurity Center of Excellence (NCCoE) Wireless Medical Infusion Pumps Use Case for the Health Care Sector
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology Federal Register Volume 81, Issue 15 (January 25, 2016)
National Institute of Standards and Technology
Federal Register Volume 81, Issue 15 (January 25, 2016)
| Page Range | 4016-4018 | |
| FR Document | 2016-01344 |
[Federal Register Volume 81, Number 15 (Monday, January 25, 2016)] [Notices] [Pages 4016-4018] From the Federal Register Online [www.thefederalregister.org] [FR Doc No: 2016-01344] ----------------------------------------------------------------------- DEPARTMENT OF COMMERCE National Institute of Standards and Technology [Docket No.: 151217999-5999-01] RIN 0693-XC058 National Cybersecurity Center of Excellence (NCCoE) Wireless Medical Infusion Pumps Use Case for the Health Care Sector AGENCY: National Institute of Standards and Technology, Department of Commerce. ACTION: Notice. ----------------------------------------------------------------------- SUMMARY: The National Institute of Standards and Technology (NIST) invites organizations to provide products and technical expertise to support and demonstrate security platforms for the Wireless Medical Infusion Pumps use case for the health care sector. This notice is the initial step for the National Cybersecurity Center of Excellence (NCCoE) in collaborating with technology companies to address cybersecurity challenges identified under the Health Care Sector program. Participation in the use case is open to all interested organizations. DATES: Interested parties must contact NIST to request a letter of interest template to be completed and submitted to NIST. Letters of interest will be accepted on a first come, first served basis. Collaborative activities will commence as soon as enough completed and signed letters of interest have been returned to address all the necessary components and capabilities, but no earlier than February 24, 2016. When the use case has been completed, NIST will post a notice on the NCCoE Health Care Sector program Web site at https://nccoe.nist.gov/projects/use_cases/health_it announcing the completion of the use case and informing the public that it will no longer accept letters of interest for this use case. ADDRESSES: The NCCoE is located at 9700 Great Seneca Highway, Rockville, MD 20850. Letters of interest must be submitted to HIT_NCCoE@nist.gov; or via hardcopy to National Institute of Standards and Technology, NCCoE; 100 Bureau Drive, MS 2002, Gaithersburg, MD, 20899. Organizations whose letters of interest are accepted in accordance with the process set forth in the SUPPLEMENTARY INFORMATION section of [[Page 4017]] this notice will be asked to sign a Cooperative Research and Development Agreement (CRADA) with NIST. A CRADA template can be found at: https://nccoe.nist.gov/library/nccoe-consortium-crada-example. FOR FURTHER INFORMATION CONTACT: Gavin O'Brien via email at HIT_NCCoE@nist.gov; by telephone 240-314-6815; or by mail to National Institute of Standards and Technology, NCCoE; 100 Bureau Drive, MS 2002, Gaithersburg, MD, 20899. Additional details about the NCCoE Health Care Sector program are available at https://nccoe.nist.gov/projects/use_cases/health_it. SUPPLEMENTARY INFORMATION: Background: The NCCoE, part of NIST, is a public-private collaboration for accelerating the widespread adoption of integrated cybersecurity tools and technologies. The NCCoE brings together experts from industry, government, and academia under one roof to develop practical, interoperable cybersecurity approaches that address the real-world needs of complex Information Technology (IT) systems. By accelerating dissemination and use of these integrated tools and technologies for protecting IT assets, the NCCoE will enhance trust in U.S. IT communications, data, and storage systems; reduce risk for companies and individuals using IT systems; and encourage development of innovative, job-creating cybersecurity products and services. Process: NIST is soliciting responses from all sources of relevant security capabilities (see below) to enter into a Cooperative Research and Development Agreement (CRADA) to provide products and technical expertise to support and demonstrate security platforms for the Wireless Medical Infusion Pumps use case for the health care sector. The full use case can be viewed at: https://nccoe.nist.gov/projects/use_cases/health_it. Interested parties should contact NIST using the information provided in the FOR FURTHER INFORMATION CONTACT section of this notice. NIST will then provide each interested party with a letter of interest template, which the party must complete, certify that it is accurate, and submit to NIST. NIST will contact interested parties if there are questions regarding the responsiveness of the letters of interest to the use case objective or requirements identified below. NIST will select participants who have submitted complete letters of interest on a first come, first served basis within each category of product components or capabilities listed below up to the number of participants in each category necessary to carry out this use case. However, there may be continuing opportunity to participate even after initial activity commences. Selected participants will be required to enter into a consortium CRADA with NIST (for reference, see ADDRESSES section above). NIST published a notice in the Federal Register on October 19, 2012 (77 FR 64314) inviting U.S. companies to enter into National Cybersecurity Excellence Partnerships (NCEPs) in furtherance of the NCCoE. For this demonstration project, NCEP partners will not be given priority for participation. Use Case Objective: In the past, medical devices were standalone instruments that interacted only with the patient. Today, medical devices have operating systems and communication hardware that allow them to connect to networks and other devices. While this technology has created more powerful tools and improved health care, it has led to additional risks in safety and security. The goal of this use case is to help health care providers secure their medical devices on an enterprise network, with a specific focus on wireless infusion pumps.\1\ This use case begins the process to identify the actors interacting with infusion pumps, define the interactions between the actors and the system, perform a risk assessment, identify applicable mitigating security technologies, and provide an example implementation. --------------------------------------------------------------------------- \1\ For purposes of this notice, NIST is adopting the definition of external infusion pumps provided on the Food and Drug Administration (FDA) Protecting and Promoting Your Health Web site as: ``Medical devices that deliver fluids, including nutrients and medications such as antibiotics, chemotherapy drugs, and pain relievers, into a patient's body in controlled amounts. Many types of pumps, including large volume, patient-controlled analgesia, elastomeric, syringe, enteral, and insulin pumps, are used worldwide in health care facilities such as hospitals, and in the home.'' http://www.fda.gov/MedicalDevices/ProductsandMedicalProcedures/GeneralHospitalDevicesandSupplies/InfusionPumps/. --------------------------------------------------------------------------- Clinicians and patients rely on infusion pumps for safe and accurate administration of fluids and medications. However, the FDA has identified problems that can compromise the safe use of external infusion pumps. These issues can lead to over or under-infusion, missed treatments, or delayed therapy. The publication of the use case is merely the beginning of a process that will identify research participants and components of a laboratory environment to identify, evaluate and test relevant security tools and controls. The approach may include: risk assessment and analysis, logical design, build development, test & evaluation and security control mapping. The output of the process will be the publication of a multi-part Practice Guide to assist the community in evaluating the security environment surrounding their infusion pumps deployed in a clinical setting. A detailed description of the Wireless Medical Infusion Pumps use case is available at https://nccoe.nist.gov/projects/use_cases/health_it Requirements: Each responding organization's letter of interest should identify which security platform component(s) or capability(ies) it is offering. Letters of interest should not include company proprietary information, and all components and capabilities must be commercially available. Components are listed in section two of the Wireless Medical Infusion Pumps use case (for reference, please see the link in the PROCESS section above) and include, but are not limited to: 1. Wireless infusion pump 2. Pump server 3. Network 4. Alarm manager 5. Electronic medication administration record (eMAR) 6. Point of care medication system 7. In hospital pharmacy system 8. Computerized physician order entry (CPOE) 9. IT security system 10. Network security system 11. Credentialing/credentialing server 12. Asset management and monitoring systems Each responding organization's letter of interest should identify how their products address one or more of the following desired solution characteristics in the Security Control Map section of the Wireless Medical Infusion Pumps use case (for reference, please see the link in the PROCESS section above): 1. Automatic logoff 2. Audit controls 3. Authorization 4. Configuration of security features 5. Cybersecurity product upgrades 6. Data backup and disaster recovery 7. Emergency access 8. Health data de-identification 9. Health data integrity and authenticity 10. Malware detection/protection 11. Node authentication 12. Person authentication 13. Physical locks and devices 14. Security guides 15. System and application hardening 16. Third-party components in product lifecycle roadmaps 17. Health data storage confidentiality [[Page 4018]] 18. Transmission confidentiality 19. Transmission integrity Responding organizations need to understand and, in their letters of interest, commit to provide: 1. Access for all participants' project teams to component interfaces and the organization's experts necessary to make functional connections among security platform components. 2. Support for development and demonstration of the Wireless Medical Infusion Pump capability in NCCoE facilities which will be conducted in a manner consistent with Federal requirements (e.g., FIPS 200, FIPS 201, SP 800-53, and SP 800-63). Additional details about the Wireless Medical Infusion Pumps use case for the Health care sector are available at https://nccoe.nist.gov/projects/use_cases/health_it. NIST cannot guarantee that all of the products proposed by respondents will be used in the demonstration. Each prospective participant will be expected to work collaboratively with NIST staff and other project participants under the terms of the consortium CRADA in the development of the Wireless Medical Infusion Pump capability. Prospective participants' contribution to the collaborative effort will include assistance in establishing the necessary interface functionality, connection and set- up capabilities and procedures, demonstration harnesses, environmental and safety conditions for use, integrated platform user instructions, and demonstration plans and scripts necessary to demonstrate the desired capabilities. Each participant will train NIST personnel, as necessary, to operate its product in capability demonstrations to the health care community. Following successful demonstrations, NIST will publish a description of the security platform and its performance characteristics sufficient to permit other organizations to develop and deploy security platforms that meet the security objectives of the Wireless Medical Infusion Pumps use case. These descriptions will be public information. Under the terms of the consortium CRADA, NIST will support development of interfaces among participants' products by providing IT infrastructure, laboratory facilities, office facilities, collaboration facilities, and staff support to component composition, security platform documentation, and demonstration activities. The dates of the demonstration of the Wireless Medical Infusion Pump capability will be announced on the NCCoE Web site at least two weeks in advance at https://nccoe.nist.gov/. The expected outcome of the demonstration is to improve wireless medical infusion pumps across an entire health care sector enterprise. Participating organizations will gain from the knowledge that their products are interoperable with other participants' offerings. For additional information on the NCCoE governance, business processes, and NCCoE operational structure, visit the NCCoE Web site https://nccoe.nist.gov/. Richard Cavanagh, Acting Associate Director for Laboratory Programs. [FR Doc. 2016-01344 Filed 1-22-16; 8:45 am] BILLING CODE 3510-13-P
![4016
Notices Federal Register
Vol. 81, No. 15
Monday, January 25, 2016
This section of the FEDERAL REGISTER I. Abstract DEPARTMENT OF COMMERCE
contains documents other than rules or
The Department of Commerce, in
proposed rules that are applicable to the National Institute of Standards and
public. Notices of hearings and investigations, coordination with the Department of
Technology
committee meetings, agency decisions and Defense and other Federal agencies,
rulings, delegations of authority, filing of conducts survey assessments of U.S. [Docket No.: 151217999–5999–01]
petitions and applications and agency industrial base sectors deemed critical RIN 0693–XC058
statements of organization and functions are to U.S. national security. The
examples of documents appearing in this information gathered is necessary to National Cybersecurity Center of
section. determine the health and Excellence (NCCoE) Wireless Medical
competitiveness as well as the needs of Infusion Pumps Use Case for the
these critical market segments in order Health Care Sector
DEPARTMENT OF COMMERCE to maintain a strong U.S. industrial
base. AGENCY: National Institute of Standards
Bureau of Industry and Security and Technology, Department of
II. Method of Collection Commerce.
Proposed Information Collection;
Submitted electronically. ACTION: Notice.
Comment Request; National Security
and Critical Technology Assessments III. Data SUMMARY: The National Institute of
of the U.S. Industrial Base Standards and Technology (NIST)
OMB Control Number: 0694–0119.
AGENCY: Bureau of Industry and Form Number(s): N/A. invites organizations to provide
Security, Commerce. Type of Review: Regular submission products and technical expertise to
ACTION: Notice. extension. support and demonstrate security
Affected Public: Business or other for- platforms for the Wireless Medical
SUMMARY: The Department of profit organizations. Infusion Pumps use case for the health
Commerce, as part of its continuing Estimated Number of Respondents: care sector. This notice is the initial step
effort to reduce paperwork and 28,000. for the National Cybersecurity Center of
respondent burden, invites the general Estimated Time per Response: 8 to 14 Excellence (NCCoE) in collaborating
public and other Federal agencies to hours per response. with technology companies to address
take this opportunity to comment on Estimated Total Annual Burden cybersecurity challenges identified
proposed and/or continuing information Hours: 308,000 hours. under the Health Care Sector program.
collections, as required by the Estimated Total Annual Cost to Participation in the use case is open to
Paperwork Reduction Act of 1995. Public: $0. all interested organizations.
DATES: Written comments must be IV. Request for Comments DATES: Interested parties must contact
submitted on or before March 25, 2016. NIST to request a letter of interest
Comments are invited on: (a) Whether
ADDRESSES: Direct all written comments template to be completed and submitted
the proposed collection of information
to Jennifer Jessup, Departmental to NIST. Letters of interest will be
is necessary for the proper performance
Paperwork Clearance Officer, accepted on a first come, first served
of the functions of the agency, including
Department of Commerce, Room 6616, basis. Collaborative activities will
whether the information shall have
14th and Constitution Avenue NW., commence as soon as enough completed
practical utility; (b) the accuracy of the
Washington, DC 20230 (or via the and signed letters of interest have been
agency’s estimate of the burden
Internet at JJessup@doc.gov). returned to address all the necessary
(including hours and cost) of the
FOR FURTHER INFORMATION CONTACT: components and capabilities, but no
proposed collection of information; (c)
Requests for additional information or earlier than February 24, 2016. When
ways to enhance the quality, utility, and
copies of the information collection the use case has been completed, NIST
clarity of the information to be
instrument and instructions should be will post a notice on the NCCoE Health
collected; and (d) ways to minimize the
directed to Mark Crace, BIS ICB Liaison, Care Sector program Web site at https://
burden of the collection of information
(202) 482–8093, Mark.Crace@ nccoe.nist.gov/projects/use_cases/
on respondents, including through the
bis.doc.gov. health_it announcing the completion of
use of automated collection techniques
The link below clarifies the policies the use case and informing the public
or other forms of information
and procedures of the Bureau of that it will no longer accept letters of
technology.
Industry and Security (BIS) for Comments submitted in response to interest for this use case.
conducting surveys to obtain this notice will be summarized and/or ADDRESSES: The NCCoE is located at
information in order to perform industry included in the request for OMB 9700 Great Seneca Highway, Rockville,
studies assessing the U.S. industrial MD 20850. Letters of interest must be
asabaliauskas on DSK5VPTVN1PROD with NOTICES
approval of this information collection;
base to support the national defense they also will become a matter of public submitted to HIT_NCCoE@nist.gov; or
pursuant to the Defense Production Act record. via hardcopy to National Institute of
of 1950, as amended. https:// Standards and Technology, NCCoE; 100
www.federalregister.gov/articles/2015/ Sheleen Dumas, Bureau Drive, MS 2002, Gaithersburg,
07/15/2015-17388/us-industrial-base- Departmental PRA Lead, Office of the Chief MD, 20899. Organizations whose letters
surveys-pursuant-to-the-defense- Information Officer. of interest are accepted in accordance
production-act-of-1950 [FR Doc. 2016–01338 Filed 1–22–16; 8:45 am] with the process set forth in the
SUPPLEMENTARY INFORMATION: BILLING CODE 3510–33–P SUPPLEMENTARY INFORMATION section of
VerDate Sep<11>2014 13:09 Jan 22, 2016 Jkt 238001 PO 00000 Frm 00001 Fmt 4703 Sfmt 4703 E:\FR\FM\25JAN1.SGM 25JAN1](https://thefederalregister.org/doc/81_FR_4031/page/1.svg)
![4018 Federal Register / Vol. 81, No. 15 / Monday, January 25, 2016 / Notices
18. Transmission confidentiality advance at https://nccoe.nist.gov/. The Fishery Conservation and Management
19. Transmission integrity expected outcome of the demonstration Act and the Northern Pacific Halibut
Responding organizations need to is to improve wireless medical infusion Act.
understand and, in their letters of pumps across an entire health care DATES: Comments on this EFP
interest, commit to provide: sector enterprise. Participating application must be submitted to NMFS
1. Access for all participants’ project organizations will gain from the on or before February 9, 2016. The
teams to component interfaces and the knowledge that their products are North Pacific Fishery Management
organization’s experts necessary to make interoperable with other participants’ Council (Council) will consider the
functional connections among security offerings. application at its meeting from February
platform components. For additional information on the 1, 2016, through February 9, 2016, in
2. Support for development and NCCoE governance, business processes, Portland, OR.
demonstration of the Wireless Medical and NCCoE operational structure, visit ADDRESSES: The Council meeting will be
Infusion Pump capability in NCCoE the NCCoE Web site https:// held at the Benson Hotel, 309 SW
facilities which will be conducted in a nccoe.nist.gov/. Broadway, Portland, OR 97205. The
manner consistent with Federal Richard Cavanagh, agenda for the Council meeting is
requirements (e.g., FIPS 200, FIPS 201, Acting Associate Director for Laboratory available at http://www.npfmc.org. You
SP 800–53, and SP 800–63). Programs. may submit comments on this
Additional details about the Wireless [FR Doc. 2016–01344 Filed 1–22–16; 8:45 am] document, identified by NOAA–NMFS–
Medical Infusion Pumps use case for the 2015–0162, by any of the following
BILLING CODE 3510–13–P
Health care sector are available at methods:
https://nccoe.nist.gov/projects/use_ • Electronic Submission: Submit all
cases/health_it. NIST cannot guarantee DEPARTMENT OF COMMERCE electronic public comments via the
that all of the products proposed by Federal e-Rulemaking Portal. Go to
respondents will be used in the National Oceanic and Atmospheric www.regulations.gov/
demonstration. Each prospective Administration #!docketDetail;D=NOAA-NMFS-2015-
participant will be expected to work 0162, click the ‘‘Comment Now!’’ icon,
collaboratively with NIST staff and RIN 0648–XE370
complete the required fields, and enter
other project participants under the or attach your comments.
Fisheries of the Exclusive Economic
terms of the consortium CRADA in the • Mail: Submit written comments to
Zone off Alaska; Application for an
development of the Wireless Medical Glenn Merrill, Assistant Regional
Exempted Fishing Permit
Infusion Pump capability. Prospective Administrator, Sustainable Fisheries
participants’ contribution to the AGENCY: National Marine Fisheries Division, Alaska Region NMFS, Attn:
collaborative effort will include Service (NMFS), National Oceanic and Ellen Sebastian. Mail comments to P.O.
assistance in establishing the necessary Atmospheric Administration (NOAA), Box 21668, Juneau, AK 99802–1668.
interface functionality, connection and Commerce. Instructions: Comments sent by any
set-up capabilities and procedures, ACTION: Notice; receipt of application for other method, to any other address or
demonstration harnesses, environmental exempted fishing permit. individual, or received after the end of
and safety conditions for use, integrated the comment period, may not be
platform user instructions, and SUMMARY: This notice announces receipt considered. All comments received are
demonstration plans and scripts of an exempted fishing permit (EFP) a part of the public record and will
necessary to demonstrate the desired application from the Alaska Seafood generally be posted for public viewing
capabilities. Each participant will train Cooperative (AKSC) and co-applicants. on www.regulations.gov without change.
NIST personnel, as necessary, to operate If granted, this EFP would allow the All personal identifying information
its product in capability demonstrations applicants to remove halibut from a (e.g., name, address) submitted
to the health care community. trawl codend on the deck, and release voluntarily by the sender will be
Following successful demonstrations, those fish back to the water in a timely publicly accessible. NMFS will accept
NIST will publish a description of the manner to increase survivability. These anonymous comments (enter ‘‘N/A’’ in
security platform and its performance halibut would be sampled by NMFS- the required fields if you wish to remain
characteristics sufficient to permit other trained observers for length and anonymous).
organizations to develop and deploy physical condition using standard Electronic copies of the EFP
security platforms that meet the security International Pacific Halibut application and the basis for a
objectives of the Wireless Medical Commission (IPHC) halibut mortality categorical exclusion under the National
Infusion Pumps use case. These assessment methods. The objectives of Environmental Policy Act are available
descriptions will be public information. the EFP application are to (1) test from the Alaska Region, NMFS Web site
Under the terms of the consortium methods for sorting halibut on deck for at http://alaskafisheries.noaa.gov/.
CRADA, NIST will support suitability as an allowable fish handling The June 2014 IPHC Report is
development of interfaces among mode for the non-pollock catcher/ available from the Council Web site at
participants’ products by providing IT processor trawl fisheries (Amendment http://www.npfmc.org.
infrastructure, laboratory facilities, 80, community development quota FOR FURTHER INFORMATION CONTACT: Julie
office facilities, collaboration facilities, (CDQ), and trawl limited access) in the Scheurer, 907–586–7111.
asabaliauskas on DSK5VPTVN1PROD with NOTICES
and staff support to component Bering Sea and Aleutian Islands under SUPPLEMENTARY INFORMATION: NMFS
composition, security platform an eventual regulated program; (2) manages the domestic groundfish
documentation, and demonstration simplify and improve on elements that fisheries in the Bering Sea and Aleutian
activities. worked under a 2015 deck sorting EFP Islands management area (BSAI) under
The dates of the demonstration of the project; and (3) address challenges and the Fishery Management Plan for
Wireless Medical Infusion Pump issues that arose in the 2015 EFP. This Groundfish of the Bering Sea and
capability will be announced on the experiment has the potential to promote Aleutian Islands Management Area
NCCoE Web site at least two weeks in the objectives of the Magnuson-Stevens (FMP), which the Council prepared
VerDate Sep<11>2014 13:09 Jan 22, 2016 Jkt 238001 PO 00000 Frm 00003 Fmt 4703 Sfmt 4703 E:\FR\FM\25JAN1.SGM 25JAN1](https://thefederalregister.org/doc/81_FR_4031/page/3.svg)
Document Created: 2018-02-02 12:35:11
Document Modified: 2018-02-02 12:35:11
| Category | Regulatory Information | |
| Collection | Federal Register | |
| sudoc Class | AE 2.7: GS 4.107: AE 2.106: | |
| Publisher | Office of the Federal Register, National Archives and Records Administration | |
| Section | Notices | |
| Action | Notice. | |
| Dates | Interested parties must contact NIST to request a letter of interest template to be completed and submitted to NIST. Letters of interest will be accepted on a first come, first served basis. Collaborative activities will commence as soon as enough completed and | |
| Contact | Gavin O'Brien via email at [email protected]; by telephone 240-314-6815; or by mail to National Institute of Standards and Technology, NCCoE; 100 Bureau Drive, MS 2002, Gaithersburg, MD, 20899. Additional details about the NCCoE Health Care Sector program are available at https://nccoe.nist.gov/ projects/use_cases/health_it. | |
| FR Citation | 81 FR 4016 | |
| RIN Number | 0693-XC05 |
2025 Federal Register | Disclaimer | Privacy Policy
USC | CFR | eCFR