VA Waives FIPS 140-2 Requirement for Wi-Fi® Patient Monitor

According to a press release from Draeger®, the Veteran's Administration® is deploying Draeger’s Infinity M300 patient monitors on its Wi-Fi® networks, even though the monitors are not validated for FIPS 140-2.  To get around the FIPS 140-2 requirement, the VA issued a waiver for the monitors.

“This decision by the VA to allow use of its wireless network for patient telemetry represents the first such use within the VA hospital environment,” says Rick Sullivan, VP of Government Affairs at Draeger.

Why did VA issue the waiver?  Is it because Draeger “is committed to obtaining FIPS 140-2, Level 1 certification for a future” patient monitor?  A lot of medical device vendors have a similar commitment but, as we discuss in our white paper on FIPS 140-2, obtaining a FIPS 140-2 validation for a Wi-Fi client device can be very challenging.  That’s why no patient monitors are validated!

Perhaps the Draeger monitors do not transmit sensitive information, such as patient identification, across the network.  We cannot review the waiver because it is posted only on the VA intranet and not on an external Web site.

View a previous post on FIPS 140-2 security in VA hospitals here.