Date Published: August 2021
Author(s)
Nakia Grayson (NIST), Ronald Pulivarti (NIST), Bronwyn Hodges (MITRE), Kevin Littlefield (MITRE), Julie Snyder (MITRE), Sue Wang (MITRE), Ryan Williams (MITRE)
Announcement
The National Cybersecurity Center of Excellence (NCCoE) has released a new draft project description for Mitigating Cybersecurity Risk in Telehealth Smart Home Integration. The publication of this project description begins a process to further identify project requirements, scope, and hardware and software components for use in a laboratory environment.
We want your feedback on this draft to help refine the project. The comment period is now open and will close on October 4th, 2021.
What is this Project About?
Telehealth technology and its use have advanced alongside the Internet of Things (IoT). Healthcare solutions may allow patients to use consumer-grade IoT devices to review their health information and interact with systems operated by a healthcare delivery organization (HDO). For example, individuals may use IoT devices to obtain lab results, schedule visitations with their care team, set reminders for appointments, or request prescription refills.
IoT brings novel capabilities to consumers in their homes. However, with those capabilities, IoT compels technology adopters to re-think how they may need to secure their home environment and the networks with which their homes interconnect. This project will result in a practice guide that describes a reference architecture for smart home integration with healthcare systems as part of a telehealth program.
We Want to Hear from You!
Review the project description and submit comments online on or before October 4th, 2021. You can also help shape and contribute to this project by joining the NCCoE’s Healthcare Community of Interest. Send an email to hit_nccoe@nist.gov detailing your interest. We value and welcome your input and look forward to your comments.
This project's goal is to provide HDOs with practical solutions for securing an ecosystem that incorporates consumer-owned smart home devices into an HDO-managed telehealth solution. This project will result in a freely available NIST Cybersecurity Practice Guide.
Although telehealth adoption in the healthcare landscape has paralleled technology advancement over recent years, 2020 acted as a catalyst for healthcare delivery organizations to expand patient interaction and monitoring. Telehealth advances coincide with a proliferation of IoT devices, including smart home speakers. This project will analyze how consumers use smart home devices as an interface into the telehealth ecosystem. Smart home devices offer enhanced, multi-sensory user experiences that allow individuals to converse with technology naturally. While the user experience may be improved, practitioners may find it challenging to deploy mitigating controls that limit cybersecurity and privacy risk, given that devices may use proprietary or purpose-built operating systems that do not allow engineers to add protective software. Practices and guidance are available for safeguarding computer systems. However, smart home devices use voice command and response, which differ from text- or graphic-based user interfaces. For example, common security approaches based on computer systems that depend on an individual's ability to provide usernames and passwords may not be applicable.
The project team will apply the NIST Cybersecurity Framework, NIST Privacy Framework, and the NIST Risk Management Framework to identify threats and risks to the smart home integrated telehealth ecosystem. The project will focus on three common scenarios in which smart home devices interact with clinical systems in a laboratory environment. The project team will develop a reference design and a detailed description of the practical steps needed to implement a secure solution based on standards and best practices.
Keywords
application programming interface; API; application security; cybersecurity; data privacy; data privacy and security risks; health delivery organization; HDO; Internet of Things; IoT; smart home; telehealth
Control Families
Access Control; Configuration Management; Identification and Authentication; Risk Assessment