NIST provides new guidance on managing cybersecurity & privacy risks

The healthcare industry is at the forefront of technological adoption when it comes to utilizing the Internet of Things (IoT) for improving operational processes and patient care. A global study undertaken in 2017 revealed that 60% of healthcare organizations use IoT devices on their premises, and 87% plan to introduce more IoT technology by 2019.

IoT technology offers many benefits, such as allowing healthcare organizations to provide personalized and timely care for their patients. Patient monitoring and equipment maintenance are also among the most common reasons healthcare organizations adopt IoT technology. However, given that 89% of healthcare organizations have suffered an IoT-related security breach, there are evidently significant risks involved too.

In recognition of this statistic, the National Institute of Standards and Technology (NIST) recently released guidance that aims to help organizations understand the risks associated with IoT devices and manage the cybersecurity and privacy vulnerabilities that IoT technology can introduce.

Within this document, NIST highlights three high-level considerations that can affect the management of IoT-related risks:

  • IoT devices typically interact with the physical world differently from conventional IT devices.
  • Many IoT devices cannot be accessed, managed or monitored in the same ways as traditional IT devices.
  • The availability, efficiency and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices in comparison to conventional IT devices.

The cybersecurity and privacy risks presented by IoT devices need to be addressed for the entire lifecycle of the device. NIST’s guidelines further explain how these risks can be considered in terms of three high-level mitigation goals:

  • Preventing IoT devices from being used to conduct an attack.
  • Protecting the confidentiality, integrity, and availability of data collected by, stored on, processed by, or transmitted to or from the IoT device.
  • Protecting the privacy of individuals.

Throughout the report, guidance is provided to help organizations meet the above goals and to highlight the major challenges they may face in achieving them. To help ensure these risk mitigation goals are met, NIST offers three key recommendations for addressing the cybersecurity risks and challenges:

  • Understand the risk considerations and challenges that IoT devices introduce in each of the relevant risk mitigation areas when mitigating their cybersecurity and privacy risks.
  • Adjust any current organizational policies and processes to help address the cybersecurity and privacy risk mitigation challenges throughout the IoT device lifecycle.
  • Implement the changes and updated mitigation practices for any IoT devices within the organization as you would with any other security changes.

The guidance within NIST’s document provides a good starting point for healthcare organizations concerned with improving IoT security. It is, however, important to remember that, due to the diversity of IoT devices, these recommendations might not be appropriate for every scenario; their applicability depends on the level of risk and the type of device.

To find out more, visit https://www.nist.gov/topics/internet-things-iot