NIST says providers need more awareness of IoT security risks
Many healthcare organizations are not fully aware that they use a large number of Internet of Things devices that increase breach risks.
That must change, according to the National Institute for Standards and Technology, one of the nation’s oldest physical science laboratories and a part of the Department of Commerce.
“It is important that organizations understand their use of IoT because many IoT devices affect cybersecurity and privacy risks differently than conventional IT devices do,” according to a draft document released by NIST to collect insights on IoT issues from stakeholders during a public comment period set to close in October.
Some organizations need to understand how characteristics of IoT affect managing data security risk, including accepting, avoiding, mitigating, sharing or transferring risk, NIST says.
For example, operational requirements for performance, reliability, resilience and safety may be at odds with common cyber and privacy practices for conventional health IT devices. The result could be the need to use manual processes, expand staff knowledge of devices, and address risks with manufacturers and vendors that may have remote access to the devices.
NIST advises that cyber and privacy risks be covered by three mitigation goals. These include protecting device security by preventing a device from being used to conduct attacks; protecting the confidentiality, integrity and availability of data stored on or transmitted to a device; and protecting the privacy of individuals.
Consequently, organizations should adjust organizational policies and processes to address cyber security and privacy risk mitigation challenges throughout a device’s lifecycle.
NIST notes that many organizations are interested in establishing cybersecurity and privacy baselines to support IoT device risk mitigation. Most of these initiatives focus on pre-market cybersecurity and privacy capabilities, which are the capabilities that manufacturers build, or should build in a device.
Some IoT devices only need the device itself secured, while other devices need the data protected, according to NIST. “A subset of those devices might also need privacy protected in ways that data security protection cannot,” the agency notes. “Existing efforts have not distinguished requirements and recommendations in this way, leaving organizations to determine which ones apply to any particular IoT device implementation and usage.”
NIST acknowledges that few recommendations can be made that apply to all IoT devices, but the draft document, in Appendix A, does provide examples of possible universal recommendations.
The complete draft document from NIST is available here.