Endpoint/Device Security, Security Program Controls/Technologies, Distributed Workforce

NIST seeks industry partners for telehealth, smart home risk mitigation

Online healthcare app on smartphone screen.

Taking aim at the mass adoption of smart home devices and telehealth platforms by consumers, NIST is asking healthcare stakeholder groups to join its ongoing project that aims to mitigate these widespread cybersecurity risks.

Each responding organization must identify how their products address one or more of the areas in interest: healthcare delivery organizations, health technology integration system, cloud-hosted service provider, and patient home environment, such as smart home devices, firewall or wireless access point router vendors.

The official request will be published in the federal register on Monday and aims to pool insights into how to address at-home devices that leverage proprietary operating systems that don’t allow for external engineers to add protective software.

While these devices provide an abundance of important health benefits, hospitals and other providers find it challenging to deploy security mitigation controls that could limit swaths of cybersecurity and privacy risks on these devices once they leave the hospital space.

The deployment of remote care technologies rapidly expanded during the COVID-19, with it, the cyber risks posed by vulnerabilities and limited cybersecurity mechanisms.

The National Cybersecurity Center of Excellence, part of NIST, hopes industry leaders will join the upcoming project by providing letters of interest that details their products and technical expertise that could support the “Mitigating Cybersecurity Risk in Telehealth Smart Home Integration” project. 

NCCoE intends to “build an environment” modeling a typical use case of patients using smart speakers in a “four-domain” telehealth ecosystem in an effort to identify and mitigate cybersecurity and privacy risks tied to these ecosystems. The environment will include solution components, a cloud-hosted service provider, and a health tech integration solution.

The model will include a healthcare delivery organization, as well “where each of these groupings represents a respective domain, applying concepts from NIST’s Risk Management Framework, Cybersecurity Framework, and Privacy Framework.

The hope is to identify risk assessment methodologies through applicable privacy and security controls able to mitigate determined risks, along with “commercially available technology and capabilities that enable patient-centric use cases.”

The project will conclude with a publicly available NIST Cybersecurity Practice Guide, detailing the smart home ecosystem, recommendations for healthcare delivery organizations on approaches for risk assessments, mitigating controls, and reference architecture.

The request for comment is just the first step in what NCCoE expects to be a long-term collaboration with relevant tech companies to address ongoing cybersecurity challenges with at-home technologies, including telemedicine.

Once NCCoE receives “enough completed and signed letters of interest,”  the agency will kick off its collaborative project. Participants will be selected on a “first come, first served” basis within each desired category.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.