NIST CSWP 34 (Initial Public Draft)

Mitigating Cybersecurity and Privacy Risks in Telehealth Smart Home Integration: Healthcare and Public Health Sector Risk Management Approaches

Date Published: November 6, 2024
Comments Due: January 6, 2025
Email Comments to: [email protected]

Author(s)

Ronald Pulivarti (NIST), Kevin Littlefield (MITRE), Bronwyn Patrick (MITRE), Sue Wang (MITRE), Ryan Williams (MITRE)

Announcement

The National Cybersecurity Center of Excellence (NCCoE) has released for public comment the draft of NIST Cybersecurity White Paper (CSWP) 34, Mitigating Cybersecurity and Privacy Risks in Telehealth Smart Home Integration. The comment period for the draft is now open through January 6, 2025.

About the White Paper

Hospital-at-Home (HaH) is a form of telehealth wherein patients receive in-patient care, including clinical care and monitoring, at their place of residence. Healthcare systems have begun incorporating communications interfaces, patient monitors, and other medical devices into the patient’s residence to provide advice and perform clinical care while leveraging the advantages associated with patients receiving treatment in an amenable location. HaH offers several benefits to healthcare delivery organizations (HDOs), including improving patient outcomes, alleviating in-patient bed capacity limits, and providing safety for patients and care team members in infectious scenarios.

While these are desirable benefits, HaH creates privacy and cybersecurity risks by placing medical-grade equipment and information systems in environments the hospital does not control. This paper examines risks found in HaH deployments, using smart speakers as a representative IoT device, and provides recommended steps to address these risks. It also describes applying controls that include access control, authentication, continuous monitoring, data security, governance, and network segmentation.

We Want to Hear from You!

The public comment period for this draft is open until January 6, 2025, at 11:59 P.M. EST. You can view the publication and submit comments by visiting the NCCoE project page. If you have any questions, please email our team at [email protected].

Abstract

Keywords

Application Programming Interface; API; biometric devices; cybersecurity; data privacy; data privacy and security risks; healthcare delivery organization; HDO; Hospital-at-Home; HaH; Internet of Things; IoT; smart home; telehealth; voice assistant

Control Families

Access Control; Awareness and Training; Configuration Management; Identification and Authentication; Risk Assessment; System and Communications Protection