The National Institute of Standards and Technology (NIST) is collaborating with companies to address the cybersecurity risks consumers face when they leverage smart home technologies for telehealth.
According to a notice posted in the Federal Register today, the National Cybersecurity Center of Excellence (NCCoE) – part of NIST – is launching the “Mitigating Cybersecurity Risk in Telehealth Smart Home Integration” project to better understand the privacy challenges smart devices pose within the telehealth ecosystem.
NCCoE’s project will result in a publicly available NIST Cybersecurity Practice Guide – detailed guidance on the practical steps needed to implement a cybersecurity reference design that addresses this challenge.
“Consumers now use smart home devices as an interface into the telehealth ecosystem,” NCCoE’s project website says. “While the user experience may be improved, practitioners may find challenges associated with deploying mitigating controls that limit cybersecurity and privacy risk given that devices may use proprietary or purpose-built operating systems that do not allow engineers to add protective software.”
NCCoE’s project goal is to identify and mitigate cybersecurity and privacy risks associated with smart device telehealth ecosystems.
Specifically, the agency will build an environment that will model patients’ use of smart speakers in a telehealth ecosystem. The project will use commercial technology to create the patient’s telehealth environment and available solutions.
The project will use the solution in a “four-domain” ecosystem: a patient’s house, a cloud-hosted service provider, a health technology integration solution, and a healthcare delivery organization.
NIST is soliciting responses from all sources of relevant security and privacy capabilities to provide products and technical expertise to support and demonstrate security platforms for the project. Examples of the components NIST is seeking are smart devices, cloud environments, and telehealth platforms.
This project will apply concepts established in the NIST Risk Management Framework, NIST Cybersecurity Framework, and the NIST Privacy Framework to identify both cybersecurity and privacy challenges affecting the ecosystem.
According to NIST, the project will result in a publicly available NIST Cybersecurity Practice Guide, published as a Special Publication 1800-series document, that will provide an overview of the ecosystem, practical measures for health delivery organizations that include risk assessment approaches, mitigating control selection, reference architecture, and a detailed description of the lab environment construction.
NIST’s Federal Register post noted that collaborative activities will commence as soon as enough completed and signed letters of interest have been returned to address all the necessary components and capabilities, but no earlier than May 17.