3.2: Governance and Oversight

Last updated
Save as PDF

Page ID: 85363

Thomas P. Dover
Butler County Community College

\( \newcommand{\vecs}[1]{\overset { \scriptstyle \rightharpoonup} {\mathbf{#1}} } \) \( \newcommand{\vecd}[1]{\overset{-\!-\!\rightharpoonup}{\vphantom{a}\smash {#1}}} \)\(\newcommand{\id}{\mathrm{id}}\) \( \newcommand{\Span}{\mathrm{span}}\) \( \newcommand{\kernel}{\mathrm{null}\,}\) \( \newcommand{\range}{\mathrm{range}\,}\) \( \newcommand{\RealPart}{\mathrm{Re}}\) \( \newcommand{\ImaginaryPart}{\mathrm{Im}}\) \( \newcommand{\Argument}{\mathrm{Arg}}\) \( \newcommand{\norm}[1]{\| #1 \|}\) \( \newcommand{\inner}[2]{\langle #1, #2 \rangle}\) \( \newcommand{\Span}{\mathrm{span}}\) \(\newcommand{\id}{\mathrm{id}}\) \( \newcommand{\Span}{\mathrm{span}}\) \( \newcommand{\kernel}{\mathrm{null}\,}\) \( \newcommand{\range}{\mathrm{range}\,}\) \( \newcommand{\RealPart}{\mathrm{Re}}\) \( \newcommand{\ImaginaryPart}{\mathrm{Im}}\) \( \newcommand{\Argument}{\mathrm{Arg}}\) \( \newcommand{\norm}[1]{\| #1 \|}\) \( \newcommand{\inner}[2]{\langle #1, #2 \rangle}\) \( \newcommand{\Span}{\mathrm{span}}\)\(\newcommand{\AA}{\unicode[.8,0]{x212B}}\)

MIoT GOVERNANCE & OVERSIGHT
By definition, MIoT devices are IoT devices used for a specialized purpose (healthcare). Specialization notwithstanding, MIoT devices are subject to the same cybersecurity and privacy protection requirements as non-MIoT or IoT devices. According to the Food and Drug Administration (FDA), cybersecurity is a shared responsibility between the FDA and “device manufacturers, hospitals, healthcare providers, patients, security researchers, and other government agencies including the U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) and U.S. Department of Commerce.” ¹

U.S. FOOD AND DRUG ADMINISTRATION (FDA)
The Department of Health and Human Services (HHS), Food and Drug Administration (FDA) is responsible for medical device oversight. According to the General Accounting Office (GAO), the FDA is responsible “for ensuring the safety and effectiveness of medical devices in the United States”. ²

In 2012, the GAO recommended in its August Highlights report to Congress that the FDA should “develop and implement a plan expanding its focus on information security risks.”

Pursuant to its responsibility the FDA has published guidance for both Premarket (2014) and Postmarket (2016) management of cybersecurity in MIoT devices.

In 2014, FDA Center for Devices and Radiological Health, released Content of Pre-Market Submissions for the Management of Cybersecurity in Medical Devices (FDA 1825). This publication provides guidance for Industry, and FDA staff. Though ‘Internet of Things’ is not specifically mentioned in the document--understandable given that MIoT devices were in the very early stages of being applied to the Healthcare sector—it nevertheless recommends that “medical device manufacturers address cybersecurity during the design and development of the medical device, as this can result in more robust and efficient mitigation of patient risks”. Cybersecurity areas addressed included identification of threats and vulnerabilities; assessment of the impact of threats on device functionality and end users\patients; assessment of the likelihood of threat\vulnerability occurring; determination of risk levels; and assessment of residual risk and risk acceptance criteria. Moreover, the recommendations specifically cite NIST Cybersecurity Framework categories Identify, Protect, Detect, Respond and Recover.

In 2016, FDA Center for Devices and Radiological Health, released Postmarket Management of Cybersecurity in Medical Devices. Similar to FDA 1825, this publication clarifies postmarket recommendations for manufacturers to follow relative to identifying, monitoring and addressing cybersecurity vulnerabilities and exploits as “part of their postmarket management of medical devices”³.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST) GUIDANCE
In 2019, the NIST released Internal Report⁴ (IR) NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks.

In 2020, NISTIRs 8259(A)(B)(C)(D) were released as supplementary/complementary Guides for IoT cybersecurity. These publications provided guidance to IoT device manufacturers (8259/8259A); guidance for non-technical support capabilities (8259B); guidance for Core security baselines (8259C); and guidance for creating a Profile for IoT Baselines (8259D) for the federal government.

Pursuant to passage of federal law governing IoT cybersecurity⁵, in December, 2020 NIST published SP.800-213/213A, IoT Device Cybersecurity Guidance for the Federal Government. These publications, updated in November, 2021, expand upon and supersede criteria outlined in the NISTIR series. SP.800 213/213A provides specific IoT cybersecurity requirements and references several NIST Guides which have cross-application to HIPAA and HITECH requirements. Among them: NIST Cybersecurity Framework and SP.800-53r5 (Security & Privacy Control Catalog). Collectively, these Guides provide the basis for a framework which can be used to determine IoT/MIoT compliance with cybersecurity and privacy protection.

SP.800-213A, IoT Device Cybersecurity Guidance for the Federal Government: IoT Device Cybersecurity Requirement Catalog defines seven (7) distinct security Capabilities for IoT devices:

Identification
Configuration
Protection
Logical Access
Software Update
Cybersecurity State Awareness
Device Security

In turn, each Capability contains one or more sub-Capabilities (e.g., Actions based on Device Identity). For each, sub-Capability there may be one or more Requirements (e.g., Ability to perform actions that can occur based on or using the identity of the device) which satisfy the sub-Capability. Finally, each Requirement may contain one or more sub-Requirements (e.g., Ability to hide IoT device identity from non-authorized entities) which satisfy the Requirement.

In addition to FDA and NIST guidance the private sector has added its perspective to MIoT cybersecurity and privacy protection. In 2018, the Medical Device Innovation Consortium⁶ (MDIC), a non-profit, public-private partnership published Medical Device Cybersecurity Report: Advancing Coordinated Vulnerability Disclosure with the purpose of “coordinated vulnerability disclosure (CVD) policies by medical device manufacturers”.

FEDERAL LAWS AFFECTING MIoT
New laws were enacted in 2020 and 2021 that will have an important impact on MIoT cybersecurity and privacy protection.

On December 4, 2020, the IoT Cybersecurity Improvement Act of 2020⁷ was signed into law by President Donald Trump. This law required, in part, that NIST develop standards and guidelines for the federal government to follow governing IoT devices used or controlled by a government agency. As stated earlier, NIST guidance can be readily adapted by private-sector companies and organizations.

On January 5, 2021, President Trump signed into law an amendment to the Health Information Technology for Economic and Clinical Health Act (HITECH). HR 7898, otherwise known as the HIPAA Safe Harbor provision directs HHS to factor, in part, an organization’s use of industry-standard cybersecurity practices during the previous twelve (12) months when investigating suspected data breaches or other violations. The amendment is meant to encourage healthcare providers and organizations to use NIST best-practices when formulating their cybersecurity and privacy protection strategies.

[1] GAO Highlights, GAO-12-816., 3

[2] GAO Highlights, GAO-12-816., 20

[3] Postmarket Management of Cybersecurity in Medical Devices. Guidance for Industry and Food and Drug Administration Staff. 2016. Food and Drug Administration. Department of Health and Human Services. 18

[4] NISTIR (Internal or Interagency Report). Reports of research findings, including background information for FIPs and SPs. Source: https://csrc.nist.gov/publications/. Retrieved: 03/22/21.

[5] Internet of Things Cybersecurity Act of 2020. Signed into law on December 04, 2020.

[6] https://mdic.org/

[7] H.R. 1668, Public Law 116-207. The IoT Cybersecurity Act of 2020 was first introduced into Congress in 2017.