On 11/29/2021, NIST published Special Publication (SP) 800-213, IoT Device Cybersecurity for the Federal Government. This publication builds upon and expands the considerations for Internet of Things (IoT) security initially published [1] in NISTIR publications 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, and 8259A, IoT Device Cybersecurity Capability Core Baseline.
As stated in the SP 800-213/213A abstract(s):
This publication contains background and recommendations to help organizations consider how an IoT device they plan to acquire can integrate into a system. IoT devices and their support for security controls are presented in the context of organizational and system risk management [2].
As has been stated throughout this book, the specific guidance for conducting and completing a security assessment is directed at the healthcare sector, but the principles and process described within can be applied equally to any sector or industry.
[1] NISTIR 8259 series, published June 2019.
[2] NIST SP 800-213.
According to the Cisco Internet Business Solutions Group, the ‘Internet of Things’ (IoT) began sometime between 2008 and 2009, when the number of “things or objects” connected to the internet exceeded the number of people connected.
Published references to the Medical Internet of Things (MIoT) most likely started between 2012 and 2013. In 2012, the Government Accounting Office (GAO) recommended in the August edition of its Highlights report to Congress [1] that the FDA should “develop and implement a plan expanding its focus on information security risks.” Indeed, in 2013 [2] the Food and Drug Administration (FDA) issued medical device manufacturers guidance for the cybersecurity of medical IoT devices [3] which represented the agency’s “current thinking on this topic.”
The healthcare sector has been quick to incorporate MIoT into clinical operations, as such use offers greater efficiency, improved operations, cost savings and, most importantly, improved patient outcomes. Examples where MIoT are employed include blood pressure and glucose level monitoring, pulse oximeters, weight/BMI scales, thermometers, spirometers, and EKG monitoring.
The key to success of MIoT (in fact, all IoT) is internet-connectivity and the ability of MIoT devices to transmit (patient) information.
In December 2020, President Trump signed into law the IoT Cybersecurity Improvement Act of 2020. This law, in part, directs the National Institute of Standards and Technology (NIST) to take steps to increase the cybersecurity of IoT. In accordance with this law, in late November 2021 NIST published Special Publication (SP) 800-213 (IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements). Although written for government agencies, the guidance contained in NIST Special Publications can be used by non-government organizations as well, and SP 800-213 is no exception.
Based on NIST guidance, a qualitative framework for assessing IoT (and by extension MIoT) cybersecurity and privacy protection is possible. Using the Expectations for MIoT cybersecurity and privacy protection outlined in NISTIR 8228 (and associated publications [4]), a set of criteria is used to assess security and compliance and, in turn, to evaluate the weakness or (data) exposure which a MIoT device may pose to a healthcare organization’s IT environment. Moreover, such evaluation is crucial for complying with the HIPAA/HITECH regulations governing the Confidentiality, Integrity and Availability (CIA) of Protected Health Information (PHI).
How can healthcare organizations (from small practices to large HDOs [5]) evaluate adherence to the cybersecurity and privacy protection of MIoT devices used in clinical settings? This discussion suggests an approach for such evaluation which makes it possible to quantitatively assess cybersecurity and privacy protection and to determine relative compliance with recommended standards. It further allows organizations to evaluate the level of risk a MIoT device poses to IT systems and to determine whether or not to permit its use in healthcare/IT environments.
The current state of IoT/MIoT cybersecurity and privacy protection is reviewed using historical and current industry guidance and best practices, recommendations by federal agencies, NIST publications, and federal laws; these sources are compared for similarities and differences, which are then incorporated into a Security Assessment.
Variations in data transmission and storage between IoT/MIoT devices and “traditional” (or classic) Information Technology (IT) hardware are presented along with challenges IoT/MIoT pose to cybersecurity and privacy protection.
Finally, a process for evaluating cybersecurity and privacy protection via Security Assessment is offered along with enhancements for validating results. Doing so demonstrates general compliance with both NIST guidance and HIPAA/HITECH requirements.
[1] GAO Highlights, GAO-12-816.
[2] Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. Guidance for Industry and Food and Drug Administration Staff. First draft published June 14, 2013. Food and Drug Administration, et al.
[3] It should be noted that the FDA issued guidance for “…Software Contained in Medical Devices” in May 2005; however, this publication pre-dated IoT and concerned itself with embedded software.
[4] NIST Cybersecurity Framework (CSF), NISTIR 8259 series, SP 800-53r5 (Security and Privacy Controls for Information Systems and Organizations) and SP 800-213/213A (IoT Device Security Guidance for the Federal Government).
[5] Health Delivery Organization (HDO).