Healthcare is governed by the provisions of HIPAA and HITECH. Both contain specific regulations and\or requirements for the protection of ePHI and other sensitive information. Any process, system or device used to create, transmit or store ePHI is subject to these provisions.
For healthcare organizations and providers MIoT devices represent several cybersecurity and privacy protection challenges. Central to which is that MIoT devices do not behave, operate, or perform in the same manner as traditional1 IT devices. This difference is due to a MIoT device’s core functions Sensing (retrieving and transmitting information about the real world and transmitting it) and Actuating (making changes to the physical world). Some of the differences between MIoT and traditional IT include:
- The ability to configure, update and monitor
- Lack of transparency (black box problem)
- Compatibility with existing Infrastructure
- Information security (CIA)
- Third-party access
The ability to configure, update and monitor means, at a minimum, having access to the MIoT device in order to perform routine and as-needed management functions such as access control (e.g., passwords), software updates (i.e., patch management) and log review. Due to manufacture design and production this level of access may not be available or even possible. It may not even be possible to know, to a reasonable degree of certainty, if the MIoT device is functioning properly or at all.
Lack of transparency (black box problem) is an issue with some MIoT devices due to their design and manufacture. Such devices do not allow insight into their configuration, operational settings or performance/activity logs. Lack of transparency prevents normal or routine cybersecurity and privacy protection oversight, and introduces risk into an IT environment since the state of compliance (with HIPAA/HITECH regulations) is unknowable.
Compatibility with existing Infrastructure may cause concern for established Datacenters and IT networks. Since MIoT devices may operate and function differently than traditional IT devices such difference can result in incompatibility with systems that were not designed for MIoT integration. In turn, MIoT devices may require new management systems for proper operation and oversight with IT Departments finding it necessary to add resources (staff & skills or external services) to manage MIoT deployment within their networks.
Information Security (CIA) is a core tenant of HIPAA. CIA means taking appropriate steps to protect the Confidentiality, Integrity and Availability of protected health information (PHI). If a MIoT device stores data (not all do) it is critical that it be protected—depending on whether or not said information is PHI or CUI2--using cryptography or some other means of data protection. ‘Black-box’ devices or devices without any type of access or insight into their operation or status introduces significant risk in the event of exploit or compromise.
Third-party access is of concern for MIoT devices which permit no end-user access to their configuration settings or operational status (only third-parties). Such “unmanaged” devices may prevent real-time access during operational error or failure with access delayed further if the third-party is unavailable. It may also prevent those responsible from properly gauging network or operational status of a MIoT device when a software or firmware update is required, device End-of-Life (EOL) is reached, or for other routine management and maintenance functions. In addition, a manufacturers Software Bill of Materials (SBOM) may be unavailable to a healthcare provider that is considering using MIoT devices in its clinical setting(s).
 Or “classic” IT devices such as routers, switches, servers, etc…
 Confidential but Unclassified Information (CUI). Reference NIST.SP-800-171 & NIST.SP-800-172.