- SP.800-213A Capabilities, sub-Capabilities, Requirements/sub-Requirements can be used to evaluate MIoT security in alignment with HIPAA/HITECH requirements. At present, there are few assessments designed specifically to evaluate MIoT cybersecurity risk and/or privacy protection to such an extent as outlined in SP.800-213A.
- Use of SP.800-213A Requirements/sub-Requirements can help protect the physical Device, its Data and data Privacy, and can be used to evaluate security and risk¹.
- The security assessment approach offered through SP.800-213A is easy to use, flexible, repeatable, and employs current industry Best-Practices and guidance for both MIoT manufacturers and healthcare organizations.
- The use of NIST SP.800-213A adheres to the intent of the HITECH/HIPAA 'Safe Harbor' provision, which encourages and incentivizes healthcare providers and organizations to use NIST publications and Best-Practice guidance when considering Cybersecurity and Privacy Protection programs.
- Employing NIST SP.800-213A Requirements/sub-Requirements suggests an assessment process and methodology that is adaptable to non-federal sectors, and which can be used for regulatory and/or legal compliance.
Healthcare providers (i.e., Covered Entities) are mandated by HIPAA and HITECH to protect the Confidentiality, Integrity and Availability (CIA) of Electronic Protected Health Information (ePHI). This requirement extends to technology providers and Business Associates (BA) who directly support (healthcare) providers and use MIoT devices to satisfy this purpose.
SP.800-213A can be used to evaluate MIoT device compliance with other cybersecurity best practices relative to Device, Data and Privacy protection. Moreover, SP.800-213A associates its requirements to other NIST publications governing IoT and Cybersecurity including NIST's Cybersecurity Framework and SP.800-53r5 (Security Control Catalog).
Finally, SP.800-213A can be used to create a documented history of compliance. Such history can serve as a guide for healthcare organizations when considering changes to technology and/or network environments.
Risk mitigation tiers are REDUCE, AVOID, ACCEPT and TRANSFER.