NIST Cybersecurity Framework Tackles the IoT

Published On October 01, 2019

If you haven’t checked out the NIST (National Institute of Standards and Technology) Cybersecurity Framework in a while, it might be time to get a refresher on what the agency’s been up to; especially in the face of major changes in healthcare tech.

Healthcare is cementing its relationship with the internet of things (IoT) at a promising time, but there’s a catch.

Also known as the internet of medical things (IoMT), the IoT is redefining the industry. Tracking steps and measuring heart rates is child’s play these days. Now, IoT devices monitor depression systems, manage diabetes, enhance remote monitoring, and can be swallowed to help improve medication adherence. But still, the security question looms large.

The IoT and Healthcare’s Cybersecurity Problem

Healthcare’s cybersecurity problem is only getting bigger and the IoT is adding another layer of complexity.

Ransomware has evolved to a point where simulations are designed to expose physicians to cyberattacks that threaten patients’ lives with the help of a CT scanner, says The Verge. Researchers in Israel created a virus that adds, and even removes, evidence of medical conditions from volumetric (3D) medical scans, as reported by Cornell University. And for the most part, healthcare institutions are sitting ducks.

There are more than 4,000 ransomware attacks every day, and healthcare is the number one target. According to HealthcareITNews, between 2015 and 2016, more than half of hospitals were hit with ransomware attacks, and a significant number of them may not even know anything happened.

So what’s that got to do with the IoT? IoT devices directly impact an organization’s security-risk profile. When connected to networks, they serve as potential entry points for mal-actors. When being used on patients, the risks skyrocket. Perhaps the biggest risk is that many organizations aren’t even aware of how many IoT devices they’re using.

NIST has been sounding the alarm for a while now. Last year, NIST issued a draft report that identifies 17 technical trust-related issues that could negatively impact the adoption of IoT products and services.

Meet the NIST Cybersecurity Framework: IoT Considerations

IoT devices are different, and for security professionals who want to manage their individual risk and their impact on organizational risk management strategy, the NIST IoT considerations will be an indispensable resource. NIST‘s full considerations document is available for download, but let’s take a look at a general overview.

The report examines cybersecurity vulnerabilities and privacy risks, calling out the specialized risk of hospital equipment in the healthcare sector. It also details high-level considerations for cybersecurity managers, comparing IoT devices to conventional IT devices. For example:

• Many IoT devices interact with the physical world in ways conventional IT devices do not.

• Many IoT devices cannot be accessed, managed or monitored in the same ways conventional IT devices can.

• The availability, efficiency and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices than conventional IT devices.

High-Level Risk Mitigation Goals

NIST encourages a perspective on cybersecurity and privacy risks for IoT devices that can be broken down into three levels of risk mitigation goals:

1. Protecting Device Security: Individual devices must be protected and prevented from being used to conduct attacks, eavesdropping on network traffic or compromising other devices within the same network segment.

2. Protecting Data Security: IoT devices must be properly secured to protect the confidentiality, integrity and/or availability of data that it collects, stores, processes or transmits.

3. Protecting the Privacy of Individuals: Individuals’ privacy should be protected beyond risks managed through device and data security protection.

The document also encourages organizations to address cybersecurity and privacy considerations and challenges throughout the IoT life cycle for appropriate risk mitigation goals and areas. NIST recommends the following:

1. Understand IoT device risk considerations and the challenges they present in mitigating cybersecurity and privacy risks.

2. Adjust organizational policies and processes to address cybersecurity and privacy risk mitigation challenges across the IoT device life cycle.

3. Implement updated mitigation practices for your organization’s IoT devices.

You’ll also find a useful section on adjusting organizational policies and processes, as well as implementing updated risk mitigation practices.

Most importantly, keep in mind that a strong risk management posture goes beyond frameworks. Take some time to learn more about the overall state of risk management in healthcare to ensure your organization is prepared for all the emerging cybersecurity challenges it may face.