Mitigating Cybersecurity Risk in Telehealth Smart Home Integration

Consumers now use smart home devices as an interface into the telehealth ecosystem. Smart home devices offer enhanced, multi-sensory user experiences that allow individuals to converse with technology naturally. While the user experience may be improved, practitioners may face challenges deploying mitigating controls that limit cybersecurity and privacy risk, because devices may use proprietary or purpose-built operating systems that do not allow engineers to add protective software.
 

Providing HDOs with practical solutions for securing an ecosystem that incorporates consumer-owned smart home devices into an HDO-managed telehealth solution.

Telehealth advances coincide with a proliferation of Internet of Things (IoT) devices, including smart home speakers. Patients may obtain smart home devices, which are endpoints not managed by a health delivery organization (HDO). The NCCoE Healthcare project team will apply the NIST Cybersecurity Framework, NIST Privacy Framework, and the NIST Risk Management Framework to identify threats and risks to the smart home integrated telehealth ecosystem.
Status: Preparing Draft

The NCCoE Healthcare team has decided to develop a NIST Cybersecurity White Paper (CSWP) for this project. As a result, the NCCoE has decided not to proceed with the Mitigating Cybersecurity Risk in Telehealth Smart Home Integration project as described in the Federal Register Notice on April 17, 2023.

Overview

The NCCoE is developing a NIST CSWP that will describe a reference architecture for smart home integration with health care systems as part of a telehealth program, leveraging concepts established in previous NCCoE and NIST publications. Telehealth technology and its use have advanced alongside the Internet of Things (IoT). IoT adoption brings novel capabilities to consumers in their homes. Healthcare solutions may allow patients to use consumer-grade IoT devices to review their health information and interact with systems operated by an HDO. For example, individuals may use IoT devices to obtain lab results, schedule visitations with their care team, set reminders for appointments and regimens, or request prescription refills. As patients adopt IoT use when interacting with health systems, technologists may need to apply new approaches in safeguarding systems and environments. IoT devices may require unique approaches to ensure patient data confidentiality, integrity, and availability.

This project's goal is to identify the elements that are unique to using consumer-grade IoT devices with healthcare systems. Telehealth solutions that integrate consumer-owned devices such as smart speakers with HDO-managed health information systems may include atypical threats and vulnerabilities. This project uses established frameworks such as the NIST Cybersecurity Framework, NIST Privacy Framework, and NIST Risk Management Framework.

This project will result in a publicly available NIST CSWP, which will provide a high-level architecture and authentication approach with clinical information systems.

Join the Community of Interest

A Community of Interest (COI) is a group of professionals and advisors who share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Share your expertise and consider becoming a member of this project's COI. 
