The National Cybersecurity Center of Excellence (NCCoE) has released for public comment the draft of NIST Cybersecurity White Paper (CSWP) 34, Mitigating Cybersecurity and Privacy Risks in Telehealth Smart Home Integration. The comment period for the draft is now open through January 6, 2025.
Consumers now use smart home devices as an interface into the telehealth ecosystem. Smart home devices offer enhanced, multi-sensory user experiences that allow individuals to converse with technology naturally. While the user experience may be improved, practitioners may find it challenging to deploy mitigating controls that limit cybersecurity and privacy risk, because devices may use proprietary or purpose-built operating systems that do not allow engineers to add protective software.
About the White Paper
Hospital-at-Home (HaH) is a form of telehealth wherein patients receive in-patient care, including clinical care and monitoring, at their place of residence. Healthcare systems have begun incorporating communications interfaces, patient monitors, and other medical devices into the patient’s residence to provide advice and perform clinical care while leveraging the advantages associated with patients receiving treatment in an amenable location. HaH offers several benefits to healthcare delivery organizations (HDOs), including improving patient outcomes, alleviating in-patient bed capacity limits, and providing safety for patients and care team members in infectious scenarios.
While these are desirable benefits, HaH creates privacy and cybersecurity risks by introducing medical-grade equipment and information systems into environments the hospital does not control. This paper examines risks found in HaH deployments, using smart speakers as a representative IoT device, and provides recommended steps to address these risks. This paper also describes applying controls that include access control, authentication, continuous monitoring, data security, governance, and network segmentation.