NIST Wants to Mitigate Smart Home Telehealth Cybersecurity Risks


The agency is looking for providers to help address the cybersecurity and privacy vulnerabilities in the telehealth ecosystem as it works to create a practice guide on the topic.

The COVID-19 pandemic expanded the use of smart speakers and other internet of things technologies for telehealth purposes. However, using smart speakers to share sensitive personal health information could pose a cybersecurity and privacy risk, which the government is trying to address, according to a notice scheduled to be filed in the Federal Register on Monday.

The National Institute of Standards and Technology is looking for comments and products to help it mitigate cybersecurity risks in telehealth smart home integration as part of the National Cybersecurity Center of Excellence project addressing this issue. Consumers are using their own commercial devices and incorporating them into a health delivery organization’s telehealth solution. As a result, these organizations may have difficulty identifying and addressing cybersecurity risks because they are not in control of these devices.

According to the NCCoE project, “while the user experience may be improved, practitioners may find challenges associated with deploying mitigating controls that limit cybersecurity and privacy risk given that devices may use proprietary or purpose-built operating systems that do not allow engineers to add protective software.”

The NCCoE project aims to build a reference architecture utilizing the NIST Risk Management Framework, NIST Cybersecurity Framework and the NIST Privacy Framework to help find cybersecurity and privacy vulnerabilities and ways to address these issues.

Specifically, the project will build a model mimicking patients using smart speakers for telehealth purposes in order to identify and mitigate the associated cybersecurity and privacy risks. In particular, the project will use commercial technology to model the patient’s telehealth environment and available solutions. 

The project will have the solution used in a “four-domain” ecosystem: a patient’s house, a cloud-hosted service provider, a health technology integration solution and a healthcare delivery organization.

NIST seeks sources to enter into an NCCoE Cooperative Research and Development Agreement to support this project.

NIST is asking for companies that can provide solutions to address the cybersecurity and privacy risks of using smart devices for telehealth purposes. For example, this could include risk assessment; data processing management; disassociated processing; data processing awareness; identity management, authentication and access control; data security; and looking at anomalies and events.

Responding organizations should agree to provide:

  • Access to component interfaces and experts for participating teams to help connect security and privacy platform pieces.
  • Support for the development and demonstration of the project for the healthcare sector in NCCoE facilities.

The project will culminate in a practice guide to address cybersecurity challenges in this environment.

Responses are due 30 days after the notice’s publication in the Federal Register.