On August 29, the National Cybersecurity Center of Excellence (NCCoE) published a description of its latest project: Mitigating Cybersecurity Risk in Telehealth Smart Home Integration. As consumers increasingly incorporate Internet of Things (IoT) and smart home devices into all aspects of their lives, cybersecurity and data privacy risks increase exponentially. These risks can be especially pronounced in telehealth. The aim of the latest NCCoE project is to arm health care providers with practical tools to securely integrate patients' IoT and smart home devices with their telehealth architecture.
As the cybersecurity collaboration hub for the National Institute of Standards and Technology (NIST), NCCoE focuses on partnership between the federal government, industry organizations, and academia to develop cybersecurity solutions to pressing challenges.
The scope of this project will be limited to providing guidance to health care providers that will identify and mitigate cybersecurity and privacy risks arising from patient use of IoT and smart home devices to interface with health care information systems. Importantly, this guidance will not prescribe hardware or operating systems for functionality, rather it will focus on mitigating risk posed by patient-owned technologies and the evolving use of telehealth.
The NCCoE project will specifically consider three scenarios:
- Patient visitation scheduling
- Patient prescription refill
- Patient regimen check-in
In all three scenarios, the patient interaction will begin with the patient communicating with a smart speaker using vocal commands to interface with the health care provider's information system. For each, the NCCoE will map functions and categories of the NIST cybersecurity framework to sector-specific standards, such as the HIPAA Security Rule, to provide more granular guidance to covered entities and business associates. Upon completion of this project, the NCCoE will provide direction to health care providers to enable the integration of IoT and smart home devices with their telehealth programs.
New technologies bring new opportunities to expand the reach and accessibility of health care. However, those enhanced capabilities also bring novel risks that compel health care providers to continuously re-think their cybersecurity practices. As the NCCoE project progresses, covered entities and business associates should maintain awareness of the latest guidance on integrating IoT and smart home devices with telehealth to ensure compliance with the HIPAA Security Rule.
If you have any questions about this project or the related guidance, please contact Alisa L. Chestler or a member of Baker Donelson's Data Protection, Privacy, and Cybersecurity Group.