Cybersecurity Awareness Month: Securing Internet-Connected Devices in Healthcare

The healthcare industry is increasingly relying upon internet-connected devices and solutions to improve patient care, organizational efficiency, speed of crisis response, and much more. The emergence of telemedicine, digital health records, internet-connected medical devices, patient wellness apps, and an increasing amount of third parties entering the health supply chain has created many benefits, but has also exposed the industry to vulnerabilities that cyber criminals regularly attempt to exploit.

Last week’s Cybersecurity Awareness Month blog highlighted Julie Haney’s, Ph.D., lead for the NIST Usable Cybersecurity Program, suggestions for users and organizations to protect internet-connected devices for both personal and professional use. Now the third week of Cybersecurity Awareness Month will delve into the industry (hospitals, care facilities) and consumer (telemedicine patients), implications of internet-connected device use, and what steps both can take do their part and #BeCyberSmart.

Job title/background – how did you end up at NIST working on privacy?

I am an IT Security Specialist. I joined NIST in 2012 through a clerical staffing program and was not quite sure where the opportunity would lead my career. With a B.S. in Criminal Justice, I wanted to bridge my education and knowledge of the legal system with a career in technology, policy, and privacy. While working in a lead administrative role at NIST, I attended and completed my M.S in Information Technology/Information Assurance. While in graduate school, I became really interested in data protection, cybersecurity risk management, and how both elements play a critical role in protecting and safeguarding critical infrastructure, individuals’ privacy, and sensitive data. Privacy is important to me because losing control of one’s sensitive personal information can cause devastating consequences, so protecting my privacy is a huge responsibility that I take on every day. In 2018, I started working as an IT Security Specialist in the Privacy Engineering Program, where I support the development of privacy risk management best practices, guidance, and communication efforts. I also perform website development functions for the team. I lead Supply Chain Assurance project efforts at the National Cybersecurity Center of Excellence (NCCoE) and work with teams there on privacy integration and collaboration efforts.

Can you discuss NIST’s work relative to privacy and how it can affect the subject of healthcare?

Within our Privacy Engineering Program (PEP), we research the trustworthiness of cyber technology from a privacy perspective. PEP applies measurement science and system engineering principles to the creation of frameworks, risk models, tools and standards that protect privacy and civil liberties. We have developed resources that organizations can use at all sizes and industries to manage privacy risk management, including NIST Internal Report (NISTIR) 8062, An Introduction to Privacy Engineering Risk Management in Federal Systems, NIST Privacy Risk Assessment Methodology (PRAM) and Security and Privacy Controls for Information Systems and Organizations, Revision 5.

We released the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management, Version 1.0 in January of this year. The Privacy Framework is a voluntary tool that can help organizations manage privacy risk associated with their products and services. The Privacy Framework can help organizations to optimize beneficial uses of data while minimizing adverse consequences for individuals, as well as demonstrate their compliance with laws and regulations such as Health Insurance Portability and Accountability Act (HIPAA). As the digital landscape evolves, the healthcare industry is leveraging technology to strengthen and improve communication between patients and their healthcare providers, remote capabilities, and the expansion of the use of telemedicine. With these benefits, there are also privacy and security challenges. To help overcome these challenges, we’re working with the National Cybersecurity Center of Excellence (NCCoE)’s Healthcare team on the project, Securing Telehealth Remote Patient Monitoring (RPM) Ecosystem. This project aims to provide a reference architecture for healthcare organizations that addresses security and privacy concerns of remote patient monitoring capabilities.

What can organizations do in healthcare?

We all think about data breaches in organizations, but organizations should also think about privacy risks that may arise when it comes to digital devices and how sensitive information may be revealed about individuals from those devices if not managed properly. As mentioned earlier, we’re working with NCCoE’s Telehealth team to integrate privacy within their Securing Telehealth Remote Monitoring Patient (RPM) Ecosystem practice guide to provide a reference architecture that will help healthcare organizations address privacy risks as it relates to RPM devices. In some cases, patients are provided one or one biometric devices within the remote patient monitoring ecosystem such as a blood pressure monitor, weight scale, and activity tracker that monitor data, so healthcare providers can assess the physical health condition of the patient between visits with their provider. In the RPM scenario, a patient connects themselves to one or more biometric devices. From a privacy perspective, one or multiple devices that a patient is using can reveal particular health problems and cause unanticipated revelation for patients, which may lead to dignity loss, such as embarrassment or emotional distress, and lead to loss of trust in the HDO or provider, damaging the relationship with a patient, including losing the opportunity to continue providing care.  To stay engaged and up to date on this project, we’d encourage you to visit their website and join their community of interest by e-mailing hit_nccoe [at] nist.gov to be added to the distribution list.

What is your favorite thing about working at NIST?

My favorite thing about working at NIST is the opportunity to work alongside world-class talent and industry experts to tackle and solve the most complex problems in privacy and cybersecurity. Who wouldn’t love to be able to share with their family and friends that they’re a privacy hero, performing world class research? So, roll your sleeves up and come work for NIST’s Privacy Engineering Program (PEP)!