Smart speakers are commonly used to answer questions, control thermostats and play music. Now consumers are calling on them for home health care — to talk to a provider, refill a prescription or schedule an appointment. Telehealth can benefit patients, but the threats are numerous as well: An attacker could alter a prescription, steal confidential medical data or connect the patient to an impostor.
To reduce the cybersecurity risks these interactions carry, the National Institute of Standards and Technology (NIST) has released guidelines that can help protect patients and providers alike.
The newly finalized guidelines, Mitigating Cybersecurity and Privacy Risks in Telehealth Smart Home Integration, build on NIST’s prior work in telehealth cybersecurity. The publication examines privacy and cybersecurity risks associated with home telehealth, using smart speakers — also called voice-activated digital assistants — as an example of a device that patients at home might use to communicate with providers.
“Certain people might not be able to reach a hospital, but they can talk to their smart speaker,” said Ron Pulivarti, a cybersecurity specialist at NIST’s National Cybersecurity Center of Excellence (NCCoE). “Telehealth patients and their providers exchange confidential information over the network, and we want to show what can go wrong and what we can do to protect them.”
Smart speakers are networked Internet of Things (IoT) devices that respond to voice commands. Generally linked to AI assistant software, they can be combined with hospital-grade medical devices that monitor a patient’s vitals to provide an inpatient care experience at home.
This combination of consumer and hospital-grade devices is a form of telehealth called a hospital-at-home (HaH) program. The patient can use the smart speaker to interact with a health care provider and perform actions such as completing a daily check-in or viewing test results. Once the patient activates the voice assistant to perform an action, a recording of their voice is sent to the voice assistant platform for processing — one point where patient information could be exposed to an attacker.
“HaH programs can benefit a homebound patient, but they have vulnerabilities because of their connection to public computer networks,” Pulivarti said. “Smart speakers may not have capabilities that support recommended privacy and security practices, and they may be used as pivot points for attackers to gain access to a hospital’s system.”
This publication considers telehealth solutions that use voice assistants in the patient’s home as well as all the network devices and systems needed to connect the patient’s home to the hospital health information systems. The publication offers several examples of threat scenarios. Among the potential threats are:
Many of the recommended guidelines for mitigating these threats draw upon several other NIST publications, including the NIST Cybersecurity Framework (CSF 2.0), the NIST Privacy Framework (PF 1.0) and the Profile of the IoT Core Baseline for Consumer IoT Products (NISTIR 8425).
The recommendations include enabling encryption of messages and limiting access to authorized individuals and devices. An overarching theme is for providers to ensure what is known as “network segmentation” between medical or biometric devices and other parts of the home and health care systems. Network segmentation divides the network into subsections using hardware such as firewalls, impeding an attacker’s ability to compromise a weak spot and affect other devices.
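As an added illustration of the segmentation and access-limiting recommendations above (this is example code written for this article, not material from the NIST publication), the following model puts the medical devices, the smart speaker and the rest of the household on separate subnets, keeps a default-deny allow-list of the only flows the hospital-at-home setup needs, and renders that allow-list as an nftables forward chain. The subnet addresses, segment names and permitted flows are all constructed assumptions; a real deployment would take them from the provider's network design.

```python
"""Segmentation policy model for a hospital-at-home (HaH) home network.

Each device class sits on its own subnet behind the home firewall. The
firewall forwards between subnets only for flows on the allow-list, so a
compromised smart speaker cannot reach a vitals monitor, and nothing
leaves for the hospital except over TLS on port 443.
"""
from dataclasses import dataclass
import ipaddress

# Constructed subnets (assumption: one VLAN/subnet per device class).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used here
# as stand-ins for the hospital gateway and the voice assistant platform.
SEGMENTS = {
    "medical":     ipaddress.ip_network("10.10.1.0/24"),    # vitals monitors
    "assistant":   ipaddress.ip_network("10.10.2.0/24"),    # smart speakers
    "home":        ipaddress.ip_network("10.10.3.0/24"),    # laptops, TVs, phones
    "hospital":    ipaddress.ip_network("203.0.113.0/24"),  # provider gateway
    "voice_cloud": ipaddress.ip_network("198.51.100.0/24"), # assistant platform
}


@dataclass(frozen=True)
class Rule:
    src: str   # source segment name
    dst: str   # destination segment name
    dport: int
    proto: str = "tcp"


# Default-deny allow-list: only these inter-segment flows are permitted,
# and each one is TLS (443) so the exchange is encrypted in transit.
ALLOW = [
    Rule("medical", "hospital", 443),       # encrypted vitals upload
    Rule("assistant", "voice_cloud", 443),  # voice recordings to the platform
    Rule("assistant", "hospital", 443),     # telehealth check-in / session
    Rule("home", "hospital", 443),          # patient portal from a laptop
]


def segment_of(ip: str) -> str:
    """Map an address to its segment name, or 'unknown' if it fits none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def is_allowed(src_ip: str, dst_ip: str, dport: int, proto: str = "tcp") -> bool:
    """Decide whether the inter-segment firewall would forward this flow."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == "unknown" or dst == "unknown":
        return False            # unregistered device or destination: drop
    if src == dst:
        return True             # same subnet; never crosses the firewall
    return Rule(src, dst, dport, proto) in ALLOW


def audit(flows):
    """Return the flows the policy would drop, with the segments involved.

    Useful for replaying observed connection attempts (e.g. from flow logs)
    against the policy to spot lateral movement or unencrypted uploads.
    """
    denied = []
    for src_ip, dst_ip, dport in flows:
        if not is_allowed(src_ip, dst_ip, dport):
            denied.append((src_ip, dst_ip, dport,
                           f"{segment_of(src_ip)} -> {segment_of(dst_ip)}"))
    return denied


def to_nftables() -> str:
    """Render the allow-list as an nftables forward chain with drop policy."""
    lines = [
        "table inet hah {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in ALLOW:
        lines.append(f"    ip saddr {SEGMENTS[r.src]} ip daddr {SEGMENTS[r.dst]} "
                     f"{r.proto} dport {r.dport} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample flows: a normal upload, a pivot attempt from the
    # smart speaker to a vitals monitor, and an unencrypted upload.
    sample = [
        ("10.10.1.5", "203.0.113.10", 443),
        ("10.10.2.20", "10.10.1.5", 22),
        ("10.10.1.5", "203.0.113.10", 80),
    ]
    for entry in audit(sample):
        print("DENIED", entry)
    print(to_nftables())
```

The point of `audit` is that the same allow-list that generates the firewall rules can be replayed over observed flows, so a smart speaker that starts probing the medical subnet shows up as a policy violation rather than silently succeeding.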
Although the guidelines are aimed primarily at technical specialists and information security professionals, Pulivarti said that patients also would benefit from knowing about them.
“Patients can turn around and educate their caregivers, who may not have encountered these guidelines,” he said. “By implementing the mitigations we offer here, health care providers can reduce their security and privacy risks while providing valued services to their patients.”