Internet of Things Introduction

The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), develops cybersecurity solutions for a range of commercially available technologies. One area where NCCoE applies standards and best practices is the Internet of Things (IoT). IoT devices are sometimes simply described as smart devices or systems that are connected to the Internet. According to NIST SP 1800-15, Securing Small-Business and Home Internet of Things (IoT) Devices: Mitigating Network-Based Attacks Using Manufacturer Usage Description (MUD), the term IoT is applied to the “aggregate of single-purpose, internet-connected devices” such as sensors, vehicles, thermostats, security monitors, lighting control systems, appliances, and smart televisions.

CMS guidance applies to IoT devices in CMS and CMS partner facilities, as well as external-facing CMS services that may interface with IoT devices of providers, contractors, or beneficiaries.

The NIST Cybersecurity for IoT Program provides guidelines and a framework for manufacturers of IoT devices, federal agencies, and consumer products that use MUD specifications. The MUD specifications require IoT devices to perform only their intended function and to include features that allow malicious attacks to be intercepted and mitigated. The MUD specifications and the NIST SP 1800-15 guidelines help ensure the security and integrity of data stored by IoT devices, and of the networks and systems that those devices access. Unfortunately, CMS cannot assume that all manufactured IoT devices, especially those already in the field, comply with the latest MUD specifications.

Medical devices that are designed to be integrated into the network to support healthcare are sometimes called mIoT devices. Networked medical devices have software that can become vulnerable to cybersecurity threats. These vulnerabilities pose threats to healthcare, and the devices require continued maintenance throughout their lifecycles to protect against malicious acts. Managing cybersecurity risks in mIoT devices helps reduce overall risk in healthcare. References include: