Securing Devices / Secure Data
Organizations under HHS, specifically the National Institutes of Health (NIH) and the Food and Drug Administration (FDA), have recommended security requirements for the use of IoTs within HHS.
Guidelines for IoT Platforms
IoT platforms are services, typically cloud-based, which connect IoT devices and include functions for device registration, device monitoring and management, and data transfer. IoT platforms often offer services for authentication and remote access control, data storage, and device data backup.
A recent NIH article, Medical Internet of Things and Big Data in Healthcare, discusses implementing IoT platforms. The NIH has observed that various parties, typically IoT device manufacturers, are trying to bundle the data streams of their IoT devices, including data from wearable devices and medical devices. The result is a massive influx of data from the sensors built into these IoT devices, which can then be analyzed.
Beyond the NIST Cybersecurity for IoT Program, there are no CMS guidelines specifically for securing IoT platforms. However, any IoT platform that qualifies as a CMS Processing Environment (refer to the definition in TRA Foundation, Processing Environments) must comply with the CMS TRA, ARS, RMH, and all HHS and CMS security and privacy requirements.
Guidelines for IoT Devices
The FDA suggests that IoT device manufacturers adopt the following practices: secure software and firmware updates by adding authentication to the update process, systematically update procedures for authorized users, and provide a secure data transfer mechanism to and from the IoT devices.
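The first FDA practice above, authenticating the update before it is applied, is shown below as an added example; it is not code from this page, the FDA, or CMS. It assumes a per-model update key provisioned at manufacture (constructed here) and uses an HMAC-SHA256 tag over a manifest so that it runs on the Python standard library alone; a production device would verify an asymmetric signature (for example Ed25519) against a public key held on the device, but the order of checks is the same: authenticate the manifest, then check model, version (anti-rollback), and image hash before touching the image.

```python
"""Authenticated firmware update verification (constructed example).

Models the FDA recommendation of authenticated update processes. An update
is applied only if the device can authenticate the manifest, the manifest
is for this device model and a newer version, and the image matches what
the authenticated manifest describes. The key, model name, versions and
image bytes are all constructed for the example.
"""
import hashlib
import hmac
import json

# Constructed update-verification key: in practice provisioned at manufacture,
# unique per model, and never shipped inside an update package.
DEVICE_KEY = b"constructed-example-update-key-32-bytes!"
DEVICE_MODEL = "example-infusion-pump"  # constructed model name


def build_package(key, model, version, image):
    """Manufacturer side: wrap a firmware image in an authenticated manifest."""
    manifest = {
        "model": model,
        "version": version,
        "image_sha256": hashlib.sha256(image).hexdigest(),
        "image_len": len(image),
    }
    # Canonical JSON so both sides authenticate exactly the same bytes.
    manifest_bytes = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, manifest_bytes, hashlib.sha256).digest()
    return {"manifest": manifest_bytes, "tag": tag, "image": image}


def verify_package(package, key, model, installed_version):
    """Device side: return (accepted, reason).

    The manifest is authenticated before it is parsed, so untrusted JSON never
    reaches the parser, and the image is hashed only after the manifest is trusted.
    """
    manifest_bytes = package["manifest"]
    expected_tag = hmac.new(key, manifest_bytes, hashlib.sha256).digest()
    # Constant-time comparison so a forged tag cannot be guessed byte by byte.
    if not hmac.compare_digest(expected_tag, package["tag"]):
        return False, "manifest authentication failed"
    manifest = json.loads(manifest_bytes)
    if manifest.get("model") != model:
        return False, "manifest is for a different device model"
    version = manifest.get("version")
    # Anti-rollback: a replayed or older (possibly vulnerable) image is refused.
    if not isinstance(version, int) or version <= installed_version:
        return False, "version rollback or replay rejected"
    image = package["image"]
    if len(image) != manifest.get("image_len"):
        return False, "image length mismatch"
    if hashlib.sha256(image).hexdigest() != manifest.get("image_sha256"):
        return False, "image hash does not match authenticated manifest"
    return True, "update accepted"


if __name__ == "__main__":
    # Constructed demonstration: a genuine v5 package against a device on v4.
    pkg = build_package(DEVICE_KEY, DEVICE_MODEL, 5, b"constructed firmware image v5")
    print(verify_package(pkg, DEVICE_KEY, DEVICE_MODEL, installed_version=4))
    # The same package offered again to a device already on v5 is a rollback/replay.
    print(verify_package(pkg, DEVICE_KEY, DEVICE_MODEL, installed_version=5))
```

The design choice worth noting is that every decision is made on authenticated data: the tag is checked before the manifest is parsed, and the image is compared against the hash inside that authenticated manifest rather than against anything carried alongside it, so substituting the image or the version field without the key fails closed.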
CMS cannot depend on all IoT manufacturers to adopt these cybersecurity measures; however, for those IoT devices that are CMS managed, as a recommended practice CMS should seek, at a minimum, IoT devices that provide a Manufacturer Usage Description. Maintaining cybersecurity prevents the device from losing data, malfunctioning, or being exposed to security threats. Most importantly, maintaining cybersecurity keeps the patient healthy by keeping the device secure.
CMS-Managed IoT Devices
IoT devices managed by CMS or CMS partners should follow the same guidance as CMS-managed mobile devices.
Unmanaged IoT Devices
Devices that are not managed by CMS or CMS partners are considered unmanaged; this includes personally owned IoT devices. Unmanaged IoT devices should follow guidance similar to that for unmanaged mobile devices. That is, these devices may access non-public CMS services or networks only if a risk assessment has been approved, a waiver has been granted, and the device has been configured and provisioned under an agreement with the owner that CMS has access to the data on the device and may use that data. These devices must have anti-virus and anti-malware software installed.