Evaluating Medical IoT (MIoT) Device Security using NISTIR-8228 Expectations. (arXiv:2104.03283v1 [cs.CR])

How do healthcare organizations (from small Practices to large HDOs) evaluate
adherence to the cybersecurity and privacy protection of Medical Internet of
Things (MIoT) used in clinical settings? This paper suggests an approach for
such evaluation using National Institute of Standards and Technology (NIST)
guidance. Through application of NISTIR 8228 Expectations it is possible to
quantitatively assess cybersecurity and privacy protection, and determine
relative compliance with recommended standards. This approach allows
organizations to evaluate the level of risk a MiOT device poses to IT systems
and to determine whether or not to permit its use in healthcare/IT
environments.

This paper reviews the current state of IoT/MiOT cybersecurity and privacy
protection using historical and current industry guidance & best-practices;
recommendations by federal agencies; NIST publications; and federal law. It
then presents similarities and differences between IOT/MiOT devices and
“traditional” (or classic) Information Technology (IT) hardware, and cites
several challenges IoT/MiOT pose to cybersecurity and privacy protection.

Finally, a practical approach to evaluating cybersecurity and privacy
protection is offered along with enhancements for validating assessment
results. In so doing it will demonstrate general compliance with both NIST
guidance and HIPAA/HITECH requirements.