How do healthcare organizations (from small practices to large healthcare delivery organizations, HDOs) evaluate adherence to cybersecurity and privacy protection for Medical Internet of Things (MIoT) devices used in clinical settings? This paper suggests an approach for such an evaluation using National Institute of Standards and Technology (NIST) guidance. Through application of the NISTIR 8228 Expectations it is possible to quantitatively assess cybersecurity and privacy protection and to determine relative compliance with recommended standards. This approach allows organizations to evaluate the level of risk an MIoT device poses to IT systems and to decide whether to permit its use in healthcare/IT environments. This paper reviews the current state of IoT/MIoT cybersecurity and privacy protection using historical and current industry guidance and best practices, recommendations by federal agencies, NIST publications, and federal law. It then presents similarities and differences between IoT/MIoT devices and "traditional" (or classic) Information Technology (IT) hardware, and cites several challenges IoT/MIoT devices pose to cybersecurity and privacy protection. Finally, a practical approach to evaluating cybersecurity and privacy protection is offered, along with enhancements for validating assessment results. In so doing, the paper demonstrates general compliance with both NIST guidance and HIPAA/HITECH requirements.