The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

NIST Releases New Guidance on Securing IoT Devices

The National Institute of Standards and Technology (NIST) has released a new guide for manufacturers of Internet of Things (IoT) devices to help them incorporate appropriate cybersecurity controls to ensure the devices are protected against threats when users connect them to the Internet.

The guide is the second in a series of publications on the security of IoT devices. The first document outlined the risks posed by IoT devices. The latest guide – Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers – is intended to help manufacturers incorporate core cybersecurity features into their IoT devices to reduce the prevalence and severity of IoT device compromises.

The draft document defines a core baseline of cybersecurity features which should be incorporated into all IoT devices, along with additional features that should be considered to provide a level of protection over and above the baseline that is appropriate for most customers.

The manufacturers of IoT devices have a responsibility to ensure that their devices ship with at least a basic level of security and that software updates are released to address vulnerabilities discovered during the lifespan of the products. It is also the responsibility of users of IoT devices to make sure those security controls are activated and that software updates are downloaded and applied promptly.


The guidance is aimed at a technical audience, although it is hoped that it will be used by consumers as well as IoT device manufacturers. It includes six security recommendations for IoT device manufacturers to incorporate into their devices. Those recommendations can also be used as a checklist for organizations to make sure a device can be secured before a purchase is made.

Those features are:

  • A device identification feature, so that an individual device can be identified and a unique address can be used when it connects to the network
  • The ability for an authenticated user to perform a software or firmware upgrade
  • A clear demonstration of how the device stores and transmits data
  • The ability to limit access to local and network interfaces
  • A secure and configurable method for updating software and firmware
  • A log feature that records all cybersecurity events
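To make the update and logging items on that list concrete, here is an added example in Python (written for this article; it is not code from NIST or from any device manufacturer). It models a minimal firmware-update path on a device that only accepts an upgrade from an authenticated user, checks the image's authenticity before installing it, refuses downgrades, and records each security-relevant outcome in an event log. The admin token, signing key and firmware bytes are constructed sample values, and the HMAC over the image is a stand-in for the manufacturer's digital signature that a real device would verify with a public key.

```python
"""Toy IoT firmware-update path exercising three baseline features from the
NIST draft list: authenticated upgrade, integrity-checked update method and
logging of cybersecurity events. Standard library only."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample values. On a real device the verification key would be
# provisioned at manufacture time and the private signing key would never be
# present on the device at all; the shared HMAC key here is a stand-in.
UPDATE_SIGNING_KEY = b"constructed-manufacturer-key-do-not-reuse"
ADMIN_TOKEN = "constructed-admin-token"
CURRENT_VERSION = 3


@dataclass
class Device:
    device_id: str                                  # unique device identifier
    version: int = CURRENT_VERSION                  # installed firmware version
    event_log: list = field(default_factory=list)   # cybersecurity event log

    def log(self, event: str, **details) -> None:
        """Record one security-relevant event with its context."""
        self.event_log.append({"event": event, "device": self.device_id, **details})


def sign_image(image: bytes, version: int) -> str:
    """Manufacturer side: tag over version || image so the version number is
    bound to the image and cannot be swapped by an attacker in transit."""
    msg = version.to_bytes(4, "big") + image
    return hmac.new(UPDATE_SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def apply_update(dev: Device, token: str, image: bytes, version: int, tag: str) -> bool:
    """Device side: returns True only if the update was installed."""
    # 1. Only an authenticated user may trigger an upgrade.
    if not hmac.compare_digest(token, ADMIN_TOKEN):
        dev.log("update_auth_failed")
        return False
    # 2. Reject downgrades so a known-vulnerable older image cannot be reinstalled.
    if version <= dev.version:
        dev.log("update_rejected_rollback", offered=version, current=dev.version)
        return False
    # 3. Verify authenticity and integrity of the image before touching flash.
    expected = sign_image(image, version)
    if not hmac.compare_digest(expected, tag):
        dev.log("update_rejected_bad_signature", offered=version)
        return False
    dev.version = version
    dev.log("update_applied", version=version,
            sha256=hashlib.sha256(image).hexdigest())
    return True


def run_demo() -> Device:
    """Walk one device through a failed, a tampered, a good and a rollback update."""
    dev = Device("constructed-device-0001")
    image = b"constructed firmware v4 image bytes"
    tag = sign_image(image, 4)
    apply_update(dev, "wrong-token", image, 4, tag)        # auth failure
    apply_update(dev, ADMIN_TOKEN, image + b"x", 4, tag)   # tampered image
    apply_update(dev, ADMIN_TOKEN, image, 4, tag)          # accepted
    apply_update(dev, ADMIN_TOKEN, image, 3, sign_image(image, 3))  # rollback
    return dev


if __name__ == "__main__":
    for entry in run_demo().event_log:
        print(entry)
```

Each rejected path is logged before returning, which is what lets an operator or a SIEM notice repeated failed update attempts against a device; the accepted path logs the installed version and image hash so the device's state can be audited later.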

IoT devices connect to and are visible on a network, yet they may not have an interface through which security settings can be applied and software updated. If appropriate security controls are not incorporated by manufacturers and activated by users, the devices will remain a security risk, and their vulnerabilities could be exploited by unauthorized individuals to gain access to home and business networks.

NIST is accepting comments on the draft guidance until September 30, 2019.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
