NIST issues ‘next-generation’ draft guidance for IoT integration

NIST's latest draft guidance includes IoT controls along with new information privacy considerations.

The National Institute of Standards and Technology (NIST) has issued its fifth revision of security and privacy guidance that includes a new focus on Internet of Things vulnerabilities.

While the nearly 500-page catalog of security controls is intended for a wide range of connected industries, it has implications for the healthcare sector, which has been flooded with network-enabled medical devices. A recent poll by Deloitte found more than one-third of professionals in the IoT medical device industry say their organization has experienced a cybersecurity incident. Just 18.6% said their organization is "very prepared" for an attack, while 55% said they are "somewhat prepared."

“We are crafting the next-generation catalog of controls that can also be applied to secure the Internet of Things,” Ron Ross, NIST fellow and team leader of the joint task force that wrote the updated publication, said in an announcement.


In May, NIST issued more specific draft guidelines on wireless infusion pumps, after releasing the first-ever cybersecurity measurement guidelines in January.

The Government Accountability Office recently highlighted security as a key challenge facing IoT integration within the healthcare industry, as some have predicted that medical devices are the next big target for hackers. A bill introduced by Sen. Richard Blumenthal, D-Conn., looks to place minimum cybersecurity testing requirements on medical devices, while a separate bipartisan bill would require IoT devices purchased by the federal government to meet minimum security requirements.

The NIST guidance expressed an “urgent need” to strengthen underlying information systems in a world that is increasingly interconnected. The proposed security controls aim to make IT systems more resistant to attacks, limit the damage when a successful attack does occur and ensure those systems are “resilient and survivable.”

The draft guidance, which is open for comments until Sept. 12, also places new emphasis on the overlap of privacy and security, as well as considerations to ensure organizations are meeting privacy requirements that fall outside of the purview of security. The final guidelines will be published no later than Dec. 29.