Blog

In-patient service demands have increased during a time when patients have experienced reduced access to hospital care. Hospital-at-Home (HaH) solutions are a form of telehealth that provide an in-patient care experience in patients’ homes, offering the potential for improved outcomes. While these…
See full abstract

In-patient service demands have increased during a time when patients have experienced reduced access to hospital care. Hospital-at-Home (HaH) solutions are a form of telehealth that provide an in-patient care experience in patients’ homes, offering the potential for improved outcomes. While these are desirable benefits, HaH involves privacy and cybersecurity risks by introducing hospital-grade medical or biometric devices and information systems outside the hospital’s direct control (i.e., the patient’s home). Patient homes increasingly feature Internet of Things (IoT) devices, such as voice assistants (e.g., smart speakers), as part of a broader “smart home” ecosystem. These devices may not have capabilities that support privacy and security practices and may be used as pivot points for attackers to gain access to a hospital’s information system.

This paper introduces a notional high-level smart home integration reference architecture to better understand these risks. Building on NIST’s prior work in telehealth security, it examines privacy and cybersecurity risks associated with HaH deployments in the context of an integrated smart home environment, focusing on voice assistants (e.g., smart speakers) as a representative IoT device and outlines several sample threat events.

To address these risks, this paper leverages the NIST Cybersecurity and Privacy Frameworks and NIST IoT Core Baseline to outline mitigation efforts for healthcare delivery organizations. The recommended mitigations include access control, authentication, continuous monitoring, data security, governance, and network segmentation.

These recommended mitigation efforts adopt NIST frameworks and guidelines. For example, it highlights actions healthcare delivery organizations (HDOs) can take to isolate HaH equipment from other personally owned devices within the patient’s home to safeguard sensitive data. Without such protections, compromised, personally owned devices and voice assistants (e.g., smart speakers) may lead to unauthorized access to healthcare systems and patient information.

Hide full abstract