
NIST Plans To Examine Internet of Things (IoT) For Its Cybersecurity Framework

The National Institute of Standards and Technology (NIST) is holding a Cybersecurity Framework Workshop this week at its headquarters in Gaithersburg, Maryland. The purpose of the workshop is to discuss issues related to its widely used Cybersecurity Framework. Sessions at the workshop are being livestreamed, and are exploring the extraterritorial application of the NIST framework, sector-specific requirements, and uses for small businesses.

One closely watched workshop being held today is entitled “Cyber Meets the Physical World,” and is intended to examine how the NIST framework can be applied to the Internet of Things (IoT) sector:

The diverse use and rapid proliferation of connected devices – typically captured by the “Internet of Things (IoT)” – creates enormous value for industry, consumers, and broader society. At the same time, emerging threats, such as last year’s Mirai DDoS attacks, highlight the critical need to develop and apply guidance to maintain the cybersecurity of devices and the ecosystems into which they are deployed. NIST is seeking feedback on how the Framework may be applied to the IoT, both in terms of the devices themselves, as well as their integration into broader enterprise and network environments. Topics in this breakout may include: existing IoT definitions and taxonomies and their consistency with the Framework; IoT-specific threats and constraints; sector-specific considerations for IoT security; and the integration of IoT-specific threats into the Framework model.

NIST’s focus on IoT at its workshop this week comes on the heels of its new draft NIST cybersecurity guidance on securing wireless infusion pumps in the healthcare industry. NIST is accepting public comment on the new draft guidance through July 7, 2017.

NIST’s focus on the IoT sector also comes as the IoT sector is coming under greater regulatory scrutiny in the US. In 2015, the US Federal Trade Commission (FTC) issued guidance encouraging certain best practices in the IoT sector. In January 2017, the FTC brought its first enforcement action against a computer networking equipment manufacturer for failing to undertake what the FTC considers reasonable steps needed to secure wireless routers or IP cameras from “widely known and reasonably foreseeable” risks of unauthorized access by failing to proactively address “well-known and easily preventable security flaws.” And in California, a new bill is being considered by the California legislature (Cal. Senate Bill 327) that would impact the manufacturers and sellers of IoT connected devices by requiring them to:

  • Equip the device with reasonable security features appropriate to the nature of the device and the information it collects, contains or transmits;
  • Design the device to indicate to the consumer when it is collecting information;
  • Obtain consumer consent before the device collects or transmits information;
  • Provide an explicit privacy notification to the consumer about what data is collected by the device; and
  • Directly notify consumers of security patches and updates intended to make the device more secure on an ongoing basis.

If you or your business is engaged in the IoT space, the Dentons Privacy and Cybersecurity Group can help you navigate the growing regulatory environment and understand and implement the new NIST framework standards, as they are developed and adopted. We will also continue to monitor the NIST / IoT developments and report any further developments coming out of the NIST conference this week.


HHS Plans To Launch Cybersecurity Center Focused On Medical App Security

The US Department of Health and Human Services (HHS) announced on April 20 that it plans to launch a cybersecurity initiative modeled on the US Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) that will be aimed at educating healthcare organizations and consumers about the risks of using mobile applications and data. The new center, which will be called the Health Cybersecurity and Communications Integration Center (HCCIC), is intended to be a collaborative effort between the public sector and private industry. A similar cybersecurity initiative is being developed by the Centers for Medicare & Medicaid Services (CMS).

Chris Wlaschin, the chief information security officer for HHS, says this type of collaborative center is needed because approximately 50% of US healthcare organizations lack adequate tools to deter and manage cyber breaches. As mobile health applications become more prevalent, HHS sees the HCCIC as an opportunity to help developers secure patient data.

The new HHS center represents a continuing effort by the federal government to address healthcare app cybersecurity. In December 2016, the FDA released guidance on “Mobile Medical Applications.” The HHS Office for Civil Rights and the Federal Trade Commission have also launched online resources for medical app cybersecurity. And HHS’s Health Care Industry Cybersecurity Task Force recently submitted a draft report to Congress that laid out six “imperatives” for lawmakers and executive branch officials to consider when seeking to secure patient data, including security surrounding applications.

If you or your company is developing, or has implemented a medical app, the Dentons Privacy and Cybersecurity Group can help you navigate this constantly developing federal landscape. We will also provide further updates as the HCCIC becomes operational this summer.


NIST Releases Draft Guidance On Securing Wireless Infusion Pumps In The Healthcare Industry

On May 8, 2017, the National Institute of Standards and Technology (NIST), through its National Cybersecurity Center of Excellence (NCCoE), released a new draft NIST Cybersecurity Practice Guide (SP 1800-8) entitled “Securing Wireless Infusion Pumps in Healthcare Delivery Organizations.” The purpose of the new guidance is to address the security flaws in external infusion pumps in the healthcare industry, and provide engineers and IT professionals a roadmap for how they can securely configure and deploy wireless infusion pumps by using “standards-based commercially available technologies and industry best practices[.]” NIST Cybersecurity Practice Guides (Special Publication Series 1800) target specific cybersecurity challenges in the public and private sector, and are intended to serve as practical, user-friendly guides that facilitate the adoption of standards-based approaches to cybersecurity. They do not describe regulations or mandatory practices. Nor do they carry statutory authority. NIST is accepting public comment on the new draft guidance through July 7, 2017.

Overview Of Draft Guidance

Infusion pumps are defined by the FDA as medical devices that deliver fluid into a patient’s body in a controlled manner. Once standalone instruments that interacted only with the patient or medical provider, infusion pumps are now connected to a variety of systems and networks, contributing to what NIST calls the Internet of Medical Things (IoMT). This new connectivity brings with it benefits and challenges. Although connecting infusion pumps to point-of-care medication systems and electronic health records can improve the healthcare delivery process, it can also create significant cybersecurity risk that could lead to operational or safety risks. Specifically, tampering with the wireless infusion pump ecosystem can expose a healthcare provider to:

  1. Access by malicious actors;
  2. Loss or corruption of enterprise information and patient data and health records;
  3. A breach of protected health information;
  4. Loss or disruption of healthcare services; or
  5. Damage to an organization’s reputation, productivity, and bottom-line revenue.

Key Takeaways From New Draft Guidance

The new guidance is written from a how-to perspective, providing details on how to install, configure and integrate components. It is therefore primarily intended for professionals implementing security solutions within a healthcare organization, such as biomedical, networking and cybersecurity engineers and IT professionals who are responsible for securing and configuring wireless infusion pumps. The new guidance maps out the security characteristics of wireless infusion pump ecosystems to currently available cybersecurity standards and the HIPAA Security Rule, and applies “security controls to the pump’s ecosystem to create a ‘defense-in-depth’ solution for protecting infusion pumps and their surrounding systems against various risk factors.”

NIST claims organizations will, if they adopt the new guidance:

  • Reduce cybersecurity risk, and potentially reduce impact to safety and operational risk, such as the loss of patient information or interference with the standard operation of a medical device;
  • Develop and execute a defense-in-depth strategy that protects the enterprise with layers of security to avoid a single point of failure and provides strong support for availability; and
  • Implement current cybersecurity standards and best practices, while maintaining the performance and usability of wireless infusion pumps.

A copy of the draft guidance is here. If you or your business are interested in submitting public comments in response to the new draft guidance, the Dentons Privacy and Cybersecurity Group can help. We are also prepared to assist your organization in navigating the new draft guidance and securing your networked devices against the constantly evolving threat landscape.


FBI Warns Cyber Criminals Are Targeting Unsecured FTP Servers In The Healthcare Industry

On March 22, 2017, the FBI issued a Private Industry Notification, warning that criminal actors are actively targeting File Transfer Protocol (FTP) servers operating in “anonymous” mode and associated with medical and dental facilities to “access protected health information (PHI) and personally identifiable information (PII) in order to intimidate, harass, and blackmail business owners.” FTP servers are used to transfer files between various parties. When an FTP server is placed in anonymous mode, it allows a user to authenticate to the server with a common username such as “anonymous” or “ftp” without submitting a password, or by submitting a generic password or e-mail address.

The FBI warns that cyber criminals could use an FTP server in anonymous mode to store malicious tools or launch targeted cyber attacks. Therefore, “any misconfigured or unsecured server operating on a business network on which sensitive data is stored or processed exposes the business to data theft and compromise by cyber criminals who can use the data for criminal purposes such as blackmail, identity theft, or financial fraud.”

The FBI recommends that medical and dental healthcare entities ask their IT services personnel to check their networks for FTP servers running in anonymous mode. If a business has a legitimate use for operating an FTP server in anonymous mode, administrators should ensure that sensitive PHI or PII is not stored on that server.
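A defensive audit helper in the spirit of that recommendation, added here as an example and not part of the FBI notification: an active anonymous-login test for FTP servers you administer, and a passive scan of vsftpd-style log lines that reports anonymous logins and transfers per client. The log format and the sample lines are constructed for the example; a real server’s log layout may differ.

```python
"""Audit helpers for anonymous-mode FTP (example code, not from the FBI notice)."""
import re
from ftplib import FTP, error_perm, all_errors
from typing import Dict, List, Optional

# Usernames that FTP daemons treat as anonymous (vsftpd logs the session as [ftp]).
ANON_USERS = {"anonymous", "ftp"}

# Constructed vsftpd-style log line: timestamp, pid, [user], OK|FAIL ACTION: Client "ip"[, "path" ...]
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) \[pid \d+\] \[(?P<user>[^\]]*)\] '
    r'(?P<status>OK|FAIL) (?P<action>[A-Z]+): Client "(?P<client>[^"]+)"'
    r'(?:, "(?P<path>[^"]+)")?'
)


def anonymous_login_allowed(host: str, port: int = 21, timeout: float = 5.0) -> Optional[bool]:
    """Active check for a server you administer: True if an anonymous login succeeds,
    False if the server refuses it (530), None if the host could not be assessed."""
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login()  # no arguments: ftplib sends user "anonymous", password "anonymous@"
        ftp.quit()
        return True
    except error_perm:  # permanent 5xx reply, i.e. anonymous login rejected
        return False
    except all_errors:  # unreachable, timeout, or not an FTP service at all
        return None


def find_anonymous_activity(lines: List[str]) -> Dict[str, dict]:
    """Passive check over log lines: successful anonymous logins and transfers, keyed by client."""
    findings: Dict[str, dict] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "OK" or m["user"] not in ANON_USERS:
            continue  # parse failure, failed attempt, or an authenticated (named) user
        entry = findings.setdefault(m["client"], {"logins": 0, "transfers": []})
        if m["action"] == "LOGIN":
            entry["logins"] += 1
        elif m["action"] in ("DOWNLOAD", "UPLOAD") and m["path"]:
            entry["transfers"].append((m["action"], m["path"]))
    return findings


# Constructed sample log: one anonymous session that reads a PHI-looking file and
# uploads a tool, one named user, and one failed anonymous attempt.
SAMPLE_LOG = [
    'Wed Mar 22 09:14:02 2017 [pid 3120] [ftp] OK LOGIN: Client "203.0.113.7", anon password "mozilla@example.com"',
    'Wed Mar 22 09:14:10 2017 [pid 3120] [ftp] OK DOWNLOAD: Client "203.0.113.7", "/pub/patients/records_2017.csv", 48213 bytes, 512.33Kbyte/sec',
    'Wed Mar 22 09:15:01 2017 [pid 3120] [ftp] OK UPLOAD: Client "203.0.113.7", "/incoming/tool.exe", 90112 bytes, 700.10Kbyte/sec',
    'Wed Mar 22 09:20:44 2017 [pid 3131] [alice] OK LOGIN: Client "192.0.2.15"',
    'Wed Mar 22 09:21:00 2017 [pid 3140] [ftp] FAIL LOGIN: Client "203.0.113.9"',
]

if __name__ == "__main__":
    for client, info in find_anonymous_activity(SAMPLE_LOG).items():
        print(client, info)
```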

The FBI encourages businesses to report information concerning suspicious or criminal activity to their local FBI office or the FBI’s 24/7 Cyber Watch.

A copy of the notification can be found here.


New Mexico Becomes 48th State To Enact Data Breach Notification Law

On April 6, 2017, New Mexico became the 48th state to enact a data breach notification law, leaving Alabama and South Dakota as the only two states without such a law. The New Mexico law goes into effect June 16, 2017.

Who Is Covered? Defining “Personal Identifying Information”

The new law applies to any “person that owns or licenses elements that include personal identifying information of a New Mexico resident[.]” The definition of “personal identifying information” largely tracks the definitions adopted by sister states, and includes an individual’s first name or first initial and last name in combination with one or more of the following data elements, when such data elements “are not protected through encryption or redaction or otherwise rendered unreadable or unusable:”

  • social security number;
  • driver’s license number;
  • government-issued identification number;
  • account number, credit card number or debit card number in combination with any required security code, access code or password that would permit access to a person’s financial account; or
  • biometric data.

Biometric data is defined under the new law to mean a record generated by automatic measurements of an identified individual’s fingerprints, voice print, iris or retina patterns, facial characteristics or hand geometry that is used to “uniquely and durably authenticate an individual’s identity when the individual accesses a physical location, device, system or account[.]” “[E]ncrypted” is defined under the new statute to mean “rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security[.]” And “personal identifying information” does not mean information that is “lawfully obtained from publicly available sources or from federal, state or local government records lawfully made available to the general public[.]”

When Is Notification Required?

Defining “Security Breach”

Notification is required under the new law when the “personal identifying information” of a “New Mexico resident” is “reasonably believed to have been subject to a security breach.” The phrase “security breach” is defined under the statute to mean the “unauthorized acquisition of unencrypted computerized data, or of encrypted computerized data and the confidential process or key used to decrypt the encrypted computerized data, that compromises the security, confidentiality or integrity of personal identifying information maintained by a person.” The phrase “security breach” does not include the good-faith acquisition of personal identifying information by an employee or agent of a person for a “legitimate business purpose of the person[,]” so long as the personal identifying information is not subject to further unauthorized disclosure.

45-Day Window

Notice under the new law must be made “in the most expedient time possible, but no later” than 45 calendar days “following discovery of the security breach[.]” Notification may be delayed, however, if a law enforcement agency determines that the notification will impede a criminal investigation, or “as necessary to determine the scope of the security breach and restore the integrity, security and confidentiality of the data system.”

Investigation Defense / Risk Of Harm

Notification is not required if “after an appropriate investigation, the person determines that the security breach does not give rise to a significant risk of identity theft or fraud.”

What Is Required In The Notice?

If notice is required, the new law provides specific content requirements, including:

  • The name and contact information of the notifying person;
  • A list of the types of personal identifying information that are reasonably believed to have been the subject of a security breach, if known;
  • The date of the security breach, the estimated date of the breach or the range of dates within which the security breach occurred, if known;
  • A general description of the security breach incident;
  • The toll-free telephone numbers and addresses of the major consumer reporting agencies;
  • Advice that directs the recipient to review personal account statements and credit reports, as applicable, to detect errors resulting from the security breach; and
  • Advice that informs the recipient of the notification of the recipient’s rights pursuant to the federal Fair Credit Reporting Act.

Are There Exemptions?

Yes. The new law does not apply to covered persons subject to the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act of 1996.

Do The Attorney General And Credit Reporting Agencies Require Notification?

Yes. If notice goes out to more than 1,000 New Mexico residents “as a result of a single security breach” the covered person must “notify the office of the attorney general and major consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. Section 1681a(p)[.]” Such notice must be made “in the most expedient time possible,” but no later than the same time that notice goes out to the impacted resident – 45 calendar days. Such notice must “notify the attorney general of the number of New Mexico residents that received notification” and “shall provide a copy of the notification that was sent to affected residents within” 45 calendar days “following discovery of the security breach[.]”

Is There A Private Right Of Action?

No. The new law only allows for an enforcement action brought by the attorney general. And in such cases, the attorney general may seek injunctive or compensatory relief. If the court determines the person violated the new law “knowingly or recklessly,” the court may also impose a civil penalty of the greater of $25,000 or, in the case of failed notification, $10.00 per instance of failed notification up to a maximum of $150,000.

5 Takeaways

  1. Encryption is key. The new law contains a safe harbor provision for encrypted data, so long as the encryption key is not compromised. The new law does not describe the specific encryption method required, as opposed to Tennessee’s new revisions.
  2. Investigation is key. Conducting an adequate and thorough investigation at the outset of a breach is critical under the new law. Conducting such an investigation will provide for extra time to complete notification, if required. It will also allow for non-notice if the investigation determines the security breach “does not give rise to a significant risk of identity theft or fraud.”
  3. Consider involving law enforcement. It may seem counterintuitive, but involving law enforcement early in a data breach case may provide extra time on notification. The federal government, and particularly the FBI and DHS, also actively encourage private business to reach out in the case of a data breach. In the case of 1,000 impacted New Mexico residents, however, notice to the New Mexico attorney general is required.
  4. Time is of the essence. The new law provides a 45 calendar day window to effectuate notice to both residents and law enforcement, when required. That means investigations need to be undertaken immediately, and without delay.

The Dentons Privacy and Cybersecurity Group is prepared to help you and your business navigate this new law, address your encryption issues, and conduct the investigations required once a breach occurs.
