Ra-9 Nist


Rode Strawther

Aug 3, 2024, 1:33:45 PM
to norvialasrott

If there are any discrepancies noted in the content between this NIST SP 800-53 database and the latest published NIST SP 800-53 Revision 5 and NIST SP 800-53B, please contact sec-...@nist.gov and refer to the official published documents as the normative source.

Certain commercial entities, equipment, products, or materials may be identified by name or company logo or other insignia in order to acknowledge their participation in this collaboration or to describe an experimental procedure or concept adequately. Such identification is not intended to imply special status or relationship with NIST or recommendation or endorsement by NIST or NCCoE; neither is it intended to imply that the entities, equipment, products, or materials are necessarily the best available for the purpose.

As a private-public partnership, we are always seeking feedback on our practice guides. We are particularly interested in seeing how businesses apply NCCoE reference designs in the real world. If you have implemented the reference design, or have questions about applying it in your environment, please email us at hit_...@nist.gov.

NIST Cybersecurity Practice Guides (Special Publication 1800 series) target specific cybersecurity challenges in the public and private sectors. They are practical, user-friendly guides that facilitate the adoption of standards-based approaches to cybersecurity. They show members of the information security community how to implement example solutions that help them align with relevant standards and best practices and provide users with the lists of materials, configuration files, and other information they need to implement a similar approach.

The documents in this series describe example implementations of cybersecurity practices that businesses and other organizations may voluntarily adopt. These documents do not describe regulations or mandatory practices nor do they carry statutory authority.

Increasingly, healthcare delivery organizations (HDOs) are relying on telehealth and remote patient monitoring (RPM) capabilities to treat patients at home. RPM is convenient and cost-effective, and its adoption rate has increased. However, without adequate privacy and cybersecurity measures, unauthorized individuals may expose sensitive data or disrupt patient monitoring services.

This practice guide assumes that the HDO engages with a telehealth platform provider that is a separate entity from the HDO and patient. The telehealth platform provider manages a distinct infrastructure, applications, and set of services. The telehealth platform provider coordinates with the HDO to provision, configure, and deploy the RPM components to the patient home and assures secure communication between the patient and clinician.

The NCCoE analyzed RPM ecosystem risk factors by applying methods described in the NIST Risk Management Framework. The NCCoE also leveraged the NIST Cybersecurity Framework, NIST Privacy Framework, and other relevant standards to identify measures to safeguard the ecosystem. In collaboration with healthcare, technology, and telehealth partners, the NCCoE built an RPM ecosystem in a laboratory environment to explore methods to improve the cybersecurity of an RPM.

Technology solutions alone may not be sufficient to maintain privacy and security controls on external environments. This practice guide notes the application of people, process, and technology as necessary to implement a holistic risk mitigation strategy.

The Technology Partners/Collaborators who participated in this build submitted their capabilities in response to a notice in the Federal Register. Respondents with relevant capabilities or product components were invited to sign a Cooperative Research and Development Agreement (CRADA) with NIST, allowing them to participate in a consortium to build this example solution. We worked with:

NOTICE: The Information Technology Laboratory (ITL) has requested that holders of patent claims whose use may be required for compliance with the guidance or requirements of this publication disclose such patent claims to ITL. However, holders of patents are not obligated to respond to ITL calls for patents and ITL has not undertaken a patent search in order to identify which, if any, patents may apply to this publication.

As of the date of publication and following call(s) for the identification of patent claims whose use may be required for compliance with the guidance or requirements of this publication, no such patent claims have been identified to ITL.

This practice guide demonstrates how healthcare delivery organizations (HDOs) can implement cybersecurity and privacy controls to enhance the resiliency of telehealth services. In collaboration with industry partners, the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) built a laboratory environment to simulate the telehealth ecosystem and enable remote patient monitoring (RPM) services for patients.

Implementing an RPM ecosystem involves multiple parties and environments. In developing the reference architecture for this practice guide, the NCCoE considered components that would be deployed in three distinct domains that encompass the RPM ecosystem: the patient home environment, the telehealth platform provider, and the HDO. The project team engaged with a telehealth platform provider that leveraged cloud services and facilitated audio- and videoconferencing between the patient home and the HDO. The telehealth platform provider provisioned and managed biometric devices that were deployed in the patient home, and routed data and communication between the patient home and the HDO.

The NCCoE built a laboratory environment to simulate the telehealth ecosystem, performed a risk assessment, and developed an example implementation that demonstrates how HDOs can use standards-based, commercially available cybersecurity technologies and collaborate with telehealth platform providers to assure privacy and security of biometric devices that are deployed to the patient home.

Section 1, Summary, presents: the challenge addressed by the NCCoE project with an in-depth look at our approach, the architecture, and the security characteristics we used; the solution demonstrated to address the challenge; benefits of the solution; and the collaborators who participated in building, demonstrating, and documenting the solution.

Section 2, How to Use This Guide, explains how business decision makers, program managers, information technology (IT) professionals (e.g., systems administrators), and biometric engineers might use each volume of the guide.

Section 3, Approach, offers a detailed treatment of the scope of the project, the risk assessment that informed platform development, and the technologies and components that industry collaborators gave us to enable platform development.

Section 4, Architecture, specifies the components within the RPM ecosystem from business, security, and infrastructure perspectives and details how data and processes flow throughout the ecosystem. This section also describes the security capabilities and controls referenced in the NIST Cybersecurity Framework through tools provided by the project collaborators.

Section 6, Functional Evaluation, summarizes the test sequences employed to demonstrate security platform services, the NIST Cybersecurity Framework Functions to which each test sequence is relevant, and the NIST Special Publication (SP) 800-53 Revision 5 controls demonstrated in the example implementation.

The appendices provide acronym translations, references, a deeper dive into the threats and risks associated with RPM, the review of the NIST Privacy Risk Assessment Methodology (PRAM), and a list of additional informative security references cited in the framework.

Telehealth RPM solutions deploy components across multiple infrastructure domains that are maintained uniquely. When HDOs deploy RPM solutions, those solutions implement architectures that distribute components across the HDO, telehealth platform providers, and patient homes. Each of these respective environments is managed by different groups of people, often with different sets of resources and technical capabilities. Risks are distributed across the solution architecture, and the methods by which one may mitigate those risks vary in complexity. While HDOs do not have the ability to manage and deploy privacy and cybersecurity controls unilaterally, they retain the responsibility to ensure that appropriate controls and risk mitigation are applied.

Technology solutions alone may not be sufficient to maintain privacy and security controls on external environments. This practice guide notes the involvement of people, process, and technology as necessary to implement a holistic risk mitigation strategy. When developing this practice guide, the NCCoE team applied risk assessment approaches to determine where risks may occur and used assessment processes to identify applicable controls.

The NCCoE collaborated with healthcare, technology, and telehealth partners to build a distributed RPM solution. The RPM solution implemented controls that safeguard the HDO environment and documented approaches that the telehealth platform provider addresses. Telehealth platform providers assure that RPM components are isolated within the patient home environment. The telehealth platform provider assures end-to-end data security between the patient and the HDO.

This NIST Cybersecurity Practice Guide demonstrates a standards-based reference design and provides users with the information they need to replicate an RPM environment. This reference design is modular and can be deployed in whole or in part.

Technology or security program managers who are concerned with how to identify, understand, assess, and mitigate risk will be interested in this part of the guide, NIST SP 1800-30B, which describes what we did and why. The following sections will be of particular interest:

You might share the Executive Summary, NIST SP 1800-30A, with your leadership team members to help them understand the importance of adopting standards-based commercially available technologies that can help secure the RPM ecosystem.
