8 ways IoT devices could affect cybersecurity and privacy risks
A report from the National Institute of Standards and Technology notes that many healthcare organizations are unaware that Internet of Things devices being used may affect cybersecurity and privacy risks differently than conventional IT devices do. Here are 8 examples that NIST, one of the nation’s oldest physical science laboratories and part of the Department of Commerce, asked for comment from industry stakeholders.
Lack of management features
Administrators may not be able to fully manage an IoT device’s firmware, operating system and applications throughout the IoT device’s lifecycle. Unavailable features may include the ability to acquire, verify the integrity of, install, configure, store, retrieve, execute terminate, remove, replace, update and patch software.
Lack of interfaces
Some IoT devices lack application and/or human user interfaces for device use and management. When such interfaces do exist, they may not provide the functionality usually offered by conventional IT devices. An example is the challenge in notifying users about an IoT device’s processing of their personally identifiable information (PII) so they can provide meaningful consent to this processing. Other issues include lack of universally accepted standards for IoT application interfaces such as expressing and formatting data, issuing commands and fostering interoperability between IoT devices.
Difficulties with management at scale
Most IoT devices do not support standardized mechanisms for centralized management and the sheer number of devices to be managed may be overwhelming.
Wide variety of software to manage
There is extensive variety in the software used by IoT devices, including firmware, standard and real-time operating systems, and applications. This significantly complicates software management throughout the IoT device lifecycle, affecting such areas as configuration and patch management.
Differing lifespan expectations
A manufacturer may intend for a particular IoT device to be used for only a few years than be discarded. An organization buying that device might want to use it for a longer time, but the manufacturer may stop supporting the device, such as not releasing patches for known vulnerabilities either by choice or because of supply chain limitations.
IoT device hardware may not be serviceable, meaning it cannot be repaired, customized or inspected internally.
Lack of inventory capabilities
IoT devices brought into an organization may not be inventoried, registered and otherwise provisioned via the normal IT process. This is especially true for devices that did not previously have networking capabilities.
There is often heterogeneous ownership of IoT devices. A device may transfer data to manufacturer-provided cloud-based service processing and storage because the IoT device lacks these processing and storage capabilities. Data may also be sent to a cloud service to aggregate data from multiple IoT devices in a single location. In some cases, only manufacturers have the authority to do maintenance. An organization attempting to install patches or do other maintenance tasks on an IoT device may void the warranty.