A draft report from the National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce, examines cybersecurity vulnerabilities and privacy risks related to medical devices on the Internet of Things (IoT).
“Many organizations are not necessarily aware they are using a large number of IoT devices. It is important that organizations understand their use of IoT because many IoT devices affect cybersecurity and privacy risks differently than conventional IT devices do,” according to the draft report, titled “Considerations for Managing IoT Cybersecurity and Privacy Risks.” (More information on the report is available online at: https://bit.ly/2CMk8l9.)
Many organizations are not aware they are using such a large number of IoT devices, the report says.
“It is important that organizations understand their use of IoT because many IoT devices affect cybersecurity and privacy risks differently than IT devices do,” the draft report says. “Once organizations are aware of their existing IoT usage and possible future usage, they need to understand how the characteristics of IoT affect managing cybersecurity and privacy risks, especially in terms of risk response.”
NIST recommends three risk mitigation goals:
• Protect device security to prevent a device from being used to conduct attacks, eavesdrop on network traffic, or compromise other devices on the same network segment.
• Protect data security by securing the confidentiality, integrity, and/or availability of data collected by, stored on, processed by, or transmitted to or from the IoT device.
• Ensure the privacy of individuals affected by the processing of personally identifiable information, beyond the risks managed through device and data security protection.
Each of the risk mitigation goals requires addressing a set of risk mitigation areas, the NIST report says.