Thomas P. Dover


3 Papers

Apr 7, 2021
Evaluating Medical IoT (MIoT) Device Security using NISTIR-8228 Expectations

Thomas P. Dover

How do healthcare organizations (from small practices to large HDOs) evaluate adherence to cybersecurity and privacy protection for Medical Internet of Things (MIoT) devices used in clinical settings? This paper suggests an approach for such evaluation using National Institute of Standards and Technology (NIST) guidance. Through application of NISTIR 8228 Expectations it is possible to quantitatively assess cybersecurity and privacy protection and determine relative compliance with recommended standards. This approach allows organizations to evaluate the level of risk an MIoT device poses to IT systems and to determine whether or not to permit its use in healthcare/IT environments. This paper reviews the current state of IoT/MIoT cybersecurity and privacy protection using historical and current industry guidance and best practices; recommendations by federal agencies; NIST publications; and federal law. It then presents similarities and differences between IoT/MIoT devices and "traditional" (or classic) Information Technology (IT) hardware, and cites several challenges IoT/MIoT devices pose to cybersecurity and privacy protection. Finally, a practical approach to evaluating cybersecurity and privacy protection is offered along with enhancements for validating assessment results. In so doing it demonstrates general compliance with both NIST guidance and HIPAA/HITECH requirements.

Oct 9, 2019
Using NIST Special Publications (SP) 800-171r2 and 800-172/800-172A to assess and evaluate the Cybersecurity posture of Information Systems in the Healthcare sector

Thomas P. Dover

This paper describes how NIST Special Publications (SP) 800-171r2 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations), SP 800-172 (Enhanced Security Requirements for Protecting Controlled Unclassified Information) and SP 800-172A (Assessing Enhanced Security Requirements for Controlled Unclassified Information) can be used to evaluate the cybersecurity posture of information systems and supporting frameworks relative to HIPAA and HITECH. It demonstrates that the provisions and baseline security requirements outlined in SP 800-171r2 and SP 800-172/172A for the protection of Controlled Unclassified Information (CUI) can be applied to Electronic Protected Health Information (ePHI). An explanation of how these publications align with HIPAA, and how this alignment suffices for evaluating IT environment security, is given along with the process and procedure for performing such an evaluation. Finally, the benefits of using this approach to support formal risk assessment are presented.

Apr 19, 2013
Legacy Forensics: An Emerging Challenge

Thomas P. Dover

With the passage of time, and as new types of storage devices are introduced into the marketplace, contemporary devices will slowly lose their compatibility with current operating systems and PC hardware. As a result, such legacy devices will pose an analytical challenge to the field of digital forensics. Dated technology, while still fully functional, is becoming increasingly incompatible with most contemporary computing hardware and software and thus cannot be properly examined in present-day digital forensic environments. This fact will not be lost on those who utilize legacy hardware to commit criminal acts. This paper describes the technical challenge of accessing legacy devices by describing an effort to resuscitate a Bernoulli Drive, a portable storage device manufactured in 1983 by Iomega Corporation. A number of lessons learned are provided, and the implications of legacy devices for digital forensic science are discussed.