NIST issues guidance on securing smart speakers
Smart home devices, such as voice-activated digital assistants, are increasingly used in home health care, and that use carries risks. An attacker could change a prescription, steal medical data, or connect a patient to an impostor. To reduce cybersecurity risks tied to this use, NIST has released guidelines to help protect patients and providers.

The guidelines examine security and privacy challenges when smart speakers and other IoT devices become part of telehealth setups.
These setups, often called hospital-at-home programs, let patients complete daily check-ins, view results, and interact with clinicians using voice commands and connected medical monitors. Smart speakers link to cloud services to interpret commands. When a patient’s voice is sent for processing, that data travels across networks and could be exposed if protections are weak.
Security risks in connected home health environments
The NIST guidance lays out examples of how patient data and control functions can be threatened in integrated smart home systems. These include:
- Data exfiltration
- Data manipulation
- Denial of service
- Operating system or application disruption
- Unauthorized access
The paper draws on existing NIST security and privacy frameworks, such as the Cybersecurity Framework 2.0 and the Privacy Framework 1.0, to map mitigation suggestions to established practices.
Recommended safeguards for smart home telehealth
The guidance calls for encrypting communications and restricting access to authorized users and devices. A main point is that providers should set up network segmentation between medical or biometric devices and the rest of the home network and health care systems. Network segmentation splits a network into separate sections, often using tools like firewalls, which makes it harder for an attacker to break into one device and then move to others.
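The segmentation idea above can be checked mechanically. The following is an added example, not taken from the NIST guidance: it evaluates an ordered firewall policy (first match wins, default deny) and computes which network zones a compromised device could reach, directly or by hopping through intermediate zones. The zone names, addresses and both rule sets are constructed for illustration.

```python
import ipaddress

# Constructed zones (assumed addressing, not from the NIST guidance).
ZONES = {
    "home_iot": "192.168.10.0/24",   # smart speaker and other household devices
    "medical": "192.168.20.0/24",    # connected medical monitors
    "provider": "10.50.0.0/16",      # health care system side
}

# Ordered rules: (action, source CIDR, destination CIDR).
# FLAT models an unsegmented home network; SEGMENTED isolates the medical zone.
FLAT = [
    ("allow", "192.168.0.0/16", "192.168.0.0/16"),
    ("allow", "192.168.20.0/24", "10.50.0.0/16"),
]
SEGMENTED = [
    ("deny", "192.168.10.0/24", "192.168.20.0/24"),
    ("allow", "192.168.20.0/24", "10.50.0.0/16"),
]

def allowed(rules, src_zone, dst_zone):
    """First-match evaluation of zone-to-zone traffic, default deny.

    Assumes rules are written at zone granularity or coarser, so a rule
    applies when both zone subnets fall inside the rule's CIDRs.
    """
    src = ipaddress.ip_network(ZONES[src_zone])
    dst = ipaddress.ip_network(ZONES[dst_zone])
    for action, rule_src, rule_dst in rules:
        if (src.subnet_of(ipaddress.ip_network(rule_src))
                and dst.subnet_of(ipaddress.ip_network(rule_dst))):
            return action == "allow"
    return False

def reachable_from(rules, start):
    """Zones reachable from `start`, including via intermediate zones."""
    seen, stack = set(), [start]
    while stack:
        current = stack.pop()
        for zone in ZONES:
            if zone != start and zone not in seen and allowed(rules, current, zone):
                seen.add(zone)
                stack.append(zone)
    return seen

if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name, "-> from home_iot:", sorted(reachable_from(rules, "home_iot")))
```

In the flat policy the household zone has no direct rule to the provider side, yet it reaches it by way of the medical zone; the segmented policy removes that path while the medical devices keep their route to the provider.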
Although the guidelines are aimed at technical and information security teams, they also offer useful guidance for patients.
While this project focuses on providing guidance for the safe use of smart home devices, the safeguards are limited to how the devices are used. They don’t extend to device manufacturing, hardware, operating systems, or software development approaches that may support clinical access functionality.
“Certain people might not be able to reach a hospital, but they can talk to their smart speaker,” said Ron Pulivarti, a cybersecurity specialist at NIST’s National Cybersecurity Center of Excellence (NCCoE). “Telehealth patients and their providers exchange confidential information over the network, and we want to show what can go wrong and what we can do to protect them.”