Network security considerations

Increasing use of IoT infrastructure and devices introduces additional security challenges and introduce an additional set of risks to the confidentiality, integrity, and availability of critical data and systems. The application of effective security of IoT devices is key to protecting sensitive data, maintaining privacy and preventing unauthorised access.

IoT devices can be an entry point into organisation-wide networks. When the devices are not secured, once they are compromised, they can be used by attackers to navigate through the network and infiltrate into other systems. These infected devices can be used to intercept communications, access the network without authorisation to obtain sensitive data, and carry out malicious attacks such as distributed denial-of-service (DDoS) attacks.

NHS organisations should have a robust local Security Policy in place for all communications, networking, and IT equipment that adheres to relevant NHS and government national policies and guidelines.

This section provides a non-exhaustive overview of several NHS England and UK government policies and guidelines that we consider relevant to organisations when deploying IoT solutions.

NHS England:

• Data Security and Protection Toolkit

• Network segmentation - An introduction for health and care organisations

Government:

• Secure by design
• Data protection: The Data Protection Act

• Code of Practice for Consumer IoT Security

National Cyber Security Centre (NSCS):

• Secure design principles
• Cyber Assessment Framework