NIST Issues Guidelines to Secure Smart Speakers in Home Telehealth
A new set of guidelines released by the U.S. National Institute of Standards and Technology on December 17, 2025, seeks to reduce cybersecurity and privacy risks associated with the use of smart speakers for home health care. The document, titled *Mitigating Cybersecurity and Privacy Risks in Telehealth Smart Home Integration*, was finalized a day later and targets both technical specialists and health‑care providers across the United States.
Telehealth and Smart Speakers
Smart speakers—voice‑activated digital assistants that connect to the Internet of Things—are increasingly employed to enable patients to speak with clinicians, refill prescriptions, or schedule appointments without leaving home. While this capability expands access for individuals who cannot easily reach a hospital, it also introduces vectors for data exfiltration, manipulation, and unauthorized access.
Identified Threat Scenarios
The NIST publication outlines several plausible attack paths, including interception of unencrypted voice‑assistant communications that could expose personally identifiable information or protected health information, alteration of transmitted data that might compromise patient records, denial‑of‑service events that disrupt service continuity, and the use of compromised speakers as pivot points to infiltrate broader hospital networks.
Mitigation Strategies
To address these risks, the guidelines recommend enabling end‑to‑end encryption for all voice‑assistant traffic, restricting device access to authorized users, and implementing network segmentation that isolates medical or biometric devices from general‑purpose home networks. The recommendations draw on existing NIST resources such as the Cybersecurity Framework (CSF 2.0), the Privacy Framework (PF 1.0), and the IoT Core Baseline for Consumer IoT Products (NISTIR 8425).
Expert Insight
“Certain people might not be able to reach a hospital, but they can talk to their smart speaker,” said Ron Pulivarti, a cybersecurity specialist at NIST’s National Cybersecurity Center of Excellence. “Telehealth patients and their providers exchange confidential information over the network, and we want to show what can go wrong and what we can do to protect them.” Pulivarti added that smart speakers often lack built‑in security controls, making them attractive pivot points for attackers seeking to breach hospital systems.
Implications for Providers and Patients
Although the guidance is primarily aimed at information‑security professionals, NIST emphasizes that patients can also benefit by understanding basic security practices and encouraging caregivers to adopt the recommended mitigations. By applying the outlined safeguards, health‑care organizations can lower the likelihood of data breaches while continuing to offer valuable remote services.
This report is based on information from NIST, licensed under Public Domain (U.S. Government Work). Source: Official U.S. Government release.