
NIST Completes RFID Security Guidelines

"At NIST, we don't create regulations or policies," says Karygiannis, "but in the report, we point to the existing regulations that someone at an organization that is charged with writing a privacy policy regarding RFID should consider."

Among the recommended practices for organizations deploying RFID, the paper describes a five-phase life cycle to help determine the most appropriate actions to take at each point in the development of an RFID system. The life cycle is based on a model introduced in NIST Special Publication 800-64, Security Considerations in the Information System Development Life Cycle. In Phase One, Initiation, it suggests that organizations perform a security and privacy risk assessment and develop policy and requirements with which the RFID system must comply.

In Phase Two, Acquisition/Development, the report says RFID network architects should specify the security requirements with which the RFID system must comply, as well as how the hardware and software to be deployed will support these criteria. In Phase Three, Implementation, it reads, "procured equipment is configured to meet operational and security requirements, RFID data is integrated with legacy enterprise systems, and staff are trained in the proper use and maintenance of the system." For Phase Four, Operations/Maintenance, the organization deploying RFID performs such security-related tasks as periodic security assessments, applying security-related software patches and reviewing RFID event logs. And during Phase Five, Disposition, several security steps are outlined, such as preserving information to meet legal requirements, and disabling or destroying tags and other components when they are taken out of service.

To show how these best practices and the five-phase life cycle can be applied, the report includes two hypothetical case studies: one regarding a personnel- and asset-tracking application in a health-care setting, the other involving the management of hazardous wastes.

Patrick Sweeney, CEO of RFID systems integration firm ODIN Technologies, says the report shows RFID technology can be deployed securely. "The key take-away is that the security of RFID requires a very specialized level of understanding, expertise and process," he says. Sweeney will appear along with RFID end user Shaw Industries and Robert Cresanti, the DOC's undersecretary of commerce and technology, at next week's RFID Journal LIVE! 2007 conference in Orlando, Fla. In a prepared statement, Cresanti noted that the NIST report "lays the foundation for addressing potential RFID security risks so that a thoughtful enterprise can launch a smart tag program with confidence."

The full NIST report is available for download at http://csrc.nist.gov/publications/nistpubs/800-98/SP800-98_RFID-2007.pdf.
