NIST Issues Final Guidance on RPM, Telehealth Security

February 24, 2022 - The National Cybersecurity Center of Excellence (NCCoE), which is part of the National Institute of Standards and Technology (NIST), released final guidance on remote patient monitoring (RPM) and telehealth security.

NCCoE is part of the Applied Cybersecurity Division of NIST’s Information Technology Laboratory and regularly releases guides, and best practices focused on cybersecurity. The center’s goal is to help organizations secure their data by providing practical cybersecurity best practices and guidance, its website states.

Although telehealth technology is not new, COVID-19 pushed many healthcare organizations toward telehealth and RPM solutions. As adoption increased, the likelihood of cyberattacks targeted at telehealth and RPM services also rose. Healthcare organizations must consider security and privacy risks to protect sensitive data.

“Telehealth RPM solutions deploy components across multiple infrastructure domains that are maintained uniquely. When [healthcare organizations] deploy RPM solutions, those solutions implement architectures that distribute components across the [healthcare organization], telehealth platform providers, and patient homes,” the publication stated.

“Each of these respective environments is managed by different groups of people, often with different sets of resources and technical capabilities. Risks are distributed across the solution architecture, and the methods by which one may mitigate those risks vary in complexity. While [healthcare organizations] do not have the ability to manage and deploy privacy and cybersecurity controls unilaterally, they retain the responsibility to ensure that appropriate controls and risk mitigation are applied.”

NCCoE emphasized that technology solutions alone are not enough to protect against cyber threats. Focusing on people, process, and technology is crucial to maintaining telehealth and RPM security.

The RPM ecosystem consists of the telehealth platform provider, the healthcare organization, and the patient’s home environment. All these points must be accounted for in order to maintain security.

The publication is aimed at healthcare professionals who are implementing RPM ecosystems using third-party telehealth platform providers. Since the telehealth platform provider manages devices and collects biometric data, the guide stressed the criticality of third-party risk assessments and proper security controls.

NCCoE also recommended that these data security controls align with the NIST Cybersecurity Framework and the NIST Privacy Framework.

“If you're in a hospital, all the technology that is used to monitor you and take care of you is all within the confines of the hospital's firewall. It's a tightly controlled technology IT environment, and all the equipment inside can be very tightly secured,” Milan Shah, CTO of Biofourmis, said in a previous interview with HealthITSecurity.

“The minute you take some part of that technology and send it home with the patient, suddenly you have to open up holes in your defense system so that the technology from the home can send data to the central systems where the clinicians can actually provide the care.”

A survey conducted by Arlington Research and commissioned by Kaspersky found that over 80 percent of surveyed healthcare providers globally harbor concerns about data security and privacy.

More than 50 percent of provider respondents reported having cases where patients refused to participate in telehealth services because they did not trust that the technology would protect their privacy and security.

In addition, 70 percent of respondents said their practice relied on legacy operating systems, exposing them to security vulnerabilities.

Despite these concerns, respondents largely agreed that telehealth would add the most value to the healthcare sector in the next five years compared to any other technology.