- The National Cybersecurity Center of Excellence at NIST is seeking industry feedback on a draft paper that outlines how to best secure remote monitoring devices and systems for telehealth providers.
As many healthcare delivery organizations further leverage telehealth capabilities like remote patient monitoring and videoconferencing to treat patients in their homes, it’s important that the infrastructure supporting these tools can protect patient data and privacy.
Initially, remote patient monitoring was used in the healthcare setting, a controlled environment. As these tools have moved outside the hospital setting, the risks of using them have increased.
NCCoE is planning to use the draft paper to create a reference architecture to address those risks and support those providers.
“The goal of this project is to provide a practical solution for securing the telehealth RPM ecosystem,” the report authors wrote. “The project team will also create a reference design and a detailed description of the practical steps needed to implement a secure solution based on standards and best practices.”
“The project team will perform a risk assessment on a representative RPM ecosystem in the laboratory environment, apply the NIST Cybersecurity Framework and guidance based on medical device standards, and collaborate with industry and public partners,” they added.
Specifically, the researchers will assess RPM equipment deployed in a patient’s home, such as tools for monitoring blood pressure, heart rate, BMI weight measurements and the like.
Data from those devices are then transmitted from the patient’s home network and routed across the public internet, and may also be transmitted to a third-party vendor. Researchers will analyze connectivity between those devices and apps and the ability of those apps to transmit data to the provider. They’ll also determine whether a patient can initiate care at the point of contact and the ability of a provider to monitor and analyze data to spot trends.
The researchers will also look at the device infrastructure of RPMs that use third-party vendor platforms, analyzing both the patient and healthcare organization environments. As the project progresses, the researchers hope to identify identity and access management controls and their limitations.
“This project will address cybersecurity concerns about having monitoring devices in patients’ homes,” the report authors wrote. “This project will also identify cybersecurity measures that [providers] may consider when offering RPM with video telehealth capabilities.”
“This project does not evaluate monitoring devices for vulnerabilities, flaws, or defects. The intent of this project is to provide practical guidance for the security control,” they added.