The National Institute of Standards and Technology recently announced it would fund a project to develop guidance around the security and privacy risks associated with remote patient monitoring.
NIST said its team will perform a risk assessment on a representative system, apply the NIST framework and guidance around medical device standards, and collaborate with industry stakeholders. NIST is also drafting guidance that would address the steps needed to implement secure tools based on standards and best practices.
In response to its request for information, the American Medical Informatics Association announced its support for the guidelines, foreseeing “a future of care delivery and disease management that will rely heavily on RPM.”
Stressing the need for data coordination across the home and community, AMIA President and CEO Doug Fridsma explained that a public-private collaborative is necessary to recognize the challenges around RPM and organize “data source identification, registration, and production of metadata for the appropriate reuse of such data.”
To start, AMIA stressed that security means ensuring the data is not corrupted and is only seen by authorized parties. Further, the NIST RPM guidance should work with the mobile infrastructure already in place, rather than building a health-specific standard.
“The ultimate spread, scale, and usage of these RPM tools will likely depend more on the commercial marketplace than the short and long-term plans of healthcare institutions,” Fridsma wrote. “Further, patients/consumers will use the tools that they are familiar [with] and [that] fit best into their individual ‘workflows.’”
“Securing the existing mobile infrastructure where individuals perform most of their day-to-day living will improve the likelihood that healthcare specific tasks will succeed,” he added.
Among its recommendations is the need to encrypt data that is stored and transmitted. Further, NIST needs to build a process to vet RPM vendors for security flaws. If the request is beyond the scope of the project, Fridsma proposed NIST define the framework that could be used for the vetting process.
The group also proposed standardizing the data packet structure so that a receiver could determine whether the data has been altered.
“If a modification can be performed without being detected as a change, clinical action taken could be harmful and if that was the intention of the cybercriminal, patients could be harmed or killed,” Fridsma wrote. “We know many instances where action has been taken based on a computer reading because computer readings are inherently trusted.”
Also notable, AMIA asked for standard unit definitions for reporting, including measurement specificity.
“Data units should have standard descriptions so there is no confusion as to whether ‘meters per second’ is the same as ‘MPS,’” Fridsma explained.
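The two points above, a packet structure from which alteration can be detected and unit codes that leave no room for confusion, can be shown together in one small receiver-side check. The following is an added example and is not code from the article, NIST, or AMIA: the HMAC-SHA256 construction, the sequence number used to catch replays, the unit registry, the device key and the sample blood-pressure reading are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Constructed demo key. A real deployment would provision a distinct key per
# device (or use asymmetric signatures) rather than a shared constant.
DEVICE_KEY = b"constructed-demo-key-not-for-production"

# Assumed registry of accepted unit codes, written in the UCUM style so that a
# receiver never has to guess whether "MPS" means "m/s". Unknown codes are rejected.
UNIT_CODES = {
    "m/s": "meters per second",
    "mm[Hg]": "millimeters of mercury",
    "/min": "per minute",
    "Cel": "degrees Celsius",
}


def canonical_bytes(payload: dict) -> bytes:
    """Serialise the payload deterministically so sender and receiver MAC the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_packet(device_id: str, seq: int, measurement: str, value: float,
                 unit: str, key: bytes = DEVICE_KEY) -> dict:
    """Wrap one reading in a fixed structure: explicit unit code, monotonically
    increasing sequence number, and an HMAC-SHA256 tag over the canonical payload."""
    if unit not in UNIT_CODES:
        raise ValueError(f"unit code {unit!r} is not in the shared registry")
    payload = {
        "device_id": device_id,
        "seq": seq,
        "measurement": measurement,
        "value": value,
        "unit": unit,
    }
    tag = hmac.new(key, canonical_bytes(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def verify_packet(packet: dict, last_seq: int, key: bytes = DEVICE_KEY) -> Tuple[bool, str]:
    """Return (accepted, reason). Rejects a packet whose tag does not match its
    payload (modification), whose sequence number does not advance past the last
    accepted one (replay), or whose unit code is unknown (ambiguous reporting)."""
    payload = packet.get("payload")
    tag = packet.get("tag")
    if not isinstance(payload, dict) or not isinstance(tag, str):
        return False, "malformed packet"
    expected = hmac.new(key, canonical_bytes(payload), hashlib.sha256).hexdigest()
    # Constant-time comparison so tag checking does not leak timing information.
    if not hmac.compare_digest(expected, tag):
        return False, "integrity check failed"
    if not isinstance(payload.get("seq"), int) or payload["seq"] <= last_seq:
        return False, "replayed or out-of-order sequence number"
    if payload.get("unit") not in UNIT_CODES:
        return False, "unknown unit code"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample reading from a hypothetical blood-pressure cuff.
    pkt = build_packet("cuff-0001", 42, "systolic_bp", 128.0, "mm[Hg]")
    print(verify_packet(pkt, last_seq=41))       # (True, 'ok')

    # The same packet with its value changed and the tag left untouched.
    tampered = json.loads(json.dumps(pkt))
    tampered["payload"]["value"] = 88.0
    print(verify_packet(tampered, last_seq=41))  # (False, 'integrity check failed')

    # The genuine packet delivered a second time.
    print(verify_packet(pkt, last_seq=42))       # (False, 'replayed or out-of-order sequence number')
```

The tag covers the unit code as well as the value, so a reading cannot be silently relabelled from one unit to another, and the sequence check means a captured, authentic packet cannot be fed back later as a fresh measurement. Provenance in the sense the article uses it would add a per-device identity (a certificate or provisioned key) so that the receiver also knows which device produced the tag.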
AMIA asked NIST to look to Singapore’s RPM standards for insights on securing the technology. HL7 and IHE are currently working on RPM guidance around FHIR use. An RPM infrastructure supporting data provenance will be crucial to ensuring the data is accurate and unchanged from its origin.
“Securing these systems and ensuring trust in the data generated by these systems is an utmost priority and is at the heart of consumers’ ability to obtain care and manage their health,” Fridsma wrote.
NIST recently finalized its Risk Management Framework, solely focused on privacy and security concerns around IT risk management.