NIST and Telehealth: Securing the Remote Patient Monitoring Ecosystem

We are living in an exhilarating time in the world of healthcare. A common theme among many healthcare related stories and articles we come across today is that things which were once thought to be a matter of science fiction are now moving closer to becoming a reality.

A Feb 27, 2019, article from Forbes Magazine, entitled, “Telemedicine: The Latest Futuristic Tech Prediction from The Jetsons To Come True” [1], brought up a cartoon show from 1962, “The Jetsons,” in which depicted patients video conferencing physicians for diagnosis and treatment as being something commonplace.

Interestingly, in a later episode of the same television program (originally aired one season from 1962-1963) the cartoon’s protagonist, George Jetson, goes to his doctor for a physical and receives a “Peek-A-Boo Prober Capsule” to swallow. Once swallowed, the Peek-A-Boo Prober Capsule traveled throughout George’s body allowing his doctor to visually monitor and assess the health of George’s vital organs. (Source: Smithsonian Magazine)

Fast forward to 2019

Today we find telemedicine still includes remote patient consultation via video conferencing, interactive voice response (IVR), tablets, and smartphones; however, modern advances in telemedicine (and the broader field of telehealth) include far more than remote conferencing capabilities. Peek-A-Boo Prober Capsules notwithstanding, advancing information and communication technology (ICT), is allowing healthcare professionals to monitor patients remotely using a variety of non-invasive digital technologies. (Source: National Center for Biotechnical Information)

Stepping back for a moment to consider a couple of definitions, we find the terms telemedicine and telehealth are often used interchangeably. However, the Health Resources and Services Administration (HRSA) of the U.S. Department of Health and Human Services defines telehealth as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, public health and health administration.”(Source: HealthIT.gov Telemedicine or “healing at a distance” generally refers to the use of information and communications technologies to assess, diagnose and treat patients at a distance.  Remote Patient Monitoring (RPM) is rapidly moving to the forefront of concerns about telemedicine and telehealth because of the increasing adoption of RPM as a means enabling direct clinical interaction with patients from inside of their home, rather than inside of a medical facility.  (Source: National Center for Biotechnical Information)

On November 20, 2018, The National Cybersecurity Center of Excellence (NCCoE) at NIST released a draft project description, “Securing Telehealth Remote Patient Monitoring Ecosystem: Cybersecurity for the Healthcare Sector.” (Source: NCCoE/NIST) The outcome of this project will be to “provide a reference architecture that will address the security and privacy risks for healthcare delivery organizations (HDOs) leveraging telehealth and remote patient monitoring (RPM) capabilities.” (Source: NCCoE/NIST)

The draft document goes on to explain “The project team will perform a risk assessment on a representative RPM ecosystem in the laboratory environment, apply the NIST Cybersecurity Framework and guidance based on medical device standards, and collaborate with industry and public partners.” (Source: NCCoE/NIST)  The project will result in a NIST Cybersecurity Practice Guide (SP 1800 series), detailing the steps required to implement the NIST CSF to secure an ever-evolving RPM ecosystem.

While the period for public comment closed on December 21, 2018, it is beneficial to review the draft project description, if one hasn’t already, to consider the various elements of the NIST Cybersecurity Framework as they may be applied to the privacy and security of RPM systems in anticipation of the final SP 1800 series document from NIST.

The driving force behind the project is that, until recently, interactive patient monitoring systems (interactive, meaning the ability to send and receive data in real time) have typically been deployed in the controlled environment of a medical facility, even in the case of mobile medical units. Today, however, advances in networking technology, cloud computing, wireless infrastructure, and medical device capabilities have led to the emergence of an RPM ecosystem. This RPM ecosystem was represented at a high level in the NCCoE draft document.

NCCoE NIST Telehealth Platform

Image Source: “Securing Telehealth Remote Patient Monitoring Ecosystem: Cybersecurity for the Healthcare Sector.”

While the heart of the interaction is to enable a healthcare provider to monitor a patient’s health status, behavior telehealth necessitates the introduction of an array of disparate components to carry out this interaction remotely. An overview of the various components involved in the telehealth RPM ecosystem include, but are not limited to, the following:

Care Provider’s Clinical and Information Systems

The paramount result is for clinicians to receive timely and reliable patient data which can be used to make accurate and efficient clinical decisions. Therefore, at the care provider’s end, there will ultimately be some device that receives and interprets or assists in the interpretation of patient data, meaning there will be issues of privacy and security surrounding this endpoint device or devices. Furthermore, these clinical systems will be connected to the healthcare systems network which will involve routers, switches, firewalls, Ethernet and Wi-Fi, VPN, and most likely, depending on the size of the organization, a data center or multiple data centers, with physical and virtual servers, storage systems, and a host of other applications and appliances related to information technology and information security management.

Vendor Information Systems

Depending upon the size and role of vendor or vendors involved in the care provider’s telehealth and RPM solution there will be many of the same, if not all, of the components involved as the care provider’s clinical and information systems with additional concerns about the vendor-supplied telehealth and remote monitoring technology.

Telehealth and Remote Patient Monitoring Technology

The telehealth platform is the solution which enables data communications to flow from the monitoring equipment in the patient’s home to the monitoring equipment in the clinician’s office. This platform will be comprised of internet and cloud-based audio, video and data communications, telemetry data transmission protocols, video and audio conferencing systems, secure email and secure text messaging systems, and various networking integration and internetworking capabilities.  Additionally, there are privacy and security concerns about the actual patient monitoring devices and other peripheral devices such as specialized mobile applications, and other standalone devices to support remote data transmission capabilities.

The Patient Home Environment

While not as complex as the care provider, vendor, or telehealth and RPM systems environments, securing the patient’s home environment is critical to the confidentiality, integrity, and availability of the patient data flowing through the RPM ecosystem. Key components of the patient’s home environment include personal firewalls, cable modems, wireless routers and access points, PC’s, laptops, tablets and smartphones as well as smart home devices (like home security systems and appliances) sitting on the patient’s home network. Other considerations include endpoint security in the patient’s home such as anti-virus and anti-malware software, the endpoint security of any telehealth application residing on a managed or unmanaged mobile device, or specialized standalone devices that participant in the transmission of telemetry data or audio and video connectivity. Added to that, the patient monitoring equipment deployed in the home may be used to perform diagnostic tasks (e.g., blood pressure, glucose levels, BMI/weight measurement) or continuous patient monitoring systems (such as cardiac implanted electrical device monitoring systems) designed to transmit information and alerts about the health of the device as well as the health of the patient.

As stated earlier, the NCCoE project team will perform a risk assessment using the NIST Cybersecurity Framework Version 1.1. on a representative RPM ecosystem stood up in a laboratory environment. The draft document furnished a brief overview how various RPM ecosystem components would be addressed under the Identify (ID), Detect (DE), Protect (PR), Respond (RS), and Recover (RC) NIST CSF framework:

NIST CSF framework

Table adapted from “Securing Telehealth Remote Patient Monitoring Ecosystem: Cybersecurity for the Healthcare Sector.”

If you have remote monitoring systems in place or are planning a remote monitoring system implementation you would be well to perform an end-to-end risk assessment of all the components outlined by The National Cybersecurity Center of Excellence.

At Clearwater, we are experts at implementing the NIST Cybersecurity Framework and we’ve done so successfully for small, medium and very large clients over the years. If you have any questions or would like to discuss plans to implement the NIST Cybersecurity Framework in a current or planned telehealth solution we’d be happy to talk with you about it today.

Newsletter

Sign up for our monthly newsletter discussing hot topics and access to invaluable resources.


Related Blogs

Navigating the HIPAA Privacy Rule for Reproductive Healthcare: Compliance Essentials Before the December 2024 Deadline

Navigating the HIPAA Privacy Rule for Reproductive Healthcare: Compliance Essentials Before the December 2024 Deadline

In an era where the privacy of reproductive healthcare has become a topic for debate, healthcare organizations face growing fears and challenges over the potential misuse of sensitive patient data. Recent legal developments, coupled with the shifts following the Dobbs v. Jackson decision, have shown the urgent need for robust safeguards. Notably, the December 23, 2024 compliance deadline for the HIPAA Privacy Rule Final Rule to Support Reproductive Health Care Privacy offers a pivotal moment to address these concerns.
The Health Care Cybersecurity and Resiliency Act of 2024: Key Takeaways and Implications

The Health Care Cybersecurity and Resiliency Act of 2024: Key Takeaways and Implications

The Cybersecurity and Resiliency Act (HCCRA) of 2024 is yet another proposed bill aimed at strengthening the healthcare sector’s cybersecurity posture and resilience. It focuses on improving coordination between government organizations, updating cybersecurity standards, increasing breach reporting requirements, and providing grants to rural healthcare organizations that lack both financial and human resources needed to address growing cybersecurity vulnerabilities and increasing threats.

Connect
With Us