The National Institute of Standards and Technology’s National Cybersecurity Center of Excellence (NCCoE) has issued a draft paper explaining the privacy and security risks of telehealth and remote monitoring devices and offering recommendations for protecting the telehealth and remote monitoring ecosystem.
Healthcare facilities have traditionally used patient monitoring systems within their own premises, but these systems are now increasingly used by patients at home. Although the devices are straightforward to secure in a controlled setting such as a hospital, deploying them in patients’ homes introduces risks that are harder to address. Reducing those risks to an acceptable level, and ensuring that remote monitoring systems and tools have a level of security comparable to in-house systems, is a significant challenge.
NCCoE hopes the paper will serve as a reference for healthcare organizations and will offer sensible steps to take to improve the security of the remote patient monitoring ecosystem.
The paper explores cybersecurity issues associated with the use of these devices in homes and on home networks, and with the use of patient-owned devices. It also identifies cybersecurity measures that can be implemented by healthcare organizations that operate remote patient monitoring (RPM) and video telehealth functions.
A NIST/NCCoE project team conducted a risk analysis of a representative RPM ecosystem in the lab, applied the NIST Cybersecurity Framework together with guidance based on medical device specifications, and worked with industry and public partners when writing the guidance.
Risks specific to third-party telehealth platform vendors are not covered by the paper, nor are vulnerabilities and flaws in specific devices. The NCCoE paper is mostly concerned with:
- How devices and applications used on patient-owned devices, including laptops, tablets, desktop computers and smartphones, are accessed
- How applications send patient monitoring data to healthcare providers
- The means for patients to communicate with their point of contact to initiate care
- The capability for data to be reviewed by healthcare providers to determine trends
- How alerts are sent to physicians about patient problems
- The capability for data to be transferred to electronic medical record systems
- The capability for patients to start video conference sessions via telehealth applications
- The installation of application updates and patches
- How a healthcare professional could set up a network with a remote monitoring device in order to get patient telemetry data
- How a healthcare professional can connect to a remote monitoring device for updating device settings
The guidance can be downloaded from the following link: