Securing Telehealth Remote Patient Monitoring Ecosystem

Traditionally, patient monitoring systems have been deployed in healthcare facilities, in controlled environments. Remote patient monitoring (RPM), however, is different in that monitoring equipment is deployed in the patient’s home. These new capabilities can involve third-party platform providers utilizing videoconferencing capabilities, and may leverage cloud and internet technologies coupled with RPM devices. As the use of these capabilities continues to grow, it is important to ensure the infrastructure supporting them can maintain the confidentiality, integrity, and availability of patient data.

A distributed solution that enables health delivery organizations to better secure their remote patient monitoring ecosystem.

Telehealth remote patient monitoring (RPM) solutions enable patients with chronic or recurring conditions to receive continuous monitoring and treatment from care providers while in their homes. The project team performed a risk assessment on a representative RPM ecosystem in the laboratory environment, applied the NIST Cybersecurity Framework and guidance based on medical device standards, and collaborated with industry and public partners. This project demonstrates how an organization may implement a solution to enhance privacy and secure their telehealth RPM ecosystem.

Status: Reviewing Comments

The public comment period has closed for the second draft of NIST Special Publication 1800-30, Securing Remote Patient Monitoring Ecosystem. Thank you to everyone who shared their feedback with us. We are currently reviewing the comments received as work continues on the implementation of the demonstration and development of other sections of the publication. 

Project Abstract

Increasingly, healthcare delivery organizations (HDOs) are relying on telehealth and RPM capabilities to treat patients at home. RPM is convenient and cost-effective, and its adoption rate has increased. However, without adequate privacy and cybersecurity measures, unauthorized individuals may expose sensitive data or disrupt patient monitoring services. RPM solutions engage multiple actors as participants in patients’ clinical care. These actors include HDOs, telehealth platform providers, and the patients themselves. Each participant uses, manages, and maintains different technology components within an interconnected ecosystem, and each is responsible for safeguarding their piece against unique threats and risks associated with RPM technologies.

This practice guide assumes that the HDO engages with a telehealth platform provider that is a separate entity from the HDO and patient. The telehealth platform provider manages a distinct infrastructure, applications, and set of services. The telehealth platform provider coordinates with the HDO to provision, configure, and deploy the RPM components to the patient home and assures secure communication between the patient and clinician.

The NCCoE analyzed risk factors in an RPM ecosystem by using a risk assessment based on the NIST Risk Management Framework. The NCCoE also leveraged the NIST Cybersecurity Framework, NIST Privacy Framework, and other relevant standards to identify measures to safeguard the ecosystem. In collaboration with healthcare, technology, and telehealth partners, the NCCoE built an RPM ecosystem in a laboratory environment to explore methods to improve the cybersecurity of an RPM ecosystem.

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

 

Join the Community of Interest

A Community of Interest (COI) is a group of professionals and advisors that share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Members typically meet monthly by teleconference. Share your expertise and consider becoming a member of this project's COI.
