NIST SPECIAL PUBLICATION 1800-30
Securing Telehealth Remote Patient Monitoring Ecosystem
Securing Telehealth Remote Patient Monitoring Ecosystem¶
Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B); and How-To Guides (C)
Jennifer Cawthra*
Nakia Grayson
Ronald Pulivarti
Bronwyn Hodges
Jason Kuruvilla*
Kevin Littlefield
Sue Wang
Ryan Williams*
Kangmin Zheng
*Former employee; all work for this publication done while at employer.
FINAL
This publication is available free of charge from https://doi.org/10.6028/NIST.SP.1800-30
The second draft of this publication is available free of charge from https://www.nccoe.nist.gov/sites/default/files/legacy-files/rpm-nist-sp1800-30-2nd-draft.pdf
NIST SPECIAL PUBLICATION 1800-30
Securing Telehealth Remote Patient Monitoring Ecosystem
Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B); and How-To Guides (C)
Jennifer Cawthra*
Nakia Grayson
Ronald Pulivarti
National Cybersecurity Center of Excellence
National Institute of Standards and Technology
Bronwyn Hodges
Jason Kuruvilla*
Kevin Littlefield
Sue Wang
Ryan Williams*
Kangmin Zheng
The MITRE Corporation
McLean, Virginia
*Former employee; all work for this publication done while at employer.
FINAL
February 2022
U.S. Department of Commerce
Gina M. Raimondo, Secretary
National Institute of Standards and Technology
James K. Olthoff, Performing the non-exclusive functions and duties of the Under Secretary of Commerce for Standards and Technology & Director, National Institute of Standards and Technology
- 1 Summary
- 2 How to Use This Guide
- 3 Approach
- 4 Architecture
- 5 Security and Privacy Characteristic Analysis
- 5.1 Assumptions and Limitations
- 5.2 Pervasive Controls
- 5.3 Telehealth Platform Providers
- 5.4 Risk Assessment (ID.RA and ID.RA-P)
- 5.5 Identity Management, Authentication, and Access Control (PR.AC and PR.AC-P) Protective Technology
(PR.PT-P) - 5.6 Data Security (PR.DS and PR.DS-P)
- 5.7 Anomalies and Events, Security Continuous Monitoring (DE.AE, DE.CM), and Data Processing Management
(CT.DM-P)
- 6 Functional Evaluation
- 7 Future Build Considerations
- Appendix A List of Acronyms
- Appendix B References
- Appendix C Threats and Risks
- Appendix D Problematic Data Actions and Risks
- D-1 Privacy Risk Assessment Methodology
- D-2 Problematic Data Actions and Mitigations
- D-2.1 Privacy Risk 1: Storage and movement of data create multiple points of potential exposure after data are collected from the patient
- D-2.2 Privacy Risk 2: Biometric device types can indicate patient health problems that individuals would prefer not to disclose beyond their healthcare provider
- D-2.3 Privacy Risk 3: Incorrect data capture of readings by devices may impact quality of patient care
- D-2.4 Privacy Risk 4: Aggregated data may expose patient information
- D-2.5 Privacy Risk 5: Exposure of patient information through multiple providers of system components increases the likelihood of exposure of patient data to unintended recipients
- D-3 Additional Program Mitigations Applicable Across Various Data Actions
- Appendix E Benefits of IoT Device Cybersecurity Requirements
- Appendix F Applying the OSI Model in Understanding Zero Trust Architecture
- 1 Introduction
- 2 Product Installation Guide
- Appendix A List of Acronyms
- Appendix B References