The National Cybersecurity Center of Excellence (NCCoE) is a US government organisation that builds and shares solutions to potential cybersecurity threats faced by US businesses. The NCCoE is a part of the National Institute of Standards and Technology, a non-regulatory federal agency within the US Department of Commerce.
Earlier this month, NCCoE released a draft paper entitled “Securing Telehealth Remote Patient Monitoring Ecosystem: Covering Cybersecurity for the Healthcare Sector”. Telehealth may be broadly described as providing a health-related service through electronic telecommunication technologies. The document aims to provide “practical solutions” for ensuring telehealth remains secure, and that telehealth infrastructure “can maintain the confidentiality, integrity, and availability of patient data, and to ensure the safety of patients”.
In particular, the document focuses on remote patient monitoring (RPM) technologies. These technologies allow medical professions to monitor their patient outside of a traditional clinical setting. Proponents of the technology state that it will allow wider access to healthcare service, and ultimately drive the cost of medical care down. Patients may be able to stay in the comfort of their own homes and still access quality medical care, allowing them increased independence and saving them from paying expensive hospital fees. However, the increased use of RPM technologies are is not without risk. Deploying such technology in a patient’s home provides unprecedented technological and physical security issues. Identifying all possible vulnerabilities, managing these risks and ensuring a robust level of security is a major challenge.
The NCCoE’s report aims to provide best practices for “improving the overall security in the RPM environment”. By providing guidelines of practical steps which healthcare organisations, patients and relevant third-parties can follow, it is hoped that the overall security of RPM environments may be improved. The report also provides a risk assessment on a representative RPM system in a laboratory environment.
Some risks are of particular concern to those who are sceptical about the use of RPM environments. If these devices were to be hacked by cybercriminals, the protected health information (PHI) of patients may be stolen and used for malicious purposes, such as identity fraud. The device may be vulnerable to malware, and its performance may be compromised, at great risk to the patient. Recently, the FDA highlighted serious cybersecurity risks surrounding medical devices. The transmission of PHI between medical devices must follow the standards outlined in the Health Insurance Portability and Accountability Act (HIPAA).
“The project team will perform a risk assessment on a representative RPM ecosystem in the laboratory environment, apply the NIST Cybersecurity Framework and guidance based on medical device standards, and collaborate with industry and public partners,” explained NCCoE.
NCCoE has evaluated the following functions of the devices:
- Connectivity of devices and applications deployed on patient-owned devices such as smartphones, tablets, laptops, and desktop computers
- How applications transmit monitoring data to healthcare providers
- The ability for patients to interact with their point of contact to initiate care
- The ability for data to be analyzed by healthcare providers to identify trends and issue alerts to clinicians about issues with patients
- The ability for data to be shared with electronic medical record systems
- The ability for patients to initiate videoconference sessions through telehealth applications
- The ability for application patches and updates to be installed
- How a healthcare provider can establish a connection with a remote monitoring device to obtain patient telemetry data
- How a healthcare provider can connect to a remote monitoring device to update the device configuration
The paper does not cover risks specific to third party telehealth platform providers nor does it evaluate device vulnerabilities and defects. The paper does not cover secure software development practice in detail.
Stakeholders (including patients; providers; payers; federal, state, and local governments) have been invited to comment on the draft paper. Comments will be accepted until December.
The guidance document can be here.