In November, the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) issued a draft project description outlining work it plans to undertake: a reference architecture that addresses the security and privacy risks healthcare delivery organizations face when they adopt telehealth capabilities such as remote patient monitoring.
Traditionally, patient monitoring systems have been deployed inside healthcare facilities, in controlled environments. Remote patient monitoring (RPM) differs in that the monitoring equipment is deployed in the patient’s home, according to the NCCoE. NIST is housed within the Department of Commerce.
These capabilities, which can involve third-party platform providers offering videoconferencing and leveraging cloud and internet technologies coupled with RPM devices, are used to manage numerous conditions, for example in patients battling chronic illness or requiring post-operative monitoring. As their use continues to grow, it is important to ensure that the infrastructure supporting them can maintain the confidentiality, integrity, and availability of patient data and protect the safety of patients, according to the NCCoE.
To address these security, privacy and safety concerns, the NCCoE aims to provide a practical solution for securing the telehealth RPM ecosystem. The project team will perform a risk assessment on a representative RPM ecosystem in a laboratory environment, apply the NIST Cybersecurity Framework and guidance based on medical device standards, and collaborate with industry and public partners. The team will also create a reference design and a detailed description of the practical steps needed to implement a secure solution based on standards and best practices, according to the organization.
The project will result in a publicly available NIST Cybersecurity Practice Guide: a detailed implementation guide describing the practical steps needed to build a cybersecurity reference design that addresses this challenge.
The NCCoE sought public feedback on the project, which was detailed in a draft released in November called “Securing Telehealth Remote Patient Monitoring Ecosystem.”
The American Medical Informatics Association (AMIA) is one industry organization that has voiced support for the NCCoE project to develop guidance around security and privacy risks associated with remote patient monitoring.
In written comments about the project, AMIA president and CEO Doug Fridsma says he “foresees a future of care delivery and disease management that will rely heavily on RPM,” due to a “confluence of shifting and/or diminished reimbursement, aging and chronically ill population growth, and continued depopulation of rural areas.”
Securing these systems and ensuring trust in the data they generate is of the utmost priority, and is at the heart of consumers’ ability to obtain care and manage their health, Fridsma noted in the written comments.
Among its recommendations, AMIA advises the NCCoE to leverage existing mobile infrastructure and health IT standards.
“The ultimate spread, scale, and usage of these RPM tools will likely depend more on the commercial marketplace than the short- and long-term plans of healthcare institutions. Further, patients/consumers will use the tools that they are familiar with and that fit best into their individual ‘workflows.’ Securing the existing mobile infrastructure where individuals perform most of their day-to-day living will improve the likelihood that healthcare-specific tasks will succeed,” Fridsma noted.
Fridsma also noted that AMIA recommends NIST focus on data security and integrity measures that provide data provenance and support a consistent semantic meaning of the data across RPM manufacturers.