By Eric Wicklund, mHealth Intelligence | August 29, 2019
Federal regulators are asking for examples from telehealth providers on how they offer secure remote patient monitoring programs.
The National Institute on Standards and Technology (NIST) is set to post a notice in this week’s Federal Register calling for help from the connected health industry “to provide an architecture that can be referenced and guidance for securing a telehealth remote patient monitoring (RPM) ecosystem in healthcare delivery organizations (HDOs) and patient home environments, including an example solution that uses existing, commercially, and open-source available cybersecurity products.”
Backed by growing support from payers (including Medicare) and improved telemedicine technology, hospitals and health systems are launching RPM programs to gain insight into their patients’ activities outside the healthcare site. They’re using everything from mHealth wearables to telehealth platforms with wireless devices and smart systems to gather physiological and other data to improve care management and coordination.
But these programs aren’t without their security concerns, particularly since they extend outside the four walls of the hospital or doctor’s office. Wireless networks, platforms and devices are prone to being hacked, giving access to valuable and sensitive health information.
The challenge lies in incorporating and integrating new technologies that don’t traditionally meet the rigorous privacy and security standards expected in the healthcare industry, most often because they’ve been developed by innovators in other industries and adapted to healthcare. This includes consumer-facing mHealth devices like the Fitbit and Apple Watch, as well as video platforms like Skype and You Tube.
The project is being overseen by the NIST’s National Cybersecurity Center of Excellence.
“Traditionally, patient monitoring systems have been deployed in healthcare facilities, in controlled environments,” the NCCoE notes on its website. “Remote patient monitoring (RPM), however, is different in that monitoring equipment is deployed in the patient’s home. These new capabilities, which can involve third-party platform providers utilizing videoconferencing capabilities, and leveraging cloud and internet technologies coupled with RPM devices, are used to treat numerous conditions, such as patients battling chronic illness or requiring post-operative monitoring.”
The project builds off a report published in May 2019 on the challenges of securing an RPM platform.
“As use of these capabilities continues to grow, it is important to ensure that the infrastructure supporting them can maintain the confidentiality, integrity, and availability of patient data, and to ensure the safety of patients,” that report noted. “It is also important to ensure the privacy of patient data by considering the privacy engineering objectives of predictability, manageability, and disassociability of data.”
The project’s goal, officials say, is to create an NIST Cybersecurity Practice Guide specifically for RPM programs. Comments on this proposal are due to NIST by September 30.