The NIST National Cybersecurity Center of Excellence released the final version of the Securing Telehealth Remote Patient Monitoring Ecosystem guidance, designed to support provider organizations with keeping telehealth and remote patient monitoring secured.
The guidance aims to tackle the traditional patient monitoring platforms in the healthcare infrastructure, as well as monitoring equipment used by patients outside of the hospital setting. The new remote care capabilities include third-party platform providers using videoconferencing, cloud or internet technologies, among others.
“As the use of these capabilities continues to grow, it is important to ensure the infrastructure supporting them can maintain the confidentiality, integrity, and availability of patient data,” NCCoE explained with the release. “Risks are distributed across the solution architecture, and the methods by which one may mitigate those risks vary in complexity.”
While entities aren’t able to “manage and deploy privacy and cybersecurity controls unilaterally, they retain the responsibility to ensure that appropriate controls and risk mitigation are applied,” they added.
It’s been two years since NCCoE set up the telehealth project focused on addressing the risk posed by telehealth tech. The effort included collaboration with healthcare, tech and telehealth entities and a request for comment period for other relevant stakeholders to develop an effective framework centered around a standards-based approach to much-needed remote care tech.
Since that time, the ongoing pandemic and the healthcare response have led to an explosion in telehealth adoption and remote patient monitoring, enabling better care continuity and patient support.
While these platforms offer convenience and increase cost effectiveness for patients, NIST researchers stressed the lack of adequate privacy and cybersecurity measures may inadvertently lead to patient privacy and data security risks.
Through this collaboration, NCCoE developed a reference guide that breaks down recommended standards-based approaches and the cybersecurity technologies able to support the implementation of effective privacy and cybersecurity controls. Applied together, these should help provider organizations enhance the resilience of their telehealth and remote care ecosystem.
NCCoE researchers explained the guide can help healthcare entities identify risks associated with their current telehealth ecosystem, as well as how the NIST Privacy Framework can be used to broaden understanding of current privacy challenges.
Entities can use the guide to find best-practice approaches for partnering with the right telehealth vendors, those that apply the most effective cybersecurity and privacy control deployment and management policies and procedures, while ensuring the efficacy of the solutions.
NCCoE also included considerations for selecting and implementing new platforms able to augment the safeguards of data communications, along with NIST Cybersecurity for the Internet of Things program guidance that informs capabilities and nontechnical supporting capabilities of medical device cybersecurity for the secure deployment and configuration of RPM ecosystems.
The practice guidance details the involvement of workforce members, in collaboration with effective processes and technology, to create a “holistic risk mitigation strategy.” For NIST, the hope is to support “risk assessment approaches to determine where risks may occur and used assessment processes to identify applicable controls.”
In short, “technology solutions alone may not be sufficient to maintain privacy and security controls on external environments.”
The guidance is tailored to business decision makers, technology, security and privacy managers, and IT professionals. NCCoE is encouraging interested parties to provide feedback on the insights to inform areas of needed improvement.