Securing the Remote Patient Monitoring Ecosystem

By George W. Jackson, Jr.

Senior Principal Consultant at Clearwater Compliance

Every CISO knows that April 2019 was a grim milestone: the worst month for healthcare data breaches since 2010 when the Office for Civil Rights began reporting healthcare data breaches of 500 individuals or more publicly. In April, 44 breaches were reported and the medical records of nearly 700,000 people were compromised.

Unfortunately, those numbers may soon shoot higher as remote patient monitoring (RPM) becomes more commonplace. To date, the cybersecurity performance of telehealth platforms has been good – mainly because the platforms connect covered entities that have well-established cybersecurity procedures and protocols. But the new frontier in telehealth is RPM, where data is collected and transmitted from the patient’s home – a far less secure environment.

Why RPM Is Increasing Rapidly

Last year, the Centers for Medicare and Medicaid Services (CMS) finalized its plans for reimbursing healthcare providers for certain remote patient monitoring services. CMS created three new billing codes for Chronic Care Remote Physiologic Monitoring. One of the new codes allows RPM services to be performed not only by physicians but by RNs and medical assistants. Some studies are predicting that the RPM market will reach a staggering $31.3 billion by the end of 2023.

Anticipating this spike in RPM care, the National Cybersecurity Center of Excellence (NCCoE), part of the National Institute of Standards and Technology (NIST), has launched the “Securing Telehealth Remote Patient Monitoring Ecosystem” research project. The NCCoE team will apply the NIST Cybersecurity Framework to perform a risk assessment on a representative RPM ecosystem in the laboratory environment. The study will closely examine how clinicians at health delivery organizations (HDOs) leverage telehealth technology to remotely monitor patients battling a chronic illness or requiring post-operative monitoring.

According to the final project description, researchers are making these assumptions:

• Patient monitoring devices (e.g., blood pressure cuffs, body mass index [BMI]/weight scales) may leverage commercially available communications (e.g., Bluetooth, Wi-Fi/ wireless, or cellular) to transmit telemetry data to the home monitoring application.
• The home monitoring application is a provider-managed solution that may be installed on a provider-managed or unmanaged patient-owned mobile device.
• The home monitoring application may transmit telemetry data to the remote monitoring server via a cellular or Wi-Fi connection.
• The patient is in his or her home during the telehealth interaction (e.g., video, patient monitoring).
• Video telehealth interactions may leverage patient-owned devices or devices provided by the primary care facility.
• Clinicians participating in telehealth interactions use secured communications methods.

Evaluation Overview

Here are some of the functions that the project is likely to evaluate:

• Connectivity between monitoring devices and applications deployed to mobile devices (e.g., smartphones, tablets) or to patient workstations (e.g., laptops, desktops)
• The patient’s ability to initiate requests and receive medical alerts and notifications
• Ability for the patient to receive and apply security updates and patches for applications
• Ability for the monitoring data to be analyzed by the HDO to spot trends and to issue possible alerts to the clinician if the data suggests that there is an issue with the patient
• Ability for the patient monitoring data to be shared remotely with the electronic health record system
• Ability for the HDO to update the security functionality of the remote monitoring device

For this project, two separate environments will be constructed: the HDO environment and the patient home setting. Figure 1 below shows the high-level architecture for RPM that uses a third-party telehealth platform provider. However, the risks and concerns specific to the third-party provider are out of scope for this project. In addition, this project will not evaluate monitoring devices but will instead focus on the medical diagnostic aspects of remote patient monitoring.

Image courtesy of NCCoE and NIST

Leveraging the NIST Cybersecurity Framework

NCCoE’s research project will be guided by the NIST Cybersecurity Framework, which for the last five years has been the most widely used set of standards, guidelines and best practices for managing cybersecurity-related risk.

The key components of the Framework methodology are:

Identify – Pinpoint activities foundational to developing an organizational understanding to manage risk

Protect – Guard the activities that support the ability to develop and implement appropriate safeguards based on risk

Detect – Enable the timely discovery of a cybersecurity event

Respond – The ability to develop and implement activities to contain the impact of a detected cybersecurity event

Recover – The ability to develop and implement activities that support the timely recovery of normal operations after a cybersecurity incident

Get a Head Start on RPM Cybersecurity
This is a great time for CISOs of healthcare organizations to prepare for the cybersecurity recommendations of the NCCoE RPM project now underway. The first – and most important step – is to find a company that has extensive experience with the NIST Cybersecurity Framework version 1.1. This partner can conduct a risk analysis to ensure that the healthcare organization has solutions in place that are fully aligned with the NIST standards for remote patient monitoring that will soon be finalized.

About The Author
George W. Jackson, Jr. is a Senior Principal Consultant at Clearwater Compliance. He holds a Ph.D. in Cybersecurity from Capella University. He can be reached at [email protected] or on the company website: www.ClearwaterCompliance.com