Remote Patient Monitoring Platforms Get New Cybersecurity and Privacy Guidelines

Foley & Lardner LLP

New guidance is available for remote patient monitoring (RPM) companies on cybersecurity and privacy compliance. The National Cybersecurity Center of Excellence (NCCoE), part of the National Institute of Standards and Technology (NIST), has released Securing Telehealth Remote Patient Monitoring Ecosystem. The practice guide offers healthcare organizations and RPM software developers an example architecture for implementing cybersecurity and privacy controls, along with solutions to the challenges of securing the RPM ecosystem. The guidance is currently in draft, and NIST is accepting public comments through December 18, 2020.

RPM services continue to grow in popularity because of their convenience, their cost-effective options for patients and providers, and the continued expansion of RPM reimbursement by health plans, Medicare, and Medicaid. Historically, most RPM solutions were implemented in controlled, cyber-risk-averse environments such as hospitals or medical facilities. But with advances in cloud services, networking and wireless technologies, and biometric device capabilities, RPM solutions give clinical teams new ways to reach patients directly in their homes, sometimes in direct-to-consumer (DTC), virtual-only service models. Even if the RPM company is not subject to HIPAA, these new healthtech service models raise different cybersecurity and privacy risks. Responsible RPM software developers and tech-enabled service providers need to understand and account for cybersecurity when deploying their RPM offerings.

How Cybersecurity and Privacy Matter in RPM Services and Software

Implementing an RPM solution typically involves multiple parties, multiple locations, and the deployment of biometric devices, all of which increase the cybersecurity and privacy risk exposure of the provider and the patient. NCCoE built a testing environment that simulated an RPM solution delivered by a clinical team to patients in the home. The simulated RPM solution was offered by a telehealth platform provider that incorporates cloud services and audio-video conferencing between the patient and the clinical team, implemented with commercially available cybersecurity technologies. Patients received RPM devices that automatically collected and transmitted biometric physiologic data and carried communications between the patient and the remote clinical team. NCCoE then performed a risk assessment based on NIST SP 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations, which formed the basis for the draft guidelines.

Key Elements of the New Guidelines

The NCCoE guide offers a documented approach for RPM entrepreneurs and software developers to implement cybersecurity and privacy controls and policies. It maps to sector-specific standards and best practices, such as the HIPAA Security Rule, that companies should address, including, for example:

  • Identifying and implementing controls and policies that help build organizational awareness of risk.
  • Implementing appropriate safeguards to provide end-to-end data security between patients and organizations.
  • Detecting anomalies and security events through appropriate security controls (e.g., a security information and event management (SIEM) tool) and performing continuous security monitoring.
  • Responding to and mitigating security events and vulnerabilities to contain the impact of cybersecurity incidents.
  • Recovering and resuming normal operations after a cybersecurity incident.

Ultimately, the NCCoE guidance provides a roadmap and best practices for RPM companies and providers to follow when putting cybersecurity and privacy measures in place. As with all technology solutions, an end-to-end risk assessment should be performed that takes into account the specific characteristics, settings, and variations of the organization or operation. We will continue to monitor for rule changes or guidance on cybersecurity and privacy issues in the telemedicine and digital health industry.
