New guidance is available for remote patient monitoring (RPM) companies on cybersecurity and privacy compliance. The National Cybersecurity Center of Excellence (NCCoE), part of the National Institute of Standards and Technology (NIST), has released Securing Telehealth Remote Patient Monitoring Ecosystem. The practice guide offers healthcare organizations and RPM software developers an example architecture to implement cybersecurity and privacy controls and solutions to challenges faced in securing the RPM ecosystem. The guidance is currently in draft and NIST is accepting public comments through December 18, 2020.
RPM services continue to grow in popularity due to their convenience, cost-effective options for patients and providers, and continued expansion of RPM reimbursement by health plans, Medicare, and Medicaid. Historically, most RPM solutions were implemented in controlled and cyber-risk-averse environments, such as hospitals or medical facilities. But with the advances in cloud services, networking and wireless technologies, and biometric device capabilities, RPM solutions provide new ways for clinical teams to directly reach patients in their homes, sometimes in direct-to-consumer (DTC) virtual-only service models. Even if the RPM company is not subject to HIPAA, these new healthtech service models raise different cybersecurity and privacy risks. Responsible RPM software developers and tech-enabled service providers need to understand and account for cybersecurity when deploying their RPM offerings.
How Cybersecurity and Privacy Matter in RPM Services and Software
Implementing an RPM solution typically involves multiple parties, locations, and the deployment of biometric devices, all of which increase the cybersecurity and privacy risk exposure of the provider and the patient. NCCoE built a testing environment that simulated an RPM solution provided by a clinical team to patients in the home. The simulated RPM solution was offered by a telehealth platform provider that incorporates cloud services and audio-video conferencing capabilities between the patient and clinical team, implemented using commercially available cybersecurity technologies. The patients received RPM devices that automatically accessed and transmitted biometric physiologic data and communications between the patient and the remote clinical team. NCCoE then performed a risk assessment based on NIST SP 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations, which constituted the basis for the draft guidelines.
Key Elements of the New Guidelines
The NCCoE guide offers a documented approach for RPM entrepreneurs and software developers to implement cybersecurity and privacy controls and policies. It maps sector-specific standards and best practices, such as the HIPAA Security Rule, that companies should address, including, for example:
- Identifying and implementing controls and policies which assist in the development of organizational awareness of risk.
- Implementing appropriate safeguards to provide for end-to-end data security between patients and organizations.
- Detecting anomalies and security events through appropriate security controls (e.g., a security information and event management (SIEM) tool) and performing continuous security monitoring.
- Responding to and mitigating security events and vulnerabilities to contain the impact of cybersecurity incidents.
- Recovering and resuming normal operations after a cybersecurity incident.
Ultimately, the NCCoE guidance provides a roadmap and best practices for RPM companies and providers to follow for cybersecurity and privacy measures. As with all technology solutions, an end-to-end risk assessment should be performed that takes into account the specific characteristics, settings, and variations an organization or operation presents. We will continue to monitor for any rule changes or guidance on cybersecurity and privacy issues in the telemedicine and digital health industry.