NIST, MITRE offer cybersecurity tips for telehealth deployments
Update: HIMSS20 has been canceled due to the coronavirus.
As telehealth and remote patient monitoring gain favor across healthcare, there's a critical component that providers should keep top-of-mind: cybersecurity.
At HIMSS20, Jennifer Cawthra, healthcare sector lead at the National Institute of Standards and Technology, and Sue Wang, principal cybersecurity engineer at The MITRE Corporation, will offer their perspective on cyber risks associated with telehealth remote patient monitoring – and strategies to safeguard against them.
Their talk finds its roots in a project from NIST and the National Cybersecurity Center of Excellence, Securing Telehealth Remote Patient Monitoring Ecosystem.
"Traditionally, patient monitoring systems have been deployed in healthcare facilities, in controlled environments," NIST officials explain. "Remote patient monitoring, however, is different in that monitoring equipment is deployed in the patient’s home."
As the use of third-party platforms with videoconferencing capabilities, alongside cloud and RPM devices, continues to spread, "it is important to ensure the infrastructure supporting them can maintain the confidentiality, integrity, and availability of patient data, as well as ensure the safety of patients."
Cawthra and Wang will describe the end-to-end architecture that comprises the telehealth ecosystem, showing the different points where security vulnerabilities exist. They'll also detail various controls that can be implemented to help safeguard patients’ privacy as they're cared for in the home.
"There's a variety of risks," said Cawthra. "Data integrity and data confidentiality. Ensuring that data is secure both at rest and in transit – and ensuring that only people who are authorized to view or modify that data have the privileges to do so."
"With remote patient monitoring, essentially this is the first time we are looking into the patient's home, the telehealth platform and the healthcare delivery organization – looking at the data flowing from all three environments," said Wang.
The challenge is that, while providers naturally want and need to protect their patient data, she said, telehealth and RPM don't exist in a very managed or controlled environment, and the patient is a "key actor" in a way they aren't in the hospital.
The NIST Cybersecurity Framework is a key starting point for hospitals looking to get their arms around telehealth security, says Wang.
"Our project is a risk-based approach. The main driving force is for us to use the Cybersecurity Framework. A lot of good cybersecurity principles are applicable here. We really emphasize fundamental cyber hygiene. The Cybersecurity Framework is a good foundation, and we link to specific examples related to remote patient monitoring."
HIMSS20 attendees can learn more at Cawthra and Wang's education session on March 12, and also at the HIMSS Federal Health Pavilion (Hall D, Booth 7089), where NIST will present other cybersecurity-focused sessions on March 10 and March 11.
Cawthra and Wang will home in on RPM security in their HIMSS20 session "Cybersecurity Risks of Telehealth Remote Patient Monitoring." It's scheduled for Thursday, March 12, from 11:30 a.m. to 12:30 p.m. in room W230A.