Patient monitoring systems have traditionally been used in hospitals and other controlled environments. Remote Patient Monitoring (RPM) is distinct in that the monitoring equipment is placed in the patient's home. The supporting capabilities can include telemedicine and videoconferencing from third-party platform providers, as well as cloud-based platforms paired with patient monitoring devices. As the use of these capabilities expands, it is critical that the infrastructure supporting them protects the confidentiality, integrity, and availability of patient data.
Why is a Remote Patient Monitoring Cybersecurity Framework vital?
Criminals searching the internet for their next victim may turn their attention to the RPM ecosystem if proper precautions are not taken. Security breaches are a concern for both healthcare professionals and patients. Even where established protocols and procedures protect the healthcare facility's servers, the path to the patient's home (the home network, consumer devices, and third-party platforms in between) may be far less controlled. Attackers look for the weakest point in RPM's overall defenses and exploit it to reach medical health data. When deploying RPM, it is critical to introduce new controls and appropriate safeguards to keep medical information secure, because RPM extends the attack surface beyond the facility and can open new doors for cybercriminals seeking patient or provider information.
Telehealth makes healthcare more personal as it develops, making it more accessible to a wider range of people. For those who live in remote or rural areas, this has proven to be critical. A patient with a life-threatening illness may not be able to travel to see their doctor. They can talk to someone right away thanks to RPM and telehealth. This also allows doctors and providers to receive and access data in real time, allowing them to directly address concerns. This can result in faster prescriptions, saving both parties time and money on a visit to the doctor’s office or waiting for an appointment.
Artificial Intelligence is already changing how a provider interacts with patients. As more automated processes are introduced into RPM services, data collection and even data processing are increasingly carried out without direct human involvement, which makes the integrity of the collected data and of the automated pipeline a security concern in its own right.
Knowing what to expect is an important part of keeping systems and patient data secure. Every type of data collection has its own security concerns, and new technology introduces new ones; wearable patient monitoring is one example. Any data collected from a patient or caregiver to assist healthcare providers in addressing health concerns is referred to as patient-generated health data (PGHD). RPM collects data from mobile medical devices and transmits it to servers, allowing healthcare providers to monitor patients continuously and in real time. This type of monitoring is most common for chronically ill or high-risk patients, such as the elderly. RPM gives providers immediate access to a patient's medical data so they can address health concerns right away. Glucose meters, heart rate and blood pressure monitors, remote surveillance monitors, and at-home drug abuse tests are just a few examples.
NCCoE and NIST Cybersecurity Best Practices for Remote Patient Monitoring
The National Cybersecurity Center of Excellence (NCCoE) has launched the "Securing Telehealth RPM Ecosystem" project. As part of this project, the NCCoE applied the NIST Cybersecurity Framework to risk management in a lab environment, examining how clinics and other healthcare providers use RPM with patients who have chronic illnesses or who require post-operative monitoring.
NIST encourages all organizations, including for-profit businesses, non-profit organizations, and government agencies, to review and consider using the Framework to understand and manage their cybersecurity risk. It provides a common language that organizations can use to communicate cybersecurity risks and expectations to suppliers and customers alike. Because the Framework is risk-based, organizations can use it to determine the appropriate level of cybersecurity for their specific risk environment, requirements, and business goals. The Cybersecurity Framework integrates with the many standards and practices already in place, allowing users to build on what works now and on what will emerge in the future.
In telehealth, the use of third-party platforms with video conferencing capabilities, cloud services, and RPM devices will continue to grow. For the security of both patients and providers, any infrastructure supporting them must maintain the integrity, confidentiality, and privacy of all patient data, and ultimately protect the patients involved.
The new generation of RPM reaches into the patient's home, the telehealth platform, and the healthcare delivery organization. Mapping this deployment gives a clear view of how data flows between these environments and of the points along the way where a security flaw could exist, which in turn allows safeguards to be put in place so that a patient's privacy is protected while receiving care at home. While a healthcare facility provides a controlled environment, deploying RPM into a patient's home introduces security risks if cybersecurity is not addressed. The NIST Cybersecurity Framework has become an important part of a healthcare system's safety net, providing the structure for securing telehealth and RPM services and devices.
The 5 Functions DrKumo Remote Patient Monitoring implements in their Strong Cybersecurity Framework
DrKumo, a leader in next-generation real-time Remote Patient Monitoring, follows the guidance published by NIST and the NCCoE to preserve the privacy of medical health data. DrKumo ensures that all of the data required for telehealth and RPM services is accessed remotely only over secure channels. The following are the cybersecurity measures DrKumo follows, organized by the five functions[1] of the NIST Cybersecurity Framework:
Identify
According to NIST, the Identify Function develops an organizational understanding of cybersecurity risk to systems, people, assets, data, and capabilities. By understanding the business context, the resources that support critical functions, and the related cybersecurity risks, an organization can focus and prioritize its efforts in line with its risk management strategy and business needs.
To build a holistic cybersecurity program, DrKumo identifies the following:
- physical and software assets;
- the organization's role in the supply chain, especially on the infrastructure side;
- the cybersecurity policies established within the company and the legal requirements that apply to its cybersecurity capacity;
- asset vulnerabilities, threats, and risk responses, as part of the company's risk assessment procedures;
- a Supply Chain Risk Management strategy.
Protect
The Protect Function outlines the safeguards that must be in place to ensure the delivery of critical infrastructure services while maintaining privacy. It supports the ability to limit or contain the impact of a potential cybersecurity incident.
DrKumo enforces strict access control within the organization, covering both physical and remote access. It trains staff to understand their roles in data security, with the goal of protecting the confidentiality, integrity, and availability of information. DrKumo also maintains, reviews, and implements information protection processes and procedures, and manages its technology to ensure the security and resilience of its systems.
Detect
NIST defines the Detect Function as the activities needed to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events.
DrKumo maintains procedures to ensure that anomalies are detected and that all staff understand their potential impact on the systems. To keep all assets protected, DrKumo relies on technology experts who run continuous monitoring of security-relevant activity as a primary protective measure.
Respond
The Respond Function consists of the activities to be carried out in response to a detected cybersecurity incident. It supports the ability to contain the impact of a potential cybersecurity incident.
DrKumo maintains a concrete response plan that includes communicating directly with internal and external stakeholders and law enforcement during and after an incident; conducting a thorough analysis to determine the root cause and impact of an incident; and carrying out mitigation activities to prevent the incident from spreading and then to achieve a permanent resolution.
Recover
The Recover Function identifies the activities needed to maintain resilience plans and to restore any capabilities or services impaired by a cybersecurity incident. It supports a timely return to normal operations to reduce the impact of the incident.
DrKumo has developed a plan for recovering from attacks that may occur in the future. It implements a recovery planning process to make sure all systems and assets can be restored safely and securely.
Takeaway
The National Institute of Standards and Technology (NIST) Cybersecurity Framework is a set of standards, guidelines, and best practices for managing cybersecurity risk. Its prioritized, flexible, and cost-effective approach supports the protection and resilience of critical infrastructure and other sectors important to the economy and national security. It is important to choose an RPM partner that follows this guidance, so that healthcare can keep pace with the evolution of technology without compromising the security of patients, providers, and the health system as a whole.
References:
- NIST. (2021, May 12). The Five Functions. Retrieved from https://www.nist.gov/cyberframework/online-learning/five-functions