“Telehealth” refers to a wide range of technologies to connect patients to health care services through videoconferencing, remote monitoring, electronic consultations and wireless communications. Just like you would expect your virtual conversation with your doctor to be private and secure, you would also want to be sure that all your other health information that is transmitted over the internet or cellular networks is also protected.
In October 2018, the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) launched a project focused on the cybersecurity and privacy challenges of monitoring patients’ health remotely via telehealth. When we started the project, telehealth was for the most part available only to patients in rural areas or within a health care setting, but it has since expanded rapidly and become far more accessible.
Who knew then that in 18 months even more patients — under stay-at-home orders and eager to avoid being exposed to the coronavirus — would choose telehealth over traditional doctor visits? In addition to being a safer option during a pandemic by allowing patient and clinician to maintain a safe distance from each other, telehealth allows the patient to remain in the comfort of their home during recovery or monitoring. It also can provide better access to health care for patients, ease access to patient data and allow the clinician to deliver higher-quality care to more patients.
For this project, my team and I are focused on remote patient monitoring (RPM). RPM is a convenient and cost-effective service for patients whose health conditions require regular clinician monitoring, typically in cases where in-person visits are impractical. Clinicians use sensors connected to internet-based technologies to track the patient’s vital signs (e.g., blood pressure, heart rate, weight, glucose levels) while the patient remains at home.
As telehealth grows in popularity, it is critical to evaluate its security and privacy risks. We are working closely with the NIST privacy team to ensure we capture a complete picture of those risks. Once the risks are identified, we implement security controls such as encryption to minimize the security and privacy risks to patients and the other participants.
We augmented our NCCoE team with private industry collaborators representing technology vendors, health care cybersecurity experts and health systems representatives. Our collaborators responded to a call in the Federal Register. Companies with relevant products and expertise were invited to participate in a consortium to build an example solution that improves security and privacy for the wide range of devices and systems used to facilitate communication between the patient and the health care provider.
With our team finalized in early March, we were off to a great start.
That was short-lived, however, as everything soon changed due to the COVID-19 pandemic. We no longer had physical access to our lab, and gone were the days when we could jointly huddle over a laptop to collaboratively troubleshoot issues. Also gone were the impromptu discussions over coffee. Instead, we could only have online meetings. Accepting our new situation, we quickly pivoted to using a variety of collaboration tools to work with our industry team members to remotely install, configure and integrate their technologies to build an example solution. We are currently finalizing it and will test it to ensure it addresses the cybersecurity and privacy challenges.
Fortunately, this new reality hasn’t really slowed down our team’s work.
In assessing the RPM ecosystem, we identified three primary domains: the health delivery organization (HDO), the telehealth provider, and the patient home. Because each domain is managed and used by different people or organizations with different skill levels, the risks of accidental security misconfigurations and other threats may manifest differently in each. The patient, however, is the primary actor in the RPM scenario, since they are the ones connecting themselves to the various monitoring devices and using the systems that communicate with care providers.