NIST Issues Draft Paper on Telehealth and Remote Monitoring Device Cybersecurity

The National Institute of Standards and Technology’s National Cybersecurity Center of Excellence (NCCoE) has issued a draft paper covering the privacy and security risks of telehealth and remote monitoring devices, together with best practices for securing the telehealth and remote monitoring ecosystem.

Patient monitoring systems have traditionally been deployed within healthcare facilities; however, there has been a surge in the use of remote patient monitoring (RPM) systems in patients’ homes in recent years. Although these systems are simple to secure in a controlled environment such as a hospital, their use in patients’ homes introduces new risks.

Managing those risks and making sure that remote monitoring systems and devices have the same level of security as in-house systems can be a major challenge.

The aim of the paper is to produce a reference architecture that addresses the security and privacy risks and provides practical steps that can be taken to improve the overall security of the remote patient monitoring environment.

The paper addresses cybersecurity issues related to the use of the devices in patients’ homes, the use of home networks, and patient-owned devices, and identifies cybersecurity measures that can be applied by healthcare organizations with RPM and video telehealth capabilities.

“The project team will carry out a risk evaluation on a representative RPM ecosystem in the laboratory setting, apply the NIST Cybersecurity Framework and direction based on medical appliance standards, and cooperate with industry and public partners,” explained NCCoE.

NCCoE has assessed the following functions of the devices:

  • Connectivity of devices and applications installed on patient-owned devices such as smartphones, laptops, tablets, and desktop computers
  • How applications transfer monitoring data to healthcare providers
  • The ability for patients to interact with their point of contact to initiate care
  • The ability for data to be analyzed by healthcare providers to identify trends and issue alerts to clinicians about problems with patients
  • The ability for data to be shared with electronic medical record systems
  • The ability for patients to start videoconference sessions through telehealth devices
  • The ability for application patches and updates to be applied
  • How a healthcare provider can establish a connection with a remote monitoring device to obtain patient telemetry data
  • How a healthcare provider can connect to a remote monitoring device to update the device configuration

The paper does not cover risks specific to third-party telehealth platform providers, nor does it assess device defects and vulnerabilities.

Stakeholders have been invited to comment on the draft paper. Comments will be accepted until December.

The help document can be downloaded from this link.