“Telehealth” refers to a wide range of technologies to connect patients to health care services through videoconferencing, remote monitoring, electronic consultations and wireless communications. Just like you would expect your virtual conversation with your doctor to be private and secure, you would also want to be sure that all your other health information that is transmitted over the internet or cellular networks is also protected.
In October 2018, the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) launched a project focusing on the cybersecurity and privacy challenges surrounding monitoring the health of patients remotely via telehealth. When we started the project, telehealth was for the most part only available to patients in rural areas or in a health care setting, but has since exploded to become more accessible.
Who knew then that in 18 months even more patients — under stay-at-home orders and eager to avoid being exposed to the coronavirus — would choose telehealth over traditional doctor visits? In addition to being a safer option during a pandemic by allowing patient and clinician to maintain a safe distance from each other, telehealth allows the patient to remain in the comfort of their home during recovery or monitoring. It also can provide better access to health care for patients, ease access to patient data and allow the clinician to deliver higher-quality care to more patients.
For this project, my team and I are focused on remote patient monitoring (RPM). RPM is a convenient and cost-effective service for patients who have health conditions that require regular clinician monitoring, and typically where in-person visitation is impractical. Clinicians use sensors connected to internet-based technologies to track the patient’s vital signs (e.g., blood pressure, heart rate, weight, glucose levels, etc.) while the patient remains in their home.
As the growth and popularity of telehealth increases, it is critical to evaluate the security and privacy risks. We are working closely with the NIST privacy team to ensure we capture a complete picture of the risks. Once identified, we implement security controls such as encryption to minimize the security and privacy risks to the patients and other participants.
We augmented our NCCoE team with private industry collaborators representing technology vendors, health care cybersecurity experts and health systems representatives. Our collaborators responded to a call in the Federal Register. Companies with relevant products and expertise were invited to participate in a consortium to build an example solution that improves the security and privacy for the wide range of devices and systems used to facilitate communication between the patient and the health care provider.
With our team finalized in early March, we were off to a great start.
That was short-lived, however, as everything soon changed due to the COVID-19 pandemic. We no longer had physical access to our lab, and gone were the days when we could jointly huddle over a laptop to collaboratively troubleshoot issues. Also gone were the impromptu discussions over coffee. Instead, we could only have online meetings. Accepting our new situation, we quickly pivoted to using a variety of collaboration tools to work with our industry team members to remotely install, configure and integrate their technologies to build an example solution. We are currently finalizing it and will test it to ensure it addresses the cybersecurity and privacy challenges.
Fortunately, this new reality hasn’t really slowed down our team’s work.
In assessing the RPM ecosystem, we identified three primary domains: the health delivery organization (HDO), the telehealth provider, and the patient home. Because each domain is managed and used by different people or organizations with different skill levels, the risks of accidental security misconfigurations and other threats may manifest differently. The patient, however, is the primary actor in the RPM scenario as they are the ones hooking themselves up to the various monitoring devices and using the systems that communicate with care providers.
The patient’s home domain includes the diagnostic monitoring devices, the home network and patient-owned devices such as smartphones, tablets, laptops and home computers. In our scenario, the RPM equipment is set up in the patient’s home and is paired with an accompanying software application downloaded on an HDO/telehealth provider-managed device. Patients may also be able to use the application to communicate with their health care provider via videoconferencing, email, text messaging, instant messaging or voice. Data may be transmitted across the patient’s home network and out onto the internet or through the cellular network. Those transmissions are relayed to a telehealth platform provider that in turn routes the communications to the HDO.
We are documenting our work in a NIST Practice Guide, which we’ll publish in mid-November. It will be open for public comment for 30 days. The document will include a practical solution for securing the telehealth RPM ecosystem using the technologies provided by our collaborators. While it’s important to note that we are not analyzing the vendors’ products for vulnerabilities, the publication will provide a risk assessment on a representative RPM ecosystem in a laboratory environment, apply the NIST Cybersecurity Framework and guidance based on medical device standards including the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, and give a detailed description of the practical steps needed to implement a secure solution based on standards and best practices. The document will also include a NIST Cybersecurity Framework mapping table, which maps the security characteristics of the collaborators’ products to the NIST Cybersecurity Framework to make it easier for users to apply to their environment.
When we started this project, telehealth was growing but had yet to achieve mainstream adoption. Now, amid a global pandemic and a rapid shift to telehealth use, this project has taken on more importance. One legacy of this pandemic will likely be the continued and increasing use of telehealth. The practical guidance from this NCCoE project will ensure that patients and HDOs will be better protected from cybersecurity and privacy risks going forward.
Comments and questions about this project can be sent to hit_nccoe [at] nist.gov.
Like many things, this looks good on paper. However, let's talk about nationwide use and who will foot the bill for everything needed when a person lives near or below the poverty level and/or those who do not use a computer, cell phone, or other "patient owned" devices. It's important to think about the entire population when devizing a new way of doing healthcare. A couple more questions arise, also.
Certain diagnoses cannot be determined without hands on palpating, listening, sense of smell, and good visual inspection. Am I correct to assume that these suspected illnesses will need to see a doctor
in person and this will shorten the length of time they wait to see their doctor?
Will the cost of "Doctor visit" be reduced through telehealth reduce the "appointment" charge when the cost of cleaning the room after seeing, and using office supplies, is zero for each telehealth appt.?
Telehealth is okay for a minor needs, but when there is pain, or physical manifestations of symptoms it will be too easy to make an incorrect diagnosis. For example, abdonimal pain . . . you cannot listen to bowel sounds, palpate the abdomen for the first indication of a hernia, edema, temperature, or perform a particular test for Rosving sign to test for Appendicitis. Is the mild chest pain angina, costochondritis (chest wall pain), mild heart attack, or a growth in the lung, or blood vessle problem?
This may be a good idea overall for non-urgent visits IF this will also lower the cost to patients and NOT used to just increase the profit margin of Insurance Corporations.
As DLKirkwood has stated this won't supplant physical visits to the doctor.
What it can do is take advantage of at home monitoring devices such as BPM, HRM etc. to achieve better patient outcomes.
We need to make sure that these are secure and reliable.
I'm attending counseling via zoom with Telehealth.
This discussion is perfectly on target. My only additions are:
Both patient & physician must be satisfied by the interaction, & if not, in-person visit scheduled.
Also underscoring concern for digitally illiteracy & poverty.
I believe this blog is right on target. As mentioned, patients as well as healthcare providers need to ensure that health information that is transmitted over the internet or cellular networks is protected. That said, my organization is currently developing a small compact, portable security product that is aimed at protecting an endpoint device such as a heart monitor, glucose meter, blood pressure device, etc. This device uses the power of Artificial Intelligence to identify, locate, authenticate, notify and protect user endpoint devices wherever the user may be, anywhere in the world.
The challenge will be educating the public and health officials of the capabilities of a product of this sort and gaining adoption.
Im reading up on new technology and virtual Dr visits. My concern is my ability to get out on the net is so limited it needs a booster shot. At 78 Im looking forward to home virtual visits if needed. My computer takes a long time to download photos etc. I hope this will change in the rural areas soon.
Help in WISCONSIN