Securing Telehealth Remote Patient Monitoring Ecosystem



Jennifer Cawthra, Nakia R. Grayson, Ronald Pulivarti, Bronwyn J. Hodges, Jason Kuruvilla, Kevin Littlefield, Julie Snyder, Sue Shuqiu Wang, Ryan Williams, Kangmin Zheng


Increasingly, healthcare delivery organizations (HDOs) are relying on telehealth and remote patient monitoring (RPM) capabilities to treat patients at home. RPM is convenient and cost-effective, and its adoption rate has increased. However, without adequate privacy and cybersecurity measures, unauthorized individuals may expose sensitive data or disrupt patient monitoring services. RPM solutions engage multiple actors as participants in patients' clinical care. These actors include HDOs, telehealth platform providers, and the patients themselves. Each participant uses, manages, and maintains different technology components within an interconnected ecosystem, and each is responsible for safeguarding their piece against unique threats and risks associated with RPM technologies. This practice guide assumes that the HDO engages with a telehealth platform provider that is a separate entity from the HDO and patient. The telehealth platform provider manages a distinct infrastructure, applications, and set of services. The telehealth platform provider coordinates with the HDO to provision, configure, and deploy the RPM components to the patient home and assures secure communication between the patient and clinician. The NCCoE analyzed risk factors regarding an RPM ecosystem by using risk assessment based on the NIST Risk Management Framework. The NCCoE also leveraged the NIST Cybersecurity Framework, NIST Privacy Framework, and other relevant standards to identify measures to safeguard the ecosystem. In collaboration with healthcare, technology, and telehealth partners, the NCCoE built an RPM ecosystem in a laboratory environment to explore methods to improve the cybersecurity of an RPM. Technology solutions alone may not be sufficient to maintain privacy and security controls on external environments. This practice guide notes the application of people, process, and technology as necessary to implement a holistic risk mitigation strategy. 
This practice guide's capabilities include helping organizations assure the confidentiality, integrity, and availability of an RPM solution, enhancing patient privacy, and limiting HDO risk when implementing an RPM solution.
Special Publication (NIST SP) - 1800-30


access control, authentication, authorization, behavioral analytics, cloud storage, data privacy, data security, encryption, HDO, healthcare, healthcare delivery organization, remote patient monitoring, RPM, telehealth, zero trust


Cawthra, J., Grayson, N., Pulivarti, R., Hodges, B., Kuruvilla, J., Littlefield, K., Snyder, J., Wang, S., Williams, R. and Zheng, K. (2022), Securing Telehealth Remote Patient Monitoring Ecosystem, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], (Accessed April 23, 2024)
Created February 22, 2022, Updated November 29, 2022