Making Sure Virtual Doctor Visits Are Private and Secure
Jennifer Cawthra, Principal Investigator for Health Care Projects, National Cybersecurity Center of Excellence (NCCoE), National Institute of Standards and Technology (NIST)
“Telehealth” refers to a wide range of technologies to connect patients to health care services through videoconferencing, remote monitoring, electronic consultations and wireless communications. Just like you would expect your virtual conversation with your doctor to be private and secure, you would also want to be sure that all your other health information that is transmitted over the internet or cellular networks is also protected.
In October 2018, the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) launched a project focusing on the cybersecurity and privacy challenges surrounding monitoring the health of patients remotely via telehealth. When we started the project, telehealth was for the most part only available to patients in rural areas or in a health care setting, but has since exploded to become more accessible.
Who knew then that in 18 months even more patients — under stay-at-home orders and eager to avoid being exposed to the coronavirus — would choose telehealth over traditional doctor visits? In addition to being a safer option during a pandemic by allowing patient and clinician to maintain a safe distance from each other, telehealth allows the patient to remain in the comfort of their home during recovery or monitoring. It also can provide better access to health care for patients, ease access to patient data and allow the clinician to deliver higher-quality care to more patients.
For this project, my team and I are focused on remote patient monitoring (RPM). RPM is a convenient and cost-effective service for patients who have health conditions that require regular clinician monitoring, and typically where in-person visitation is impractical. Clinicians use sensors connected to internet-based technologies to track the patient’s vital signs (e.g., blood pressure, heart rate, weight, glucose levels, etc.) while the patient remains in their home.
As the growth and popularity of telehealth increases, it is critical to evaluate the security and privacy risks. We are working closely with the NIST privacy team to ensure we capture a complete picture of the risks. Once identified, we implement security controls such as encryption to minimize the security and privacy risks to the patients and other participants.
We augmented our NCCoE team with private industry collaborators representing technology vendors, health care cybersecurity experts and health systems representatives. Our collaborators responded to a call in the Federal Register. Companies with relevant products and expertise were invited to participate in a consortium to build an example solution that improves the security and privacy for the wide range of devices and systems used to facilitate communication between the patient and the health care provider.
With our team finalized in early March, we were off to a great start.
That was short-lived, however, as everything soon changed due to the COVID-19 pandemic. We no longer had physical access to our lab, and gone were the days when we could jointly huddle over a laptop to collaboratively troubleshoot issues. Also gone were the impromptu discussions over coffee. Instead, we could only have online meetings. Accepting our new situation, we quickly pivoted to using a variety of collaboration tools to work with our industry team members to remotely install, configure and integrate their technologies to build an example solution. We are currently finalizing it and will test it to ensure it addresses the cybersecurity and privacy challenges.
Fortunately, this new reality hasn’t really slowed down our team’s work.
In assessing the RPM ecosystem, we identified three primary domains: the health delivery organization (HDO), the telehealth provider, and the patient home. Because each domain is managed and used by different people or organizations with different skill levels, the risks of accidental security misconfigurations and other threats may manifest differently. The patient, however, is the primary actor in the RPM scenario as they are the ones hooking themselves up to the various monitoring devices and using the systems that communicate with care providers.
The patient’s home domain includes the diagnostic monitoring devices, the home network and patient-owned devices such as smartphones, tablets, laptops and home computers. In our scenario, the RPM equipment is set up in the patient’s home and is paired with an accompanying software application downloaded on an HDO/telehealth provider-managed device. Patients may also be able to use the application to communicate with their health care provider via videoconferencing, email, text messaging, instant messaging or voice. Data may be transmitted across the patient’s home network and out onto the internet or through the cellular network. Those transmissions are relayed to a telehealth platform provider that in turn routes the communications to the HDO.
We are documenting our work in a NIST Practice Guide, which we’ll publish in mid-November. It will be open for public comment for 30 days. The document will include a practical solution for securing the telehealth RPM ecosystem using the technologies provided by our collaborators. While it’s important to note that we are not analyzing the vendors’ products for vulnerabilities, the publication will provide a risk assessment on a representative RPM ecosystem in a laboratory environment, apply the NIST Cybersecurity Framework and guidance based on medical device standards including the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, and give a detailed description of the practical steps needed to implement a secure solution based on standards and best practices. The document will also include a NIST Cybersecurity Framework mapping table, which maps the security characteristics of the collaborators’ products to the NIST Cybersecurity Framework to make it easier for users to apply to their environment.
When we started this project, telehealth was growing but had yet to achieve mainstream adoption. Now, amid a global pandemic and a rapid shift to telehealth use, this project has taken on more importance. One legacy of this pandemic will likely be the continued and increasing use of telehealth. The practical guidance from this NCCoE project will ensure that patients and HDOs will be better protected from cybersecurity and privacy risks going forward.
Comments and questions about this project can be sent to hit_nccoe@nist.gov.
This post originally appeared on Taking Measure, the official blog of the National Institute of Standards and Technology (NIST) on October 21, 2020.
To make sure you never miss our blog posts or other news from NIST, sign up for our email alerts.
About the Author
Jennifer Cawthra is principal investigator for the health care projects at the National Cybersecurity Center of Excellence (NCCoE), part of the National Institute of Standards and Technology (NIST).
