As the COVID-19 pandemic has continued to push patients away from in-person care, many health systems have ramped up their remote patient monitoring ecosystems.
But with that increase in endpoints comes an increase in security risks.
“From a security perspective, we always model a personal home network as a hostile network,” said Stephanie Domas, executive vice president of the MedSec cybersecurity service. “I have to build it that way because I have no control over that network.”
Teaching an organization’s staff members not to click on suspicious links doesn’t help, she said, when a medical device is connecting to an individual’s network outside the system.
“Are you going to make your patient take phishing training?” Domas said with a laugh.
MedSec was one of several companies to contribute to a 300-page guide from the National Cybersecurity Center of Excellence and the National Institute for Standards and Technology about securing remote patient monitoring ecosystems.
The report – released this past week in a draft format for comment – demonstrates how healthcare delivery organizations can best implement cybersecurity and privacy controls around telehealth care, particularly RPM.
“RPM is convenient, cost-effective, and growing, but it comes with security and privacy risks,” read the report. “Without privacy or cybersecurity controls in place within the RPM ecosystem, patient data and the ability to communicate with the care providers may be compromised.”
Domas notes that one misconception she often encounters is the idea that patient monitoring devices are below hackers’ notice. After all, she says people think, what good would having access to a foot-temperature monitor – used for patients with diabetes – do for someone trying to leverage that information for money?
There’s an assumption that “malice is needed for an issue to occur,” said Domas.
“A lot of threat modeling revolves around deliberate misuse,” she continued. “It’s rare that I see incorporation of accidental cybersecurity. On the defensive side, I think there’s that feeling of, ‘no one’s gonna target my patient thermometers.'”
That doesn’t mean protecting medical devices from security breaches isn’t important. Dismissing the potential for risk “gets in the way of cybersecurity efforts” and “bleeds into the cybersecurity strategy for protecting that device,” she said.
Rather than thinking of an attack like a sophisticated narrow target, she says, it’s frequently a “crime of opportunity, spraying everywhere.”
Domas said she suspects that irregularly performing devices may sometimes be a result of malware or other security issues, but that “the forensic analysis doesn’t happen to that level of detail.”
Because telehealth platform providers are often the middle ground, so to speak, between RPM ecosystems and the health organization, it is important for them to assure security between the patient and health provider – and for health systems to determine their privacy and security control adequacy.
“Telehealth platform providers apply risk management approaches that are appropriate for their business model,” read the NCCoE guide. “While telehealth platform providers may manage risk by using different tools and techniques from the [healthcare delivery organization], these providers should address the risk concerns for the HDO.”
For the report, the NCCoE built a distributed RPM solution that implemented controls safeguarding the health organization’s environment.
“HDOs may find that deploying privacy and security tools to the patient home involve challenges and therefore, an HDO may collaborate with the telehealth platform provider to provide adequate education and awareness training to patients,” according to the report.
“Training may address appropriate use of the equipment that is sent to the patient home and awareness that patient data are involved and that the patient needs to assure that data are shared only with authorized individuals.”
Domas noted – as did the report – that every organization is different. However, there are a number of consistent practices that can be put into use across many systems.
“Every hospital or telemedicine provider has a slightly unique threat profile,” said Domas. “What I like about the guidance document is yes, there [are] some unique things, but there’s a tremendous amount of overlap.”
Another factor Domas emphasized was the idea that medical devices are not traditional endpoints.
When a laptop is compromised, for example, a typical protocol would be to take it offline and lock it down. But the same practice might not be feasible for a malfunctioning medical device.
What seems to work well, she said, is having a separate workflow for medical devices, with medical-device cybersecurity having its own governance structure within a hospital.
“You need a working group that has representatives from IT security teams and representatives from clinical engineering teams,” she said. “You have to have that mix to build processes and oversee them.”
“You will find that hospitals will buy a device that represents an uncomfortably high risk to their network” because of the patient advantage, she said, “but you have to have those processes and have those stakeholders present to be able to make that decision.”