Managing Telehealth, Remote Patient Monitoring Security Concerns
Industry experts weigh in on how the healthcare sector can manage telehealth and remote patient monitoring security concerns.
As adoption increases, healthcare organizations, vendors, and providers will continually be tasked with managing telehealth and remote patient monitoring (RPM) security concerns. Although these technologies existed before, the pandemic prompted the need for safe and secure telehealth and RPM solutions that could be deployed on a larger scale.
But that rapid drive toward telehealth naturally comes with security risks. While they may not outweigh the tremendous benefits that telehealth offers to both patients and providers, security concerns must be considered carefully.
The Importance of Telehealth, RPM in Healthcare Today
There is no single definition for telehealth, according to the Center for Connected Health Policy. For the most part, telehealth refers to a collection of technology-driven methods and applications used to enhance care. Live video, mobile health, and RPM are all subsets of telehealth.
Remote patient monitoring, also known as remote patient management, refers to technologies that collect a wide array of health data, such as vital signs, blood pressure, and heart rate. Glucose monitors and pulse oximeters used by patients at home are examples of RPM devices.
Once collected, the data is wirelessly transmitted to a provider in a different location to facilitate better care, the Food and Drug Administration’s website states.
“COVID has really accelerated the adoption of remote patient management,” Milan Shah, CTO of Biofourmis, said in an interview with HealthITSecurity.
“Rather than admitting the patient into the hospital, you send them home with enough technology so that you can deliver even better care to the patient while they're at home than you might have been able to if the patient was admitted to the hospital.”
As hospital beds became scarce and people were confined to their homes at the beginning of the pandemic, telehealth went from a convenience to an asset for most healthcare organizations, and will likely continue to evolve in the coming years.
Telehealth Security Concerns
“If you're in a hospital, all the technology that is used to monitor you and take care of you is all within the confines of the hospital's firewall. It's a tightly controlled technology IT environment, and all the equipment inside can be very tightly secured,” Shah explained.
“The minute you take some part of that technology and send it home with the patient, suddenly you have to open up holes in your defense system so that the technology from the home can send data to the central systems where the clinicians can actually provide the care.”
Because data is being transmitted back and forth, and network security often cannot be guaranteed, cybercriminals may be able to attack healthcare organizations via the home or hospital environment. The increasing number of access points expands the attack surface and the scope for cyberattacks, and provides an unsuspected entry point for hackers.
A recent survey conducted by Arlington Research and commissioned by Kaspersky found that over 80 percent of surveyed healthcare providers globally harbor concerns about data security and privacy.
More than half of respondents reported experiencing cases where patients refused to participate in telehealth services because they did not trust that the technology would protect their privacy and security.
In addition, 70 percent of respondents said that their practice used outdated legacy operating systems, exposing them to security vulnerabilities. Despite these concerns, respondents largely agreed that telehealth would add the most value to the healthcare sector in the next five years compared to any other technology.
Matthias Wollnik, product marketing manager of security at Jamf, noted that the rapid implementation of telehealth services by many healthcare organizations at the onset of the pandemic also prompted security risks.
“When we all started suddenly having to deal with telehealth as the norm, instead of as the exception, there were a lot of people who were scrambling and trying to figure out how to make it work,” Wollnik suggested in an interview.
“Not everybody had the ability to vet tools to make sure things worked correctly. They used the tools that they could get their hands on.”
Now, telehealth is an essential part of many healthcare organizations. To some extent, tackling these security risks is a shared responsibility between all parties involved in telehealth deployment and use.
Who is Responsible for Telehealth and RPM Security?
Although basic cyber hygiene practices should be adopted by patients and providers alike, security responsibilities largely fall on the vendor, Shah asserted.
“It is not reasonable or fair to burden a sick patient with technology concerns. The responsibility is absolutely not on the patient at all,” Shah insisted.
To some degree, providers are responsible for deploying the solution in a secure manner. But even then, doctors and nurses should be able to focus on caring for sick patients rather than worrying about telehealth security.
“That leaves the vendor of the overall solution,” Shah stated.
“The vendor needs to produce a solution that just works and is completely secure out of the box. Since this is not a general-purpose system, it is possible to create a completely airtight system. You have the luxury of constraining the technology to exactly what it's designed for.”
Shah stressed that vendors have an obligation to put controls in place so that patches and remediations can be rolled out remotely to all devices as soon as possible.
In an ideal situation, patients and providers would not have to worry about healthcare cybersecurity concerns. However, some argue that it is crucial to create a culture of cybersecurity and ensure that every person who has access to a healthcare organization’s network is aware of cyber risks. That includes providers and, to a lesser extent, patients.
Ultimately, vendors hold a great deal of responsibility in terms of patching and remediating devices and services, but each party should have a basic grasp of proper cyber hygiene.
Mitigating Risk and Managing Concerns
“Healthcare organizations should always make sure that the tools they use to communicate are as protected as they can be, even when on an un-trusted device,” Wollnik suggested.
Maintaining endpoint security and BYOD policies across the organization’s network is crucial to overall cybersecurity and telehealth security. Identity management and zero trust tactics can also contribute to a comprehensive cybersecurity program.
In addition to implementing key technical safeguards, Wollnik recommended that healthcare organizations evaluate telehealth vendors carefully and have frequent discussions about data privacy and security.
“When evaluating a vendor, one of the primary questions becomes data handling,” Wollnik continued.
Healthcare organizations should ensure that they know how third-party vendors are interacting with and storing their data. Those conversations will naturally come up as organizations go through the process of creating and signing a business associate agreement (BAA), which requires business associates handling protected health information (PHI) to adhere to HIPAA regulations.
“Vendors need to recognize that yes, the customer is the healthcare provider, but it is patients whose data they're actually holding,” Wollnik emphasized.
“And they are the ultimate beneficiaries and potential victims if anything goes sideways.”
Regular patching by vendors, technical safeguard implementation by healthcare organizations, and proper cyber hygiene by providers can ensure that telehealth and RPM technologies are secure.