To address the cybersecurity risks posed by remote patient monitoring (RPM) and other telehealth tools, NIST is asking tech vendors to provide comments and help create a reference architecture.
NIST's National Cybersecurity Center of Excellence (NCCoE) released a request for comment on Friday asking for industry feedback on ways to support and secure telehealth remote patient monitoring within the healthcare sector.
The planned project is just the latest NIST effort designed to address the risks posed by telehealth technologies. In November 2018, NIST asked for industry feedback on challenges health delivery organizations face when securing RPM and other telehealth platforms.
Its efforts have received support from industry groups like the American Medical Informatics Association.
NIST’s current project solicits responses from all relevant sources of security capabilities, which would enter into a Cooperative Research and Development Agreement to provide both the products and the technical expertise to secure telehealth RPM platforms.
Patient monitoring systems have typically been deployed within the controlled environment of healthcare facilities. But RPM poses new security challenges, because the technology is deployed in the patient’s home and relies on capabilities such as videoconferencing through third-party platforms, or the cloud, to treat numerous conditions.
To NIST, securing RPM and telehealth infrastructure is paramount as these capabilities increase, both to ensure patient safety and to maintain the confidentiality, integrity, and availability of patient data.
NIST plans to leverage insight from technology vendors to develop an example solution to secure these platforms, while creating a reference architecture to address the privacy and security risks for healthcare delivery organizations that use telehealth services, such as RPM.
Project researchers will perform a risk assessment on a representative RPM ecosystem in a laboratory environment and apply the NIST Cybersecurity Framework and guidance for medical device standards, in partnership with industry and public partners.
NIST will also create a reference design and outline the necessary steps to implement a secure RPM platform based on best practices and industry standards. The comments and research will help draft an implementation and NIST practice guide that addresses challenges to securing RPM.
Interested vendors will need to specify the security component or capability they are offering for the program, such as internet-based communications, videoconference, secure text messaging, and patient monitoring devices that send telemetry data through a home monitoring device, among a host of others.
Vendors will also need to outline how their products address one or more challenges with identifying risk, protecting devices or data, detecting threats, responding to cybersecurity events, or recovering from a detected cybersecurity event.
All participants will need to commit to “access for all participants’ project teams to component interfaces and the organization’s experts necessary to make functional connections among security platform components,” and to support the development and demonstrations outlined in the project description.
The RFI is the first step in the planned collaboration between NCCoE and technology companies designed to address the cybersecurity challenges and risks identified in the healthcare sector. Officials said the collaborative activities will begin once NCCoE has received enough letters of interest to address necessary issues.
Interested groups can submit letters of interest and comments to NIST through September 30. When the use case is completed, NIST will post notice and will no longer accept letters of interest.
Date: September 04, 2019