Remote Patient Monitoring Platforms Get New Cybersecurity and Privacy Guidelines

09 December 2020 Blog
Author(s): Aaron T. Maguregui, Nathaniel M. Lacktman
Published To: Health Care Law Today, Innovative Technology Insights

New guidance is available for remote patient monitoring (RPM) companies on cybersecurity and privacy compliance. The National Cybersecurity Center of Excellence (NCCoE), part of the National Institute of Standards and Technology (NIST), has released a draft practice guide, Securing Telehealth Remote Patient Monitoring Ecosystem (NIST SP 1800-30). The guide gives healthcare organizations and RPM software developers an example architecture, built and tested in the NCCoE lab, for implementing cybersecurity and privacy controls, along with solutions to the challenges of securing the RPM ecosystem. The guidance is currently in draft, and NIST is accepting public comments through December 18, 2020.

RPM services continue to grow in popularity because of their convenience, their cost-effective options for patients and providers, and the continued expansion of RPM reimbursement by health plans, Medicare, and Medicaid. Historically, most RPM solutions were deployed in controlled, risk-averse environments such as hospitals and medical facilities. With advances in cloud services, networking and wireless technologies, and biometric device capabilities, RPM solutions now let clinical teams reach patients directly in their homes, sometimes in direct-to-consumer (DTC), virtual-only service models. The patient's home network, the consumer-grade devices on it, and the cloud services in between are outside the provider's control, so these healthtech service models raise cybersecurity and privacy risks that a facility-based deployment did not, whether or not the RPM company is subject to HIPAA. Responsible RPM software developers and tech-enabled service providers need to understand and account for those risks when deploying their RPM offerings.

Why Cybersecurity and Privacy Matter in RPM Services and Software

Implementing an RPM solution typically involves multiple parties, multiple locations, and the deployment of biometric devices, all of which increase the cybersecurity and privacy risk exposure of both provider and patient. NCCoE built a lab environment that simulated an RPM solution delivered by a clinical team to patients in the home. In the simulation, a telehealth platform provider supplied the RPM solution, incorporating cloud services and audio-video conferencing between the patient and the clinical team, and the environment was secured with commercially available cybersecurity products. Patients received RPM devices that automatically collected biometric physiologic data and transmitted it, along with patient-clinician communications, to the remote clinical team. NCCoE then performed a risk assessment on this environment following NIST SP 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations; that assessment is the basis for the draft guidance.

Key Elements of the New Guidelines

The NCCoE guide offers a documented approach for RPM entrepreneurs and software developers to implement cybersecurity and privacy controls and policies. It maps its controls to sector-specific standards and best practices that companies should address, such as the HIPAA Security Rule, and organizes them around the five functions of the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover), for example:

  • Identifying and implementing controls and policies that build organizational awareness of risk.

  • Protecting patient data with appropriate safeguards that provide end-to-end security as the data moves between the patient's home and the organization.

  • Detecting anomalies and security events through appropriate security controls (for example, a security information and event management (SIEM) tool) and performing continuous security monitoring.

  • Responding to and mitigating security events and vulnerabilities to contain the impact of cybersecurity incidents.

  • Recovering and resuming normal operations after a cybersecurity incident.

Ultimately, the NCCoE guidance provides a roadmap and best practices for RPM companies and providers to follow for cybersecurity and privacy measures. The reference architecture was built from particular commercial products in a lab, so, as with all technology solutions, each organization should perform its own end-to-end risk assessment that accounts for the specific characteristics, settings, and variations of its own deployment. We will continue to monitor for any rule changes or guidance on cybersecurity and privacy issues in the telemedicine and digital health industry.

For more information on telemedicine, telehealth, virtual care, remote patient monitoring, digital health, and other health innovations, including the team, publications, and representative experience, visit Foley's Telemedicine & Digital Health Industry Team.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect, special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites.
In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.