January 26, 2022

Volume XII, Number 26


Remote Patient Monitoring Platforms Get New Cybersecurity and Privacy Guidelines

New guidance is available for remote patient monitoring (RPM) companies on cybersecurity and privacy compliance. The National Cybersecurity Center of Excellence (NCCoE), part of the National Institute of Standards and Technology (NIST), has released Securing Telehealth Remote Patient Monitoring Ecosystem. The practice guide offers healthcare organizations and RPM software developers an example architecture to implement cybersecurity and privacy controls and solutions to challenges faced in securing the RPM ecosystem. The guidance is currently in draft and NIST is accepting public comments through December 18, 2020.

RPM services continue to grow in popularity due to their convenience, cost-effective options for patients and providers, and the continued expansion of RPM reimbursement by health plans, Medicare, and Medicaid. Historically, most RPM solutions were implemented in controlled and cyber-risk-averse environments, such as hospitals or medical facilities. But with advances in cloud services, networking and wireless technologies, and biometric device capabilities, RPM solutions provide new ways for clinical teams to reach patients directly in their homes, sometimes in direct-to-consumer (DTC), virtual-only service models. Even if the RPM company is not subject to HIPAA, these new healthtech service models raise different cybersecurity and privacy risks. Responsible RPM software developers and tech-enabled service providers need to understand and account for cybersecurity when deploying their RPM offerings.

How Cybersecurity and Privacy Matter in RPM Services and Software

Implementing an RPM solution typically involves multiple parties, locations, and the deployment of biometric devices, all of which increase the cybersecurity and privacy risk exposure of both the provider and the patient. NCCoE built a testing environment that simulated an RPM solution provided by a clinical team to patients in the home. The simulated RPM solution was offered by a telehealth platform provider that incorporates cloud services and audio-video conferencing capabilities between the patient and the clinical team, implemented using commercially available cybersecurity technologies. The patients received RPM devices that automatically captured and transmitted biometric physiologic data, along with communications between the patient and the remote clinical team. NCCoE then performed a risk assessment based on NIST SP 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations, which constituted the basis for the draft guidelines.

Key Elements of the New Guidelines

The NCCoE guide offers a documented approach for RPM entrepreneurs and software developers to implement cybersecurity and privacy controls and policies. It maps sector-specific standards and best practices, such as the HIPAA Security Rule, that companies should address, including for example:

  • Identifying and implementing controls and policies that assist in the development of organizational awareness of risk.
  • Implementing appropriate safeguards to provide end-to-end data security between patients and organizations.
  • Detecting anomalies and security events through appropriate security controls (e.g., a security information and event management (SIEM) tool) and performing continuous security monitoring.
  • Responding to and mitigating security events and vulnerabilities to contain the impact of cybersecurity incidents.
  • Recovering and resuming normal operations after a cybersecurity incident.

Ultimately, the NCCoE guidance provides a roadmap and best practices for RPM companies and providers to follow for cybersecurity and privacy measures. As with all technology solutions, an end-to-end risk assessment should be performed that takes into account the specific characteristics, settings, and variations an organization or operation presents. We will continue to monitor for any rule changes or guidance on cybersecurity and privacy issues in the telemedicine and digital health industry.

© 2022 Foley & Lardner LLP
National Law Review, Volume X, Number 344

About this Author

Aaron T. Maguregui, Health Care Attorney, Foley & Lardner, Tampa, FL
Special Counsel

Aaron Maguregui is a health care lawyer and member of the firm’s Privacy, Security & Information Management Practice, and national Telemedicine & Digital Health Industry Team. He advises innovative health care and technology companies to solve complex compliance, cybersecurity, data governance, data privacy, and risk management matters. Working with leading health care insurers, government-sponsored managed care organizations, health care providers, and technology companies, he delivers pragmatic legal advice and action-oriented solutions guidance to help clients reach their goals...

813-225-4129
Nathaniel Lacktman, Health Care Attorney, Foley and Lardner Law Firm
Partner

Nathaniel (Nate) Lacktman is a partner and health care lawyer with Foley & Lardner LLP, and a Certified Compliance & Ethics Professional (CCEP). His practice focuses on health care compliance, counseling, enforcement and litigation, as well as telemedicine and telehealth. Mr. Lacktman is a member of the firm’s Health Care Industry Team, which was named “Law Firm of the Year — Health Care Law” for three of the past four years on the U.S. News – Best Lawyers® “Best Law Firms” list.

813-225-4127