Feds release final guidance on telehealth, RPM security

The National Institute of Standards and Technology’s National Cybersecurity Center of Excellence published its final guidance this week on securing telehealth and remote patient monitoring ecosystems.  

The guide is intended, according to NCCoE, to help identify risks associated with RPM architecture and ensure healthcare organizations are partnering with appropriate telehealth platform providers.  

“While [healthcare delivery organizations] do not have the ability to manage and deploy privacy and cybersecurity controls unilaterally, they retain the responsibility to ensure that appropriate controls and risk mitigation are applied,” wrote researchers.  


In order to develop the guidance and demonstrate how organizations can enhance resiliency, NCCoE collaborated with industry partners to build a laboratory environment – specifically, one where a patient is being monitored by an in-home device capturing biometric data.

Those partners included Accuhealth, Cisco, Inova, LogRhythm, MedCrypt, MedSec, Onclave Networks, Tenable. University of Mississippi Medical Center and Vivify Health.  

“While the NCCoE used a suite of commercial products to address this challenge, this guide does not endorse these particular products, nor does it guarantee compliance with any regulatory initiatives,” noted the experts.  

“Your organization’s information security experts should identify the products that will best integrate with your existing tools and Information Technology system infrastructure,” they continued.

The practice guide operated under the assumption that the delivery organization is using a separate telehealth platform provider that manages a distinct infrastructure, applications and a set of services.   

Using the NIST Risk Management Framework, the NIST Cybersecurity Framework, the NIST Privacy Framework and other relevant standards, the NCCoE analyzed risk factors in an RPM ecosystem and identified measures to safeguard it.  

It outlined several potential vulnerabilities, including fraudulent uses of health-related information, interruption or inaccuracy of patient diagnoses, disrupted processes and system disruption.  

“As organizations consider measures to disrupt threats and adverse actions made against the ecosystem, an opportunity exists where organizations examine threats to identify controls that mitigate adverse actions identified by threat modeling,” read the report.  

The guidance authors noted that, although they used cellular data-based biometric devices and addressed those using broadband communications, a future build may also implement an electronic health record system that would receive automated data from the telehealth platform provider.    

“The future build may include direct messaging from the RPM systems to the EHR,” they wrote.  


NIST has been offering tips around cybersecurity and telehealth deployments for years.

NIST IT Security Specialist Nakia Grayson, who co-authored the guidance, told Healthcare IT News Executive Editor Mike Miliard in April 2021 that the agency began the work in response to  an uptick in patient and provider interest in virtual care, particularly amidst the COVID-19 pandemic.  

“Without adequate privacy and cybersecurity measures, unauthorized users may expose a patient’s sensitive data or disrupt the patient monitoring system,” Grayson said in a HIMSSTV interview.    


“Technology solutions alone may not be sufficient to maintain privacy and security controls on external environments,” wrote NCCoE experts.  

“This practice guide notes the application of people, process and technology as necessary to implement a holistic risk mitigation strategy,” they continued.  

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: [email protected]
Healthcare IT News is a HIMSS Media publication.


Previous post Plug-and-Play Platform Technologies Enhance the Manufacturing Workflow
Next post John Deere opens Austin office focused on agriculture technology