Remote Patient Monitoring is one of the hottest markets in healthcare. The problem with Frontier Technologies is that usually, by the time policies and practices are defined, the technology has already been deployed. This is certainly the case here. There is still time to define best practices and stop the healthcare breach nightmare that is impending. Secure policies involve numerous components, eg., a trained workforce, and an adherence to privacy and security practices.
The components of an E2E architecture for Remote Patient Monitoring (RPM) have been identified here.
In reviewing the applicable governing standards, industry publications and agency protocols that can be applied to “remote patient monitoring”, RPM, it’s important to understand that
medical devices are a subset of both MHealth (mobile health) and EHealth (electronic health or health informatics), where MHealth represents the subset practice of medicine and public
health supported by medical devices, and EHealth represents the larger discipline of healthcare practices supported by electronic processes and communications. Understanding
the hierarchy of these practices allows for a greater ability to identify applicable standards and opportunities for collaboration. Additionally, the scope of RPM, as a subset of telehealth,
is now expanded to the greater discipline of Cybermedicine, defined as the use of the Internet to deliver medical services, such as medical consultations and drug prescriptions. (More extensive descriptions of MHealh, EHealth & Cybermedicine can be found using Wikipedia)
E2E Architecture components for Remote Patient Monitoring
Device: devices may be self-contained or integrated via software applications on patient devices:
- Original equipment from manufacturer (OEM)/healthcare delivery organization (HDO)
- Hardware
- Wearables/Stand-alone Devices
- Patient BYOD
- Software (Telehealth Application)
- Operating system applications
- IOS XX.Xv
- Android X.Xv
- Windows based application
- Apple OS application
- Linux
- Operating system applications
- Software (Telehealth Application)
- Hardware
Environments: environments include all components of the telehealth platform
- HDO environment
- Patient’s environment
Methods of Connectivity: methods identify how the device could monitor and/or transmit data, apply updates and conduct triage/repair et al
- Bluetooth
- Cellular network
- Secured Wi-fi
- Ethernet
- Virtual Private Network (VPN)
Carrier:data is passed along a series of nodes from end to end
- Internet Service Providers
- Mobile Networks
- Non-ISM Radio Communications
- Medical Radio Communications (MedRadio)
- Medical Micropower Networks (MMNs)
- Medical Body Area Netwoks (MBANs)
- Wireless Medical Telemetry Service (WMTS)
Governance, Risk & Compliance: GRC identifies regulatory agencies (via standard, rule of law and collaborative necessity)
- Federal Communications Commission (FCC)
- Health and Human Services (HHS)
- HITECH Act
- HIPAA
- Centers for Medicare & Medicaid Services (CMS)
- HITECH Act
- NIST
- National Vulnerability Database
- Draft NISTIR 8196 Security Analysis of First Responder Mobile and Wearable Devices
- Federal Trade Commission (FTC)
- Food and Drug Administration (FDA)
- MITRE Corporation’s Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook.
- Institute of Electrical and Electronics Engineers (IEEE)
- 11073 medical device standards
- 802 series standards
- Bluetooth Special Interest Group (SIG)
- International Organization for Standardization (ISO) IEC 80001/60601
- State and Federal privacy laws, including breach reporting protocols
- California Telehealth Advancement Act
- Department of Homeland Security (DHS)
- Partner & Complimentary Organizations
- HIMSS
- Private partnership Clearwater and CyberMDX: Blueprint for Medical Device Security
- Centers for Connected Health Policy
- National Consortium of Telehealth Resource Centers
- The Center for Telehealth and E-Health law
- Advancing Safety in Health Technology
- FirstNet
End to End service disruptions/restoration et al
- Cyberattacks
- Denial of service
- Man-in-the-middle
- Ransomware
- Device Tampering
- Connectivity failures
- Device failures
- User errors
- Emergency Protocols
Defining a Best Practice Risk Management approach:
AVOID
Based on current RPM deployment vulnerabilities, i.e. FITBIT, risk avoidance could determine that RPM technology should not be deployed.
ACCEPT
Since RPM has already been deployed to market, a risk analysis should be performed to identify best practices for self-contained vs patient BYOD to reduce risk to minimal acceptable levels.
TRANSFER
End users represent ongoing and uncontrollable exposure to extreme vulnerabilities. RPM practices can identify how risk can be transferred from the end user (patient) to the HDO. Utilizing Digital Twin processes in both self-contained devices and in software API’s would allow data validation and real time functionality to ensure best possible outcomes for the patient(s) and provider(s).
.