Center for Telehealth lends expertise to cybersecurity manual
Published on Monday, December 14, 2020
By: Ruth Cummins
When Martha O’Cain uses a Bluetooth connection to relay her vital signs remotely from her Canton home to her University of Mississippi Medical Center caregivers, she doesn’t worry about her private medical information getting into the wrong hands.
“It hasn’t been a concern with me,” said O’Cain, who is being treated by cardiologists Dr. Trey Clark and Dr. James Hamilton following a double heart bypass and a cardiac ablation to correct heart rhythm problems. “Years ago, somehow someone got my information and used my credit card. I haven’t had any problems with (remote patient monitoring).”
O’Cain is fortunate. The equipment she uses in the comfort of her home is “proprietary,” meaning the Medical Center has used its vast technology resources to protect it from those who might want to invade a patient’s privacy or tinker with their health information.
But not all telehealth users have that security. UMMC is one of 10 hospital organizations or vendors that have collaborated to build a structure to address growing security and privacy concerns associated with remote patient monitoring.
They’ve produced a draft plan to protect the "ecosystem" of infrastructure that is supposed to maintain the confidentiality, integrity and availability of telehealth patient data, as well as ensure the safety of patients. The plan is a publicly available guide for health systems and organizations to use to better safeguard security in RPM.
UMMC, one of only two Telehealth Centers of Excellence in the nation, was chosen to take part in the project because of its proven expertise, said Steve Waite, executive director of information security in the Medical Center’s Division of Information Systems.
Another factor was UMMC’s 2014 Diabetes Telehealth Network that connected diabetic patients in the Mississippi Delta with UMMC specialists via a remote connection. The first of its kind in the nation, it provided secure tablets to patients to help health care providers remotely manage the chronic conditions that come with the disease.
“They went to school on us and what we have in place,” Waite said. “The pandemic has elicited the need for us to do more and more remote patient monitoring and to protect not just the patient’s privacy, but their health.”
The work on the new RPM guide was done through the National Cybersecurity Center of Excellence (NCCoE), part of the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST). A draft of the NIST Cybersecurity Practice Guide is publicly downloadable on the NCCoE website. The public is encouraged to comment on the draft through Dec. 18.
“It’s great that they wanted to dive into a health care-specific project and explore a practical framework for security for remote patient monitoring,” said Julio Cespedes, director of telehealth innovation, design and implementation for UMMC’s Center for Telehealth. “It’s really important, as we become even more connected, that in the health care space we have practical solutions for how to monitor patients in their homes.
“It will be interesting to see how it drives how people think about security and security flaws in remote patient monitoring,” he said.
In addition to Cespedes and Waite, contributing their time and expertise from UMMC were Dr. Saurabh Chandra, chief telehealth officer; Dr. Richard Summers, associate vice chancellor for research; Dr. Alan Jones, assistant vice chancellor for clinical affairs; Dr. Donald Clark, assistant professor in the Division of Cardiovascular Diseases; and Kristy Simms, executive director of external affairs/Government Relations.
"This project is an example of how we really collaborate with the entire institution, and have for a long time," Cespedes said.
In the guide’s summary, its writers explained why the nation’s telehealth providers and vendors need guidance, especially during the care challenges wrought by COVID-19.
“Increasingly, health care delivery organizations are relying on telehealth and remote patient monitoring (RPM) capabilities to treat patients at home. RPM is convenient and cost-effective, and since the onset of the COVID-19 pandemic, its adoption rate has rapidly increased,” the guide reads.
“Without adequate privacy and cybersecurity measures, however, unauthorized individuals may expose sensitive data or disrupt patient monitoring services. In collaboration with industry partners, the National Cybersecurity Center of Excellence (NCCOE) built a laboratory environment to demonstrate how HDOs can implement cybersecurity and privacy controls to enhance telehealth RPM resiliency.”
UMMC has about 100 patients spread over 10 counties using remote patient monitoring, but that number is constantly rolling as patients are enrolled and discharged, said Tanya Tucker, a Center for Telehealth nurse manager.
Many are in rural areas with few or no specialists. Others may have transportation or health issues that keep them from regularly traveling to UMMC’s Jackson campus. For them, telehealth is the answer to making sure their chronic conditions are treated and closely monitored by their own physicians in addition to nurse practitioners at the Center for Telehealth.
When a remote telehealth patient uses Bluetooth-enabled devices – a blood pressure cuff, scales to weigh themselves, a finger oximeter to gauge their blood oxygen saturation – it generates data on their health that is recorded electronically, often straight to their electronic medical record. Other patient-caregiver interactions are recorded, such as a provider asking a patient to shake their pill bottle so that the provider can tell by the sound whether they’re taking their medications.
Security pitfalls for remote patients whose devices are not proprietary could include viruses on their personal devices, and even hackers delving into their information in a way that endangers their very health, Cespedes said. “You can imagine if thousands of patients with a chronic condition, whose blood pressure or glucose is being remotely monitored, and someone hacks their information. You could have wrong numbers produced, and it could lead to bad health outcomes for the patient.”
The draft guide is designed to advise both telehealth providers and vendors who supply their technology on information security. “It’s how to continue to put the patient at the center of their own health data, and to empower patients to be in control of their own information,” Cespedes said. “Structurally, telehealth is set up so that people or interests with nefarious goals can’t access patients’ information and use it in a negative way.”
“Ultimately, this project was to get out in front of security and privacy issues so that whatever is delivered to the patient is not something that they have to concern themselves with or struggle with,” Waite said. “They need to know that delivery of telehealth will protect their privacy and deliver the kind of care they need.”