U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.

Https

We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

NIST SP 1800-30 (2nd Public Draft)

Securing Telehealth Remote Patient Monitoring Ecosystem

Date Published: May 2021
Comments Due: June 7, 2021 (public comment period is CLOSED)
Email Questions to: hit_nccoe@nist.gov

Author(s)

Jennifer Cawthra (NIST), Nakia Grayson (NIST), Bronwyn Hodges (MITRE), Jason Kuruvilla (MITRE), Kevin Littlefield (MITRE), Julie Snyder (MITRE), Sue Wang (MITRE), Ryan Williams (MITRE), Kangmin Zheng (MITRE)

Announcement

Increasingly, healthcare delivery organizations (HDOs) incorporate telehealth and remote patient monitoring (RPM) as part of a patient’s care regimen. RPM systems may offer convenience and may be cost effective for patients and HDOs, which promotes increased adoption rates. Without adequate privacy and cybersecurity measures, however, unauthorized individuals may expose sensitive data or disrupt patient monitoring services.

The NCCoE developed a reference architecture that demonstrates how HDOs may use standards-based approaches and commercially available cybersecurity technologies to implement privacy and cybersecurity controls, thereby enhancing the resiliency of the telehealth RPM ecosystem.

After adjudicating all the comments from the first draft, notable adjustments were made to the RPM Practice Guide, including:

  • Adjusted the security and privacy control mapping in accordance with NIST SP 800 53 Revision 5.
  • Enhanced cybersecurity capabilities in the Identity Management and Data Security sections.
  • Updated the final architecture to include secure broadband communication between the patient's home and the telehealth platform provider.
  • Included guidance from NIST’s Cybersecurity for the Internet of Things program on device cybersecurity capabilities and nontechnical supporting capabilities that telehealth platform providers should be aware of in their biometric device acquisition processes.

Abstract

Keywords

access control; authentication; authorization; behavioral analytics; cloud storage; data privacy; data security; encryption; HDO; healthcare; healthcare delivery organization; remote patient monitoring; RPM; telehealth; zero trust
Control Families

Access Control; Configuration Management; Identification and Authentication; Physical and Environmental Protection; Program Management; Risk Assessment; System and Communications Protection

Documentation

Publication:
Second Draft SP 1800-30

Supplemental Material:
Project homepage

Document History:
11/16/20: SP 1800-30 (Draft)
05/06/21: SP 1800-30 (Draft)
02/22/22: SP 1800-30 (Final)