Securing Remote Patient Health Care
As of March 25, 2020, the largest economy in the world is facing an unprecedented medical crisis. An unknown agent has infiltrated the general American population, making people sick and putting the US economy on hiatus. One consequence of this biomedical situation is that hospitals, healthcare delivery organizations, medical professionals and administrators are being overwhelmed with demands for testing, treatment and care of those stricken and sick. Doctors and nurses around the world are treating large numbers of patients flooding the hospital wards for many illnesses, including the “coronavirus” spreading globally. Given the close proximity to infected patients and long working hours with extended exposure to the sick, doctors and nurses are often just as at risk as the vulnerable. Unfortunately, medical professionals working on the front lines have been succumbing to the infection at an alarming rate. Patients who are visiting healthcare delivery organizations for other illnesses also risk infection.
As in all areas of life in the 21st century, technology can be deployed to help solve the challenging problems of our lifetimes. Technology may be part of our problems, but it can also be part of the solution if we as a society have the wisdom to use technology for the benefit of us all.
If supercomputers operating at 330 petaflops can be deployed to help medical researchers find ways to fight the coronavirus, then remote working technology can also be tapped to help medical professionals deliver quality healthcare in an online remote environment that is safe for both the patient and the healthcare provider, in a manner that may alleviate the growing strain on our limited hospital resources. However, if we use online technology to provide remote healthcare, then we become vulnerable to various cybersecurity risks that may compromise patient privacy and healthcare quality, among other abuses.
One of my favorite regulatory agencies remains unknown to most lawyers. Sure, most people have heard of agencies like the FDA and SEC. But there is one relatively obscure federal agency whose primary goal is to “enhance economic security and improve our quality of life.” It’s called the National Institute of Standards and Technology (“NIST”), formed in 1901 as a non-regulatory federal agency within the US Department of Commerce. NIST is responsible for setting standards and measurements that have made possible numerous products and services which we take for granted, from smart electric power grids and electronic health records to atomic clocks, advanced nanomaterials, and computer chips.
NIST has a department called the National Cybersecurity Center of Excellence (“NCCoE”), which works with industry organizations, government agencies, and academic institutions to solve some of the most pressing cybersecurity issues.
In May 2019, the NCCoE launched a working group consisting of 10 private companies to help create standards and best practices that the world can apply to protect the security and privacy of remote patient monitoring and healthcare done via videoconferencing or other online means. The NCCoE recognizes that more and more healthcare delivery organizations are implementing remote means of diagnosing, monitoring and even treating patients in a virtual environment in which the patient remains at home. Widespread use of such remote telehealth technology suffers from a major vulnerability plaguing the online business world: computer viruses and other cyberattacks. While doctors are fighting real-world viruses, NIST is trying to fight cyber-world viruses by setting standards and best practices to secure the remote patient care online ecosystem.
The working group will perform a risk assessment on a representative remote patient monitoring ecosystem, apply the NIST Cybersecurity Framework and guidance based on medical device standards, and collaborate with industry and public partners. The working group will produce a freely available NIST Cybersecurity Practice Guide, which I will discuss when it is issued. Meanwhile, please see the working group’s mandate here.