NIST Wants Insight on Combatting Telehealth Cybersecurity Risks


The agency aims to ensure remote monitoring setups are secure. 

The National Institute of Standards and Technology wants to hear from vendors who can deliver technical expertise and products that can help secure health organizations’ telehealth capabilities. 

According to a notice set to be published in the Federal Register Thursday, the agency wants vendors to provide insight and demonstrations to support the National Cybersecurity Center of Excellence’s health care sector-specific use case, “Securing Telehealth Remote Patient Monitoring Ecosystem.” 

“This notice is the initial step for the NCCoE in collaborating with technology companies to address cybersecurity challenges identified under the health care sector program,” officials wrote.

An element of NIST, the NCCoE is a public-private collaboration that brings together industry, government and academia experts to develop interoperable cybersecurity solutions to complex real-world problems. For its health sector use case, insiders aim to create a reference architecture for patients who have remote patient monitoring equipment deployed outside of health care facilities. Monitoring equipment often features video-teleconferencing capabilities from third-party platform providers and leverages cloud and internet-connected technologies to keep tabs on patients who recently underwent operations or are battling chronic illnesses.

NIST aims to ensure their infrastructure prioritizes patient safety and protects sensitive patient data.

“The goal of this project is to provide a practical solution for securing the telehealth RPM ecosystem,” officials said on the project's landing page. “This project will result in a publicly available [NIST] Cybersecurity Practice Guide, a detailed implementation guide of the practical steps needed to implement a cybersecurity reference design that addresses this challenge.”

For the solicitation, NIST wants “sources of relevant security capabilities” to enter into a cooperative research and development agreement to inform the creation of an architecture that will act as guidance for securing the RPM ecosystem across patient homes and medical facilities, as well as an example solution that uses commercially available and open-source cybersecurity products.

Interested vendors are asked to request a letter of interest template from NIST, which will be provided on a first-come, first-served basis and which vendors are expected to complete and return to the agency. Participants must clarify the security platform components or capabilities they can offer. The specific types of components include: components for RPM technologies such as internet-based communications or home monitoring devices; components for remote/patient home environments such as modems or personal firewalls; and components for health care delivery organization environments including network access control capabilities or governance, risk and compliance tools.

Following submissions, the agency will select participants with which it will enter a consortium cooperative research and development agreement. NIST plans to post a notice online once the use case is completed and will also announce the dates it plans to hold a demonstration of the Securing Telehealth Remote Patient Monitoring Ecosystem capability. 

“The expected outcome of the demonstration is to improve telehealth RPM cybersecurity across an entire health care sector enterprise,” officials wrote. “Participating organizations will gain from the knowledge that their products are interoperable with other participants’ offerings.”