Quality and Safety

By Kat Jercich | 01:53 pm | February 25, 2022
The American Hospital Association raised concerns that health systems could be targeted directly or experience collateral damage.
By Mike Miliard | 09:30 am | February 25, 2022
Leaders from the U.S. Department of Health and Human Services, Intermountain and HIMSS discuss the top threats to information security – and describe how this key public-private partnership can enable more collaborative and consistent risk mitigation.
By Kat Jercich | 02:37 pm | February 24, 2022
The National Institute of Standards and Technology's National Cybersecurity Center of Excellence published its final guidance this week on securing telehealth and remote patient monitoring ecosystems.

The guide is intended, according to NCCoE, to help identify risks associated with RPM architecture and ensure healthcare organizations are partnering with appropriate telehealth platform providers.

"While [healthcare delivery organizations] do not have the ability to manage and deploy privacy and cybersecurity controls unilaterally, they retain the responsibility to ensure that appropriate controls and risk mitigation are applied," wrote researchers.

WHY IT MATTERS

In order to develop the guidance and demonstrate how organizations can enhance resiliency, NCCoE collaborated with industry partners to build a laboratory environment – specifically, one where a patient is being monitored by an in-home device capturing biometric data. Those partners included Accuhealth, Cisco, Inova, LogRhythm, MedCrypt, MedSec, Onclave Networks, Tenable, University of Mississippi Medical Center and Vivify Health.

"While the NCCoE used a suite of commercial products to address this challenge, this guide does not endorse these particular products, nor does it guarantee compliance with any regulatory initiatives," noted the experts.

"Your organization’s information security experts should identify the products that will best integrate with your existing tools and Information Technology system infrastructure," they continued.

The practice guide operated under the assumption that the delivery organization is using a separate telehealth platform provider that manages a distinct infrastructure, applications and a set of services.

Using the NIST Risk Management Framework, the NIST Cybersecurity Framework, the NIST Privacy Framework and other relevant standards, the NCCoE analyzed risk factors in an RPM ecosystem and identified measures to safeguard it.

It outlined several potential vulnerabilities, including fraudulent uses of health-related information, interruption or inaccuracy of patient diagnoses, disrupted processes and system disruption.

"As organizations consider measures to disrupt threats and adverse actions made against the ecosystem, an opportunity exists where organizations examine threats to identify controls that mitigate adverse actions identified by threat modeling," read the report.

The guidance authors noted that, although they used cellular data-based biometric devices and addressed those using broadband communications, a future build may also implement an electronic health record system that would receive automated data from the telehealth platform provider.

"The future build may include direct messaging from the RPM systems to the EHR," they wrote.

THE LARGER TREND

NIST has been offering tips around cybersecurity and telehealth deployments for years. NIST IT Security Specialist Nakia Grayson, who co-authored the guidance, told Healthcare IT News Executive Editor Mike Miliard in April 2021 that the agency began the work in response to an uptick in patient and provider interest in virtual care, particularly amidst the COVID-19 pandemic.

"Without adequate privacy and cybersecurity measures, unauthorized users may expose a patient's sensitive data or disrupt the patient monitoring system," Grayson said in a HIMSSTV interview.

ON THE RECORD

"Technology solutions alone may not be sufficient to maintain privacy and security controls on external environments," wrote NCCoE experts.

"This practice guide notes the application of people, process and technology as necessary to implement a holistic risk mitigation strategy," they continued.

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.

By Nathan Eddy | 11:04 am | February 21, 2022
The CMIO at NYU Langone Health previews his HIMSS22 session, where he'll explain how the health system's digital strategy has been fine-tuned to meet the needs of its care providers and patients.
By HIMSS TV | 10:17 am | February 18, 2022
This week's top stories include the Mayo Clinic ceasing the scheduling of appointments for patients in most Medicare Advantage plans, and an Oklahoma City hospital's response to COVID-19-related social media posts that accused providers of murder.
By Kat Jercich | 10:46 am | February 16, 2022
Mercy Hospital Oklahoma City filed a motion for a temporary restraining order after COVID-19-related social media posts accused providers of murder.
By Bill Siwicki | 01:28 pm | February 11, 2022
The Iowa medical center streamlined clinical collaboration, saved money on PPE, and improved both patient and provider experience.
By Kat Jercich | 04:09 pm | February 02, 2022
The U.S. Department of Health and Human Services' cybersecurity arm said this week that the operation has not claimed a victim since last October.
By Bill Siwicki | 01:17 pm | January 28, 2022
Clay Ritchey, an expert in patient matching technology, explains how fine-tuned patient ID strategies boost outcomes, tame costs, help SDOH management – and improve COVID-19 testing and vaccination efforts.
By Kat Jercich | 12:22 pm | January 25, 2022
Meanwhile, the Cybersecurity and Infrastructure Security Agency says "every organization in the United States" is at risk from cyber threats.