New NIST Guidance for Telehealth Data
When remote patient monitoring (RPM) and telehealth increased in response to the COVID-19 pandemic, the Office for Civil Rights (OCR) at the Department of Health and Human Services effectively loosened restrictions related to telehealth. In early 2021, the OCR issued a statement that it would “exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”
This statement was made in response to a public health emergency, and many expect that enforcement is likely to begin to tighten when the OCR determines that the public health emergency has subsided.
A two-year project to address cybersecurity and privacy risks related to telehealth technology has culminated in the release of Special Publication (SP) 1800-30 by the National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST). This guidance, which includes rarely provided NIST how-to instructions, will be helpful to organizations in monitoring these risks and updating their systems to reflect changes made in response to the pandemic.
The goal of the project was to “demonstrate how healthcare delivery organizations can implement cybersecurity and privacy controls to enhance telehealth RPM resiliency.” Working with technology and health care private industry partners, researchers designed and implemented a reference architecture lab environment in as close to a real-world environment as possible.
To prepare, organizations can use the report as guidance in the following ways:
Review architectural and governance-related updates made to facilitate heavier reliance on remote work. Priority should be placed on:
- Verifying that services exposed to ease or increase access allow only the intended access, remain appropriately monitored and updated, and cannot be used to pivot to other IT systems;
- Scrutinizing links to third-party systems; and
- Ensuring written agreements, such as a Business Associate Agreement (BAA), are in place to help protect information.
Review and apply SP 1800-30, leveraging how-to guidance that NIST has rarely provided. Use this guide to ensure that systems implemented to provide remote services are properly secured and validated.
The full SP 1800-30 release is nearly 400 pages, with How-To guidance comprising more than one-third of the document.
Key components of Volume B, the Approach, Architecture, and Security Characteristics section, include:
- Risk Assessments: NCCoE leveraged the NIST Risk Management Framework, combined with other risk frameworks, and provides sample threats and risks as they relate to confidentiality, integrity, and availability (CIA) for cybersecurity risk and predictability, manageability, and disassociability (PMD) for privacy risk.
- Framework Mappings: Understanding that organizations may already map to an applicable standard or framework, NIST has included a mapping of NIST CSF to NIST 800-53, NIST NICE (800-181), NIST Privacy Framework, IEC-TR80001-2-2, HIPAA Security Rule, and ISO 27001.
- Architecture: A description of the representative Healthcare Delivery Organization (HDO) lab environment, which has three main architectural components: 1) Patient home, 2) Telehealth platform providers (TPPs), and 3) HDO. NCCoE uses both text and diagrams to detail the communication paths and data flows between these components, and includes a high-level summary of the data security implemented.
- Functional Evaluations: This section describes a series of functional requirements and the test cases NCCoE performed to verify whether the lab environment behaved as expected.
The last section, Volume C, includes screenshots and detailed walkthroughs addressing:
- Product installation guidance for the two example TPPs configured for use in the lab environment; and
- System requirements and installation and configuration steps for the systems implemented to perform risk assessments, Identity and Access Management (IAM), and security and network monitoring.
As with most IT security and data privacy guidance, applying these concepts to health care data is complex, and organizations may not have the in-house knowledge to fully benefit. To find out how Weaver’s advisory team can assist your organization’s adoption of best practices aligned with this guidance, contact us. We are here to help.
© 2022
By the Numbers:
Telehealth: A quarter-trillion-dollar post-COVID-19 reality?
- From February to April 2020, telehealth claims increased to 78 times pre-pandemic levels, settling at 38 times pre-pandemic levels throughout 2020-2021.
- Telehealth comprises approximately 17% of outpatient/office visit claims.
- Telehealth investment reached $21.6 billion in 2020, a 103% year-over-year increase, and grew 3x from 2017 to 2021.
Patients love telehealth—physicians are not so sure
- 60% of patients and 36% of doctors prefer telehealth.