Identifying and Implementing Appropriate Security Controls in Your Telehealth Architecture
The recently passed Coronavirus Aid, Relief and Economic Security (CARES) Act provides a $300 million boost in funding for Federal Communications Commission (FCC) led Telehealth and Telemedicine Services programs. FCC Chairman Ajit Pai announced on March 30 that he is proposing $200 million of CARES Act funding go to a new COVID-19 Telehealth Program. This new program will offer selected healthcare providers full funding to purchase “telecommunications services, information services and devices to support telehealth services.” Chairman Pai also announced that an additional $100 million will be allocated to the previously proposed Connected Care Pilot Program. This program will cover 85% of eligible providers qualifying costs for the purchase of the broadband services, network equipment, and information services necessary to provide connected care services primarily to low-income Americans and veterans.
Organizations receiving funding from either of these programs and rolling out telehealth services need to be careful to consider appropriate security controls in their planning. Failure to do so, will place these investments, their patients and their organizations at unnecessary risk.
This latest investment further funds the many efforts that the FCC has underway in support of telehealth. These efforts include the Rural Health Care Program, the aforementioned Connected Care Pilot Program, and the Connect2Health Task Force. Each of these programs individually and the programs as a whole are intended to provide and facilitate access to medical services for all Americans and particularly those in underserved rural areas. To that end, Chairman Pai had earlier in March announced the immediate allocation of $42 million in unused funds to support telehealth for patients of rural hospitals and clinics through the Rural Health Care Program.
Telehealth and telemedicine solutions can vary quite a bit from one organization to another in their capabilities and architectures. While reputable telehealth vendors have included appropriate security controls within their products out of the box, these controls typically must be configured and implemented appropriately in order to be effective. Interfaces with existing systems and infrastructure must be understood so as not to introduce new vulnerabilities into an organization’s environment.
In addition, unlike a traditional setting, the telehealth architecture may include remote patient monitoring systems (RPMS) deployed in a patient’s home. RPMS devices typically reside on the patient’s private home network along with many other non-healthcare devices including the typical computing devices like desktops, laptops, phones and tablets as well as many new Internet of Things (IOT) devices like refrigerators, personal digital assistants, baby monitors and home security systems. Often these home networks and devices are not well defended, potentially providing an easy entry point for nefarious actors not just to the home network itself but now to the healthcare provider’s network as well.
Healthcare organizations making investments in telehealth should be systematic and diligent in identifying, implementing and testing security controls appropriate to their telehealth environment. This work is not just best practice in information security but also often required by the Health Insurance Portability and Accountability Act (HIPAA). Following are six actions that organizations should take now to protect their telehealth investments:
- First, understand the components that will make up your telehealth architecture/ecosystem. For a good overview of the components that may come into play, reference the recent Clearwater blog authored by my colleague George Jackson Security Considerations for Deploying Telehealth and Remote Patient Monitoring Systems
- Once these components are identified, baseline security controls should be identified and implemented.
- Risk analysis of the solution is then performed to assure that the controls are sufficient to reduce the risk to patients and provider to an acceptable level.
- Based on the results of the risk analysis, additional controls should be identified and implemented, as necessary.
- Once implemented, it is time to test the controls to make sure that they are implemented correctly and operating as expected. Ideally, this occurs before the solution is authorized to operate.
- Once in operation, the system should be monitored to make sure that the controls continue to be sufficient and functional.
There is a cost associated with security. Unfortunately, it is not uncommon for organizations to either completely overlook security costs during planning or, when considered, squeeze the security budget in an effort to reduce overall project costs. It is also not uncommon to see project teams avoid engaging with the security team at all in an effort to speed up deployment. None of these scenarios is advisable. Implementing security after the fact is inevitably more expensive and the cost of an otherwise avoidable breach can be devastating.
Organizations looking for assistance in understanding how to incorporate appropriate information security into their telehealth and telemedicine investments can speak to a Clearwater expert today by contacting us at firstname.lastname@example.org.
For more information on the FCC’s Keep Americans
Connected Pledge, visit: https://www.fcc.gov/keep-americans-connected.
For updates on the FCC’s wide range of actions during the Coronavirus pandemic, visit:
- Understanding the Exceptions to Information Blocking - September 2, 2020
- Interpreting the Move Toward Interoperability - August 3, 2020
- Identifying and Implementing Appropriate Security Controls in Your Telehealth Architecture - April 1, 2020