Nov 19, 2018 — The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of. Standards and Technology (NIST),
26 pages

71 KB – 26 Pages

PAGE – 1 ============
Cybersecurity for the Healthcare Sector Andrea Arbelaez National Cybersecurity Center of Excellence National Institute of Standards and Technology Ronnie Daldos Kevin Littlefield Sue Wang David Weitzel The MITRE Corporation DRAFT November 2018 PROJECT DESCRIPTION

PAGE – 2 ============
DRAFT Project D escription: S ecuring Telehealth Remote Patient Monitoring Ecosystem 2 The National Cybersecurity Center of Excellence (NCCoE) , a part of the National Institute of Standards and Technology (NIST) , is a collaborative hub where industry organizations, pressing cybersecurity ch allenges. Through this collaboration, the NCCoE develops modular, easily adaptable example cybersecurity solutions demonstrating how to apply standards and best practices using commercially available technology. To learn more about the NCCoE, visit . To learn more about NIST, visit . This document describes a particular problem that is relevant across the healthcare sector. NCCoE cybers ecurity experts will address this challenge through collaboration with members of the healthcare sector and vendors of cybersecurity solutions. The resulting reference design will detail an approach that can be used by healthcare delivery organizations (HD Os) . A BSTRACT HDO s are leveraging a combination of telehealth capabilities , such as remote patient monitoring (RPM) and videoconferencing , to treat patients in their homes . These modalities are used to treat numerous conditions, such as patients battling chronic illness or requiring post – operative monitoring. As the use of these capabilities continues to grow, it is important to ensure that the infrastructure supporting the m can maintain the confidentiality, integrity , and availability of patient data, and to ensur e the safety of patient s . The goal of this project is to provide a practical solution for securing the telehealth RPM ecosystem. The project team will perform a ri sk assessment on a representative RPM ecosystem in the laboratory environment, apply the NIST Cybersecurity Framework and guidance based on medical device standards, and collaborate with industry and public partners. The project team will also create a ref erence design and a detailed description of the practical step s needed to implement a secure solution based on standards and best practices. This project will result in a freely available NIST Cybersecurity Practice Guide. K EYWORDS application programming interface (API); application security ; cybersecurity ; data privacy ; data privacy and security risks ; health delivery organization (HDO) ; remote patient monitoring (RPM) ; telehealth ; user interface (UI) D ISCLAIMER Certain commercial entities, equipment, products, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST or NCCoE, nor is it intended to imply that th e entities, equipment, products, or materials are necessarily the best available for the purpose. C OMMENTS ON NCC O E D OCUMENTS Organizations are encouraged to review all draft publications during public comment periods and provide feedback. All publication are available at . Comments on this publication may be submitted to: hit – P ublic comment period: November 19, 2018 to December 21 , 2018

PAGE – 3 ============
DRAFT Project D escription: S ecuring Telehealth Remote Patient Monitoring Ecosystem 3 T ABLE OF C ONTENTS 1 Executive Summary .. .. .. . 4 Purpose .. .. .. .. .. 4 Scope .. .. .. .. 4 Assumptions .. .. .. 5 Background .. .. .. . 5 2 Scenario: Remote Patient Monitoring and Video Telehealth .. .. 5 3 High – Level Architecture .. .. .. . 6 Component List .. .. .. . 8 Components for RPM Technologies .. .. .. 8 Components for Remote/Patient Home Environment .. 8 Components for HDO Environment .. .. 9 Desired Security Characteristics .. .. .. 10 4 Relevant Standards and Guidance .. .. 11 5 Security Control Map .. .. .. .. 13 Appendix A References .. .. .. . 25 Appendix B Acronyms and Abbreviations .. .. 26

PAGE – 4 ============
DRAFT Project Description: S ecuring Telehealth Remote Patient Monitoring Ecosystem 4 1 E XECUTIVE S UMMARY Purpose This document defines a National Cybersecurity Center of Excellence ( NCCoE ) project focuse d on providing guidance and a reference architecture that address security and privacy risks to stakeholders leveraging telehealth and remote patient monitoring (RPM) capabilities . We are seeking feedback on this project . Traditionally, p atient monitoring systems have been deploy ed in healthcare facilities, in controlled environments. RPM , however, is different , in that monitoring equipment is deployed in the patient home, which traditionally does not offer the same level of cyber security or physical – security control to prevent misuse or compromise. These RPM devices may leverage a pplication p rogramming i nterfaces (APIs) or rule engines developed by third parties that act as intermediaries between the patient and the healthcare provider. It is important to review the end – to – end architecture to determine whether security and privacy vulnerabilities exist and what security controls are required for proper cybersecurity of the RPM ecosystem . While the field of telehealth is broad, a focus on the application of telehealth modalities involving third – party platform providers utilizing videoconferencing capabilit ies and leveraging cloud and i nternet technologies coupled with RPM mechanisms provides the NCCoE with an opportunity to develop practical recommendations. The intended audience for these recommendations consists of HDOs , patients, and third – party participants employing RPM products and services . This project will result in a publicly available National Institute of Standards and Technology ( NIST ) Cybersecurity Practice Guide, a detailed implementation guide of the practical steps needed to implement a cybersecurity reference design that addresses this challenge . Scope The objective of this project is to demonstrate a proposed approach for improving the overall security in the RPM environment. This project will address cybersecurity concerns about having the use of the home network and patient – owned devices , such as smartphones , tablets, lapto ps, and home computers. Th is project will also identify cybersecurity measures that HDOs may consider when offering RPM with video telehealth capabilities. A proposed component list is provided in the High – Level Architecture section ( Section 3 ) . Telehealth solutions are, by nature, an integration of disparate parties and environments. However , out of scope for this project are th e risks and concerns specific to the third – party provider (i.e. , the telehealth platfo rm provider) that may be offering services that are cloud – hosted or that provide functionality through a software as a service (SaaS) model. Additionally, this project does not evaluate monitoring devices for vulnerabilities, flaws , or defects. The intent of th is project is to provide practical guidance for the security control. The NCCoE does not evaluate medical device manufacture rs . While telehealth solutions may include software development kits (SDKs) and APIs, this project will not explore the secure software development practice in detail.

PAGE – 5 ============
DRAFT Project Description: S ecuring Telehealth Remote Patient Monitoring Ecosystem 5 Assumptions Patient monitoring devices ( e .g., blood pressure cuff, body mass index [ BMI ] / weight scale) may leverage Bluetooth or wireless communications to transmit telemetry data to the h ome monitoring application . The home monitoring application may be installed on a managed or unmanaged patient – owned mobile device . The home monitoring application may transmit telemetry data to the remote m onitoring server via a cellular or Wi – Fi connection . The p atient is in his or her home during the telehealth interaction (e.g. , video, patient m onitoring) . Video telehealth interactions may leverage patient – owned devices or devices provided by the primary care facility . Clinicians participating in telehealth interactions are connected to the HDO s internal network via a secure virtual private network ( VPN ) by using a device managed by the HDO . Background The NCCoE recognizes the important role that telehealth capabilities play in the delivery of healthcare and has commenced research in telehealth , specifically RPM technologies . As the growth and popularity of telehealth capabilities accelerate, it is critical to evaluate the security and privacy risks associated with each identified use case. Once identified, security controls can be implemented to mitigate the security and privacy risks to the patient and other stakeholders. The demand for telehealth capabilities continues to grow as stakeholders (e.g. , patients ; pro viders ; payer s ; federal, state , and local government s ) see the benefits that telehealth brings to improving the quality of patient care and the accessibility to healthcare. A 2017 Foley Telemedicine and Digital Health Survey found that , in just three years , respondents went from 87 percent not expecting most of their patients to be using telehealth services in 2017 to 75 percent offering or planning to offer telehealth services to their patients [1] . 2 S CENARIO : R EMOTE P ATIENT M ONITORING AND V IDEO T ELEHEALTH The scenario considered for this project involves RPM home [2] . RPM equipment that may be provided to patients include s devices for blood pressure monitoring, heart rate monitoring, BMI/weight measurements, and glucose monitoring . An accompanying application may also be downloaded onto the patient – owned device and synced with the RPM equipment to enable the patient and healthcare provi der to share data. Patients may also be able to initiate videoconferencing and/or communicate with the healthcare provider via email, text messaging, or chat sessions . Data may be transmitted across the i nternet . Those transmissions may be relayed to a third – party platform provider that , in turn, routes the communications to the HDO . This process brings the patient and healthcare provider together, allowing for the delivery of the needed healthcare service .

PAGE – 6 ============
DRAFT Project Description: S ecuring Telehealth Remote Patient Monitoring Ecosystem 6 The following functions may be evaluated during this project: connectivity between monitoring devices and app lication s deployed to mobile devices (e.g. , smartphones , tablets) or to patient workstations (e.g. , laptop s , desktops) ability for the application to transmit monitoring data to the HDO ability for the patient to interact with a point of contact to initiate care ( This ability may be through a chat box, interacting with a live individual via videoconference .) ability for the monitoring data to be analyzed by the HDO to spot trends and to issue possible alerts to the clinician if the data suggests that there is an issue with the patient ability for the patient monitoring data to be shared remotely with the elect ronic health record system ability for the patient to initiate a videoconference session with a care team member through the telehealth app lication ability for the patient to receive and apply updates and patches for applications ability for the HDO to est ablish connectivity to the remote monitoring device to obtain direct patient telemetry data ability for the HDO to establish connectivity to the remote monitoring device to update the monitoring device configuration 3 H IGH – L EVEL A RCHITECTURE Figure 3 – 1 shows the high – level architecture for RPM that uses a third – part y telehealth platform provider. The high – level architecture addresses the scope noted in Section 1 . The component list and the desired security characteristics are listed the subsections that follow . For this project, two separate environments will be constructed : the HDO environment and the patient home setting. The HDO infrastructure would adopt the d eployments used in previous NCCoE h ealthcare projects [3] , [4] that implement network zoning and layered defenses aligning to NIST Cybersecurity Framework f unctions. As th is project develops, iden tity and access management (IdAM) controls will be identified . IdAM may be limited based on selected technologies, and those limitations are to be determin ed.

PAGE – 8 ============
DRAFT Project Description: S ecuring Telehealth Remote Patient Monitoring Ecosystem 8 Comp onent List The NCCoE has a dedicated lab environment that includes the following features: network with machines using a directory service virtualization servers network switches remote access solution with Wi – Fi and a VPN Collaboration partners (participating vendors) will need to provide specialized components and capabilities to realize this solution, including, but not limited to, those listed in the subsections below. Components for RPM Technologies Telehealth platform a solution that enables data and communication flow from the patient monitoring device to the home monitoring device to the care providers o internet – based communications transmission of telemetry data videoconference audioconference email secure text mess aging o Routing/triage functionality the telehealth platform enables patients to identify an appropriate , networked team of care providers o S DK s and API s that enable telehealth applications to interface with patient monitoring devices o Patient monitoring dev ices that send telemetry data via the home monitoring device blood pressure heart monitoring BMI / weight scales other telemetry devices , as appropriate o Home monitoring device (e.g. , s pecialized mobile application, standalone device) that transmits telemetry data to the telehealth platform and provides video connectivity Components for Remote/Patient Home Environment Personal f irewall a n application that controls network traffic to and from a computer, permitting or denying communications based on a security policy Wireless a ccess p oint r oute r a device that performs the functions of a router and includes the functions of a wireless access point End p oint p rotection (anti – malware) a type of software program designed to prevent, detect , a nd remove malicious software (malware) on information technology (IT) systems and on individual computing devices Cable m odem a device that provides a demarcation point for cable access and presents an Ethernet interface to allow internet access via the cable infrastructure

PAGE – 9 ============
DRAFT Project Description: S ecuring Telehealth Remote Patient Monitoring Ecosystem 9 Wireless r outer a device that provides wireless connectivity to the home network and provides access to the internet via a connection to the cable modem Telehealth a pp lication an application residing on a managed or unmanaged mobile device or on a specialized standalone device , that facilitates the transmission of telemetry data , and video connectivity , between the patient and HDO Patient m onitoring d evice a peripheral device used by the patient to perform diagnostic tasks (e.g. , measure blood pressure, glucose levels, and BMI/weight) and to send the telemetry data via Bluetooth or wireless connectivity to the telehealth app lication Components for HDO Environment Network a ccess c ontrol discovers and accurately identifies devices connected to wired networks , wireless networks , and VPNs, and provides network access controls to ensure that only authorized individuals with authorized devices can access the systems and data that ac cess policy permits Network f irewall a network security device that monitors and controls incoming and outgoing network traffic , based on defined security rules Intrusion Detection System ( IDS ) (h ost/ n etwork) a device or software application that monitors a network or systems for malicious activity or policy violations Intrusion Prevention System (IPS) a device that monitors network traffic and can take immediate action, such as shutting down a port, based on a set of rules established by the net work administrator VPN a s ecure endpoint access solution that delivers secure remote access through virtual private networking Governance, Risk , and Compliance (GRC) t ool automated management for an organization overall governance, enterprise risk ma nagement , and compliance with regulations Network m anagement t ool p rovide s server, application – management, and monitoring services , as well as asset life – cycle management End p oint p rotection and s ecurity p rovides server hardening, protection, monitoring, and workload micro – segmentation for private cloud and physical on – premises data – center environments , along with support for containers , and provides full – disk and removable media encryption Anti – r ansomware helps enterprises defend against ran somware attacks by exposing, detecting, and quarantining advanced and evasive ransomware Application s ecurity s canning/ t esting provide s a means for custom application code testing (static/dynamic)

PAGE – 10 ============
DRAFT Project Description: S ecuring Telehealth Remote Patient Monitoring Ecosystem 10 Desired Security C haracteristics The primary security functions and processes to be implemented for this project are listed below and are based on NIST Cybersecurity Framework V ersion 1.1 . IDENTIFY (ID) These activities are foundational to developing an organizational understanding to m anage risk . Asset m anagement includes the identification and management of assets on the network , and the management of the assets to be deployed to equipment. Implementation of this category may vary depending on the parties managing the equipment . H owe ver , this category remains relevant as a fundamental component in establishing appropriate cybersecurity practices . Governance O rganizational cybersecurity policy is established and communicated . Governance practice s are appropriate for HDOs and their business associates (BAs), including technology providers , such as those vendors that develop, support, and operate telehealth platforms . Risk a ssessment includes the risk management strategy . Risk assessment is a fundamental component for HDOs and their B A s . Supply c hain r isk m anagement T he nature of telehealth with RPM is that the system integrates components sourced from disparate vendors and may involve relationships established with multiple suppliers, including cloud services providers . PROTECT (P R) These activities support the ability to develop and implement appropriate safeguards based on risk . Identity m anagement, a uthentication, and a ccess c ontrol includes user account management and remote access o controlling (and auditing) user accounts o controlling (and auditing) access by external users o enforcing least privilege for all (internal and external) users o enforcing separation – of – duties policies privileged access management (PAM) with an emphasis on the separation of duties o enforcing least fu nctionality Data s ecurity includes data confidentiality, integrity, and availability o securing and monitoring the storage of data includes data encryption (for data at rest) access control on data data – at – rest controls should implement some form of a da ta security manager that would allow for policy application to encrypted data, inclusive of access control policy o securing the distribution of data includes data encryption (for data in transit) and a data loss prevention mechanism o controls that promote data integrity

PAGE – 11 ============
DRAFT Project Description: S ecuring Telehealth Remote Patient Monitoring Ecosystem 11 o cryptographic modules validated as meeting NIST Federal Information Processing Standard ( FIPS ) 140 – 2 are preferred o physical security provided by an access – controlled data center to host the third – party telehealth servers and storage Informat ion p rotection p rocesses and p rocedures includes data backup and endpoint protection Maintenance includes local and remote maintenance Protective t echnology host – based intrusion prevention, solutions for malware (malicious – code detection), audit logging, (automated) audit log review, and physical protection DETECT (DE) e nables the timely discovery of a cybersecurity event Security c ontinuous m onitoring monitoring for unauthorized personnel, devices, software, and connections o vulnerability man agement includes vulnerability scanning and remediation o patch management o system configuration security settings o user account usage (local and remote) and user behavioral analytics RESPOND (RS) t he ability to develop and implement activities designed to contain the impact of a detected cybersecurity event Response p lanning Response processes and procedures are executed and maintained to ensure a response to a detected cybersecurity incident . Mitigation Activities are performed to prevent the expansion of a cybersecurity event, mitigate its effects, and resolve the incident . RECOVER (RC) the ability to d evelop and implement activities that support the timely recovery of normal operations after a cybersecurity incident Recovery p lanning Reco very processes and procedures are executed and maintained to ensure the restoration of systems or assets affected by cybersecurity incidents . Communications Restoration activities are coordinated with internal and external parties (e.g. , coordinating cen ters, internet service providers , owners of attacking systems, victims, other computer security incident response team s, vendors) . 4 R ELEVANT S TANDARDS AND G UIDANCE General Cybersecurity and Risk Management: Association for Advancement of Medical Instrumentation ( AAMI ) Technical Information Report ( TIR ) 57 , Principles for medical device security R isk management International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) Standard 27001:2013 , Information technology Security techniques Information security management systems Requirements American National Standards Institute ( ANSI ) /AAMI/IEC Standard 80001 – 1:2010 , Application of risk management for IT – n etworks incorporating medical devices Part 1: Roles, responsibilities and activities

71 KB – 26 Pages