Healthcare Technology News

March 09, 2023

Remote Patient Monitoring Vulnerabilities Put Healthcare Dollars at Risk


Remember the days of having to go to the hospital multiple times a week because of a serious health condition? Remote patient monitors came in and changed the game. Remote patient monitoring (RPM) allows patients to be monitored in the comfort of their own homes, which lowers healthcare costs and allows them to be more engaged with their healthcare providers. When a change is detected in the monitor, healthcare providers can communicate with patients more easily.

Sounds like a gem in the healthcare industry.

However, as with anything that’s connected to the internet, there are bad actors wanting to hack into those monitors and obtain private patient information. It’s not only the hospitals that need to heed the risks, either; companies that provide RPM and remote therapeutic monitoring programs to the healthcare industry need to, as well.

Smart Meter, an RPM solution supplier, has published data security guidance for those companies.

The best practice for RPM companies is to continuously monitor their device vendors' approaches to securing the patient-generated health data collected by the home monitoring devices.

A common model for managing patient data is transporting it over the public internet. This is a red flag: traffic on the public internet is exposed to malicious attacks and can route patient data through foreign governments' jurisdictions outside U.S. borders. If a device vendor uses this approach without the proper safeguards, RPM companies must consider better ways to secure patient data, such as using private networks. A private network constrains the path the data can take and ensures it only arrives at its intended destination.

Another essential aspect of providing secure communications over the internet is transport layer security (TLS). It is critical to ensuring the privacy, integrity and authenticity of communications. If a device vendor says it is leveraging an "industry standard protocol," the RPM company must ask whether that protocol, as configured, is doing enough to protect the patients' data.

Many overseas manufacturers are adding "over-the-air" (OTA) software update capability to their devices as a new feature for remotely fixing errors or updating the device's firmware. OTA updates performed over an unsecured public network add another vulnerability to a company's system, potentially allowing an update to be tampered with or data to be captured in transit. As stated above, avoid public networks and use a private network. Private networks mitigate the risk of tampering and other malicious activity.
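The checks a device should apply to an over-the-air update before installing it, as an added example that is not Smart Meter's or any vendor's code: the update manifest must be authenticated, the firmware image must match the hash in the manifest, the image must be built for this device model, and the version must move forward so an older, vulnerable image cannot be pushed back onto the device. The device model, key, manifest layout and firmware bytes are all constructed for this example; it uses a standard-library HMAC as a stand-in for the public-key signature (for instance Ed25519) a real deployment would use, so that the verifying key on the device cannot itself forge updates.

```python
"""Verify an over-the-air firmware update for a home monitoring device.

Added example (not Smart Meter's or any vendor's code). Models the
checks a remote patient monitor should run on an update it received
over the network before applying it, so an image altered or replayed
in transit is rejected. Names, key and manifest format are constructed.
"""
import hashlib
import hmac
import json

# Constructed values for this example only.
DEVICE_MODEL = "rpm-cuff-example"
# Stand-in for the verifying key provisioned at manufacture; a real device
# would hold a public key and verify an asymmetric signature instead.
DEVICE_UPDATE_KEY = b"example-update-key-not-for-production"


def canonical_bytes(manifest: dict) -> bytes:
    """Serialize the manifest deterministically so signer and verifier agree."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = DEVICE_UPDATE_KEY) -> str:
    """Vendor side: authenticate the manifest (HMAC stands in for a signature)."""
    return hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()


def verify_update(manifest: dict, signature_hex: str, image: bytes,
                  current_version: int, key: bytes = DEVICE_UPDATE_KEY,
                  model: str = DEVICE_MODEL) -> tuple[bool, str]:
    """Device side: return (accepted, reason) for a received update.

    Order matters: nothing in the manifest is trusted until its
    authenticity has been checked, so the signature is verified first.
    """
    expected = sign_manifest(manifest, key)
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(expected, signature_hex):
        return False, "manifest signature invalid"
    if manifest.get("model") != model:
        return False, "image built for a different device model"
    if hashlib.sha256(image).hexdigest() != manifest.get("sha256"):
        return False, "image hash mismatch"
    # Anti-rollback: a captured, genuine-but-old update must not be replayable.
    if manifest.get("version", 0) <= current_version:
        return False, "version rollback rejected"
    return True, "ok"


# Constructed sample update: a firmware blob, its manifest and its signature.
FIRMWARE_IMAGE = b"constructed firmware blob, version 2"
EXAMPLE_MANIFEST = {
    "model": DEVICE_MODEL,
    "version": 2,
    "sha256": hashlib.sha256(FIRMWARE_IMAGE).hexdigest(),
}
EXAMPLE_SIGNATURE = sign_manifest(EXAMPLE_MANIFEST)


if __name__ == "__main__":
    cases = {
        "genuine update":   (EXAMPLE_MANIFEST, EXAMPLE_SIGNATURE, FIRMWARE_IMAGE, 1),
        "tampered image":   (EXAMPLE_MANIFEST, EXAMPLE_SIGNATURE, FIRMWARE_IMAGE + b"!", 1),
        "replayed old image": (EXAMPLE_MANIFEST, EXAMPLE_SIGNATURE, FIRMWARE_IMAGE, 2),
        "edited manifest":  (dict(EXAMPLE_MANIFEST, version=99), EXAMPLE_SIGNATURE, FIRMWARE_IMAGE, 1),
    }
    for name, args in cases.items():
        print(f"{name:20s} -> {verify_update(*args)}")
```

Run as a script, it prints the verdict for a genuine update and for three ways an update can be wrong in transit; only the genuine one is accepted. The private network the article recommends narrows who can reach the device, while these checks are what stop a tampered or replayed image from being installed if something does reach it.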

Given the potential for malware attacks in the healthcare sector, it is imperative to choose a vendor with proven technologies for protecting patient data. This matters for RPM companies because the financial cost of a HIPAA breach can threaten the continuity of the company. The 2022 HIPAA penalty structure ranges from a minimum of $127 per violation at Tier 1 to a maximum of $1,919,173 per violation at Tier 4.

"The financial cost of a HIPAA breach can be detrimental to the continuity of health care businesses and the well-being of patients," stated Casey Pittock, CEO of Smart Meter. "We have made significant investments over the past four years to embed proprietary security protocols in our RPM devices, platform and network to ensure patient health data can only be transmitted when connected to our exclusive and secure private data network for RPM."

RPM companies should remember that trusted device and data vendors follow data security best practices precisely so that their customers do not suffer the business continuity problems that follow a breach of patient data.




Edited by Alex Passett