How Telehealth Organizations Will Benefit From NIST SP 1800-30

Telemedicine has seen a massive rise in popularity since 2019. But with its rise in popularity amongst patients came more security incidents and breaches, as this new technology became a major target for threat actors.  

In fact, with the recent rise in telehealth services, healthcare providers have seen a 117% increase in website/IP security alerts due to malware, along with a 56% increase in endpoint vulnerabilities that enable data theft. 

Why such a change? Traditionally, patient care was provided within a healthcare facility, where the equipment used for treatments was physically located on-site. In this controlled environment, frameworks like HITRUST could be used to protect patient data. 

However, in the case of telemedicine, healthcare delivery organizations (HDOs) are relying on telehealth and remote patient monitoring (RPM) capabilities to treat patients at home. These devices need to use a third-party internet connection and most likely work through the use of a third-party video conferencing platform as well. 

Without adequate privacy and cybersecurity measures for this new normal, unauthorized individuals may expose sensitive data or disrupt patient monitoring services. Even with heightened security concerns, telehealth providers are not able to physically enter the homes of all of their patients to make sure they are using adequate cybersecurity measures. 

This is why organizations offering telehealth services will greatly benefit from the new NIST (National Institute of Standards and Technology) publication. 

The Release of the New NIST SP 1800-30  

While HDOs do not manage and deploy privacy and cybersecurity controls unilaterally, they are responsible for ensuring that appropriate controls and risk mitigation are applied. 

For the last two years, the National Cybersecurity Center of Excellence (NCCoE), a division of NIST, has been working on providing guidance to the industry on ensuring the confidentiality, integrity, and availability of patient data. In February of this year, the final version of NIST Special Publication 1800-30 (NIST SP 1800-30), Securing Telehealth Remote Patient Monitoring Ecosystem, was released.  

NCCoE developed NIST SP 1800-30 to form a reference architecture that demonstrates how organizations can adopt a standard-based approach to their telehealth protocol and use it alongside commercially available cybersecurity tools. Made in collaboration with leading healthcare, technology, and telehealth partners, the overarching goal is to improve privacy and security within the telehealth ecosystem. 

This is a big win for the industry because NIST SP 1800-30 will help achieve two major objectives:  

1. Adding additional support for provider organizations  
2. Providing guidance on deploying and implementing platforms  

Added Support to Provider Organizations 

Due to the rapid rise in the popularity of telemedicine services, HDOs have consistently lacked support when it comes to keeping sensitive information safe.  

NIST SP 1800-30 will help provider organizations keep telehealth and RPM systems secured by teaching them how to deploy the most effective cybersecurity and privacy controls. The framework updates security policies and procedures, providing more insight into how HDOs can select the right technology vendor to help deliver their telehealth services.  

Guidance on Deploying and Implementing Platforms 

Coming as a relief to many, NIST SP 1800-30 gives platforms, applications, cloud providers, and other third-party internet organizations guidance on deploying and implementing technologies. These platforms will also make it easier for telehealth organizations to augment the safeguards of data communications.   

For the IT professionals who want to implement NIST SP 1800-30, NCCoE has created detailed how-to guides available for download. These guides provide specific product installation, configuration, and integration instructions for building the example implementation shown in the documentation.  

Additionally, NIST SP 1800-30 informs HDOs of both technical and nontechnical supporting capabilities of medical device cybersecurity, as stipulated within the NIST Cybersecurity for Internet of Things Standards. 

What Organizations Should Do Now  

If you are a healthcare provider that uses telehealth to provide care to patients or a technology company supporting telehealth infrastructure, make sure you are working with your security and privacy consultants to help implement the NIST SP 1800-30 standard across your organization.  

As a top cybersecurity compliance assessment organization, A-LIGN can help your organization ensure that patient data remains secure. Our experts understand the nuances of NIST control elements and can help you navigate through NIST SP 1800-30. 

Contact A-LIGN today to learn more about cybersecurity tools specifically for organizations offering telehealth services.