5 Cybersecurity Strategies for Remote Patient Monitoring Systems

Remote patient monitoring systems have unlocked new standards of care. They can reduce lines in hospital waiting rooms, streamline checkups and enable fast, personalized treatments for improved health outcomes. However, they also present a growing cybersecurity risk.

Cyberattacks against health care are an increasingly frequent problem — 2023 saw the highest number of data breaches and the most leaked information on record. Wearables and other remote monitoring devices may add fuel to the fire, as many have weak built-in protections and offer increased access points to sensitive data. The industry must adopt new security strategies in response.

1. Thoughtful Device Selection

Improved cybersecurity begins with choosing more reliable patient monitoring systems. Not all devices are created equal, and medical organizations can prevent many risks by only issuing those with stronger security features.

The FCC has proposed rules for a labeling program that would make it easier to spot Internet of Things (IoT) devices meeting higher cybersecurity standards. Healthcare professionals should look for these labels. Voluntary standards — like the NISTIR 8259 series — can provide similar assurance where the FCC’s label isn’t available.

Medical organizations can also look for specific protections. All IoT endpoints should enable multifactor authentication (MFA) and encrypted communications. Without such features, attackers may be able to intercept sensitive patient information or easily hack into the device. 

2. Feature Restriction

While features like MFA and encryption are necessary, others pose additional risks. Healthcare businesses must learn to recognize the settings that may hinder patient privacy and deactivate them to keep IoT systems as secure as possible.

One of the most common of these features is the default to automatically connect to other devices. Such settings can make IoT management convenient, but they increase the network’s attack surface. Consequently, it’s safest to turn them off.

Medical professionals should also consider each device’s and user’s access permissions. It’s best to abide by the principle of least privilege, which holds that endpoints and people should only be able to access what they need. That may mean letting patient-end devices transmit health data but not retrieve anything from the provider’s side. Restrictions should follow HIPAA guidelines and any regional privacy regulations.
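The transmit-but-not-retrieve restriction described above can be expressed as a deny-by-default authorization check. This is an added example, not code from the original article; the role names, resource types and identifiers are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy: each role maps to the (action, resource_type) pairs it may perform.
# Anything not listed is denied. Role and resource names are assumptions.
POLICY = {
    "patient_device": {("write", "observation")},
    "nurse": {("read", "observation")},
    "physician": {("read", "observation"), ("read", "record"), ("write", "record")},
}


@dataclass(frozen=True)
class Principal:
    id: str
    role: str
    patient_ids: frozenset  # patients this device or user is bound to


@dataclass(frozen=True)
class Request:
    action: str
    resource_type: str
    patient_id: str


def is_allowed(principal, request):
    """Allow only if the role grants the action AND the principal is bound to that patient."""
    granted = POLICY.get(principal.role, set())  # unknown roles get no permissions
    if (request.action, request.resource_type) not in granted:
        return False
    return request.patient_id in principal.patient_ids


def audit(principal, requests):
    """Return (action, resource_type, patient_id, decision) tuples for an access review."""
    return [(r.action, r.resource_type, r.patient_id, is_allowed(principal, r))
            for r in requests]


if __name__ == "__main__":
    device = Principal("rpm-dev-0042", "patient_device", frozenset({"p-001"}))
    for row in audit(device, [
        Request("write", "observation", "p-001"),  # its own patient's readings
        Request("read", "observation", "p-001"),   # retrieval from the provider side
        Request("write", "observation", "p-002"),  # another patient's data
    ]):
        print(row)
```
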

3. AI Threat Detection

More sophisticated cybersecurity strategies may be necessary. The FBI has issued a warning about cybercriminals using artificial intelligence (AI) to increase their attacks in both scale and severity, but security teams can also benefit from this technology.

About 95% of cybersecurity professionals say AI-powered protections will improve their defenses. Of these, 57% pinpoint threat detection as the most impactful use case. AI monitoring technologies are also the most promising for remote patient devices.

Machine learning can analyze IoT device traffic to catch unauthorized access or unusual activity as soon as it arises. As a result, AI threat detection enables immediate responses to potential breaches. This timeliness prevents the worst outcomes in a security incident, ensuring patient data remains safe, even if a device’s built-in features fail to stop an attacker.
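As an added illustration of traffic-based detection (not code from the original article), the sketch below learns a per-device baseline and flags flows that go to a new destination or carry an unusual volume. It uses a simple robust statistic (median and median absolute deviation) as a stand-in for a trained model; the device IDs, hostnames and byte counts are constructed.

```python
from statistics import median

# Constructed baseline flows: (device_id, destination_host, bytes_sent) per reporting interval.
BASELINE = [
    ("bp-cuff-17", "ingest.example-clinic.test", 1180),
    ("bp-cuff-17", "ingest.example-clinic.test", 1210),
    ("bp-cuff-17", "ingest.example-clinic.test", 1195),
    ("bp-cuff-17", "ingest.example-clinic.test", 1225),
    ("bp-cuff-17", "ingest.example-clinic.test", 1200),
    ("bp-cuff-17", "ingest.example-clinic.test", 1190),
]


def build_profiles(flows):
    """Learn, per device, its known destinations and the median/MAD of bytes sent."""
    grouped = {}
    for device, dest, size in flows:
        entry = grouped.setdefault(device, {"dests": set(), "sizes": []})
        entry["dests"].add(dest)
        entry["sizes"].append(size)
    profiles = {}
    for device, entry in grouped.items():
        med = median(entry["sizes"])
        # Fall back to 1.0 so a perfectly constant baseline does not divide by zero.
        mad = median(abs(s - med) for s in entry["sizes"]) or 1.0
        profiles[device] = (entry["dests"], med, mad)
    return profiles


def score_flow(profiles, flow, threshold=6.0):
    """Return the alert reasons for one flow; an empty list means it matches the baseline."""
    device, dest, size = flow
    if device not in profiles:
        return ["unknown device"]
    dests, med, mad = profiles[device]
    reasons = []
    if dest not in dests:
        reasons.append("new destination")
    # 1.4826 scales the MAD so the score is comparable to a standard-deviation z-score.
    if abs(size - med) / (1.4826 * mad) > threshold:
        reasons.append("unusual volume")
    return reasons


if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    for flow in [("bp-cuff-17", "ingest.example-clinic.test", 1205),
                 ("bp-cuff-17", "ingest.example-clinic.test", 48000),
                 ("bp-cuff-17", "198.51.100.23", 1200)]:
        print(flow, score_flow(profiles, flow))
```
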

4. User Education

While technologies like AI threat detection are useful, medical organizations shouldn’t overlook operational concerns. Healthcare services must ensure all users — including doctors, nurses, technicians and the patients themselves — understand a few security best practices.

Most cybersecurity incidents involve human error in some capacity. In light of this risk, businesses should teach patients how to use their monitoring devices safely. Such use includes learning what features to use or turn off, how to contact doctors or IT support, and how to set up a strong, unique password.

Similarly, users on the provider side must learn why and how to use MFA and how to spot phishing attempts. Organizations can verify employees’ cyber-readiness by requiring them to pass security tests or perform phishing simulations. Regular refresher training is also ideal.

5. Cloud Platform Security

Remote patient monitoring strategies must also consider these devices’ complementary technologies. Healthcare organizations should secure the cloud platforms that host IoT devices or related patient data.

Cloud adoption is a prerequisite to reliable security here, but thankfully, 81% of healthcare executives report already using the cloud. Any organization that doesn’t must embrace it, as the cloud will make it easier to see data access patterns and secure IoT information as it moves.

Of course, the cloud is not a complete security solution on its own. All electronic health records should remain encrypted at rest and in transit. Healthcare businesses must also implement the same protections they do on the devices themselves — namely, restricting access permissions, requiring MFA and implementing real-time monitoring tools.

Remote Patient Monitoring Systems Need Reliable Security

Remote patient monitoring is a revolutionary technology. Its potential benefits are too impressive to ignore, but healthcare providers must also be aware of the security risks.

IoT devices are not inherently dangerous but require additional security to ensure patient privacy. These five strategies enable the level of protection medical organizations need to stay safe and compliant.


About Zac Amos

Zac Amos is the Features Editor at ReHack and a contributor at Medical Design Briefs, CyberTalk, and The Journal of mHealth, where he has spent years covering cybersecurity and AI in healthcare. For more of his work, follow him on Twitter or LinkedIn.