Is remote patient monitoring the new cybercrime target?

Find out why criminals are targeting patients at home, how criminals are trying to access hospital and health system RPM servers – and what CISOs and IT professionals should be doing to fight back.
By Bill Siwicki
01:26 PM

Milan Shah, chief technology officer at Biofourmis

Photo: Biofourmis

Healthcare organizations each faced an average of 109 cyberattacks per week last year, by far the most of any industry.

While hospitals and health systems may have well-honed cybersecurity protocols to prevent or mitigate such attacks, the growth of care-at-home technologies – including remote patient monitoring and hospital at home – has created another layer of concern.

Patients who are monitored or managed at home using a health system's technology likely do not have such strict safeguards in place. In this interconnected world, patients could spread ransomware or other types of malware to their providers.

Milan Shah is chief technology officer at Biofourmis, a Boston-based virtual care and digital therapeutics technology vendor. Healthcare IT News interviewed him to discuss why criminals are targeting patients at home, how criminals are trying to access hospital and health system servers through patients' homes, and what healthcare CISOs, CIOs, and other security and IT leaders should be doing to protect their patients and organizations from these kinds of breaches.

Shah also talks about the experiences of a close family member undergoing remote patient monitoring at home.

Q. Why are cybercriminals targeting patients at home?

A. Around the world, threat actors have recognized that due to COVID-19, more people have been connecting with their providers using a computer or mobile device. That care has been for short, appointment-based telehealth visits all the way to continuous, around-the-clock remote patient monitoring.

"Monitoring" could more accurately be updated to "management" due to the level of streaming data that can now be collected and analyzed to guide clinical decision-making.

Many patients are not as tech-savvy or as cybersecurity-aware as providers and staff in healthcare facilities – and they might be less vigilant against attacks if they are feeling sick, fatigued or in pain. Threat actors recognize this vulnerability, as well as the fact that RPM technology systems are accepting data traffic much more openly from the outside.

By hiding malicious code inside the flow of incoming data from patients – as we have seen is possible with vulnerabilities such as the Log4j flaw that was discovered in December – attackers hope to gain control of the rich data assets on those servers and exploit the deeper pockets of a health system through the ransomware attacks we see in the news.

While cyberattacks against consumers have been common since the advent of email, those specifically aimed at infiltrating and holding a health system's data and servers hostage through RPM technology are, at this point, quite rare. However, as adoption of virtual care continues to grow, expect the threat actors to shift their resources to these targets.

Q. How are they trying to access hospital and health system servers through patients' homes?

A. Cybercriminals have deeply developed tools, techniques and practices that they apply to nearly all of their victims, whether that is a government or e-commerce website or electronic health record system. So far, the techniques used to gain access to health system data assets through patients are not new.

For example, just like with clinicians in the hospital, an attacker may attempt to spread malware through a fraudulent email sent to the patient, hoping they will click on an attachment or link that will enable the attacker to gain control of the patient's device and then spread the software to the provider's systems.

This cybersecurity risk grows exponentially if the patient uses their home computer or personal mobile device for RPM. Such devices are adequate for short, periodic telehealth visits with providers.

Personal devices, however, do not offer patients or providers adequate protection from a data breach for RPM where active and passive data-collection is more frequent, if not continuous. Providers cannot secure, control and monitor a patient's personal device as they could with their own equipment.

Q. What should healthcare provider organization CISOs, CIOs, and other security and IT leaders be doing to protect their patients and organizations from these kinds of breaches?

A. Simply put, C-level health system leaders need to give remotely managed patients a health system-owned and secured "locked-down" mobile device to communicate and share data with providers.

Vendors that are well-versed in security can provide the devices as part of their engagement with the health system or hospital. The device may have Bluetooth and WiFi capabilities to exchange data wirelessly, but it is not able to download third-party apps or use a web browser that enables the patients to click on a potentially malicious link.

The patient would use the digital tablet to input data from their monitoring devices, such as wearables that track various vital signs and to conduct telehealth visits with providers in a hospital or clinic. The tablet may also enable the patient to access educational content such as videos and guides about their condition.

Other than this tightly focused set of capabilities, the tablet remains relatively unused – and thus largely invisible to threat actors.

Simplicity also can make the tablet easy to use, which is a must for adherence. Keep in mind, if RPM is utilized as part of an acute hospital-level care-at-home program or for post-acute recovery, then the patient will not want to figure out how to operate a complex device or piece of software.

Nor will the patient be inclined to comply with a multistep login procedure to verify their identity each time they want to use the device. Both device and RPM solution must require a minimal number of taps, with very little required navigation by the patient.

Some CIOs may be tempted to offer the patient a secure app for their personal mobile device to reduce upfront expense, but that strategy could end up costing their organization more in the long run. An app is acceptable for short telehealth visits, but health systems are unnecessarily exposing their data and systems to vulnerabilities if they are connected to a patient's largely unsecured personal device for an extended period of time.

Q. You have a close family member being managed in his home remotely via wearable biosensors and a patient-facing dashboard. How has this remote patient monitoring/cybersecurity issue hit home for you?

A. My close family member has heart failure and is now also battling stage 4 cancer. Simultaneously managing both of these serious health conditions means he has been hospitalized several times. After every admission, he returns home stable, but weaker.

Now that he is using RPM, however, I have witnessed first-hand how his providers can detect signs of decompensation and intervene before he needs to call an ambulance or visit the emergency department.

For example, if they notice from the remote data collection that his heart rate is dropping below his personalized baseline at certain times of the day, they can call or arrange a video visit, learn about what he was doing when this is occurring and adjust his medication based on all those factors.

On the other hand, if he visited his cardiologist about this low heart rate, it likely never would have gotten that low, because he was in the doctor's office and his vitals would be elevated due to the travel, exertion and anxiety. The physician would have had less information to support their decision.

The RPM system my family member uses at home is incredibly simple. He wears a biosensor around his arm all day that can collect more than 20 physiologic signals, including basic vitals such as heart rate, temperature and respiration rate, as well as data on his sleep position and his movements during his daily activities, such as climbing steps.

Each day he uses his tablet to answer a few questions about symptoms or his medications and has a telehealth visit with one or more of his providers.

The importance of user experience, however, was really driven home when he had severe nausea one day. In a few taps, he was able to talk face-to-face with a provider, who was able to make him more comfortable.

I could not imagine how much more difficult it would have been if my family member had to find the correct app, type in a password or perform some type of two-factor authentication. He might have given up and gone to the hospital.

There have been several occasions like this. In all, I would estimate he has avoided three or four hospital admissions because his providers have been able to intervene and stabilize him at home. Not only has his quality of life improved, but his conditions are better managed now than they were before RPM.

It is not solely due to the care model, of course, because there is an amazing new medication for his type of cancer that is working very well for him. Our family is very fortunate in that sense, but we are also thankful for the RPM that enables him to remain at home where he is most comfortable and able to rest.

Twitter: @SiwickiHealthIT
Email the writer: bsiwicki@himss.org
Healthcare IT News is a HIMSS Media publication.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.