Three Pillars For Secure Hospital-At-Home Care


Pulak De, Information Security & Risk Management Leader at Cardinal Health.


The Acute Hospital Care at Home (AHCAH) program from the Centers for Medicare & Medicaid Services (CMS) allows approved hospitals and healthcare organizations to deliver hospital-level care in patients’ homes.

As part of AHCAH, certified hospitals can offer services like in-home nursing, virtual doctor visits, continuous health monitoring with wearables and delivery of medicines and tests, while also providing transfers back to the hospital when needed.

With the program extended through September 2030, regional healthcare providers have a multiyear window to grow home-based care while also reducing hospital stays.

However, moving hospital-level care into people’s homes has created several security challenges: home Wi-Fi is often unsecured, internet connections can be unreliable, everyday personal smart devices share the same network, and many tools come from overseas vendors.

These factors have created cyber threats such as ransomware attacks through home devices, theft of sensitive protected health information (PHI) and risks to the safe storage of genetic data used in precision medicine. Meanwhile, rural clinics with limited or no information security teams are exposed to disruptions that could affect patient safety.

Through my experience implementing healthcare risk management strategies to improve hospital-at-home (HaH), remote patient monitoring (RPM), wearables and precision medicine programs, I've established a security framework based on three pillars: data interoperability, strong data governance and edge computing.

1. Data Interoperability: Securing Data Flow

As mentioned above, the flow of patient data from home-based systems to hospitals comes with several risks.

One important consideration is how to manage the data, and I recommend a hybrid approach using two standards: Health Level Seven (HL7) v2 for legacy internal systems, and Fast Healthcare Interoperability Resources (FHIR), as the main standard for connecting different devices and systems, for modern external connections.

Infrastructure can use these standards to convert data from wearables such as oxygen levels, glucose readings, heart rate and activity into a standard, easy-to-use format. This provides clear records for the measurements, details about the device and source tracking. Using standard medical codes can help ensure that all stakeholders can interpret the data the same way.

To complement these standards, secure the connection to the existing electronic health record (EHR), which can be achieved using SMART-on-FHIR tools with strong, limited-access security (such as OAuth 2.0 and mutual Transport Layer Security). Data flow will then need to be checked and controlled, which can be achieved using custom gateways.

With this model, clean and usable information can be moved into daily clinical work, precision medicine and HaH programs, reducing manual work and lowering security risk.
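The conversion and gateway steps described above, as an added example that is not code from the original article or from any vendor's product: a raw wearable reading is mapped to a FHIR R4 Observation that carries a standard code, the patient reference and the source device, and a gateway function then checks each Observation against an allowlist of registered devices, known codes, units, timestamps and physiologically plausible ranges before it is forwarded to the EHR. The vendor reading format, the device allowlist and the sample reading are constructed; the LOINC codes and UCUM units are my assumption of the standard codes for these vitals and should be verified against the current LOINC table.

```python
"""Wearable reading -> FHIR Observation, plus gateway policy checks.
Example code, not from the original article."""
import datetime as dt

# Allowed measurement types: LOINC code (assumed), UCUM unit, plausible range.
MEASUREMENTS = {
    "spo2": {"loinc": "59408-5", "display": "Oxygen saturation in Arterial blood by Pulse oximetry",
             "unit": "%", "range": (50, 100)},
    "heart_rate": {"loinc": "8867-4", "display": "Heart rate", "unit": "/min", "range": (20, 250)},
    "glucose": {"loinc": "2339-0", "display": "Glucose [Mass/volume] in Blood", "unit": "mg/dL", "range": (20, 600)},
}
ALLOWED_DEVICES = {"dev-oximeter-001", "dev-cgm-017"}   # constructed device registry

def to_fhir_observation(reading: dict) -> dict:
    """Map a raw reading (constructed vendor format) to a FHIR R4 Observation."""
    spec = MEASUREMENTS[reading["kind"]]
    return {
        "resourceType": "Observation",
        "status": "final",
        "code": {"coding": [{"system": "http://loinc.org", "code": spec["loinc"], "display": spec["display"]}]},
        "subject": {"reference": f"Patient/{reading['patient_id']}"},
        "device": {"reference": f"Device/{reading['device_id']}"},   # source tracking
        "effectiveDateTime": reading["timestamp"],
        "valueQuantity": {"value": reading["value"], "unit": spec["unit"],
                          "system": "http://unitsofmeasure.org", "code": spec["unit"]},
    }

def gateway_check(obs: dict, now: dt.datetime) -> list:
    """Return the list of policy violations; an empty list means the Observation may pass."""
    problems = []
    if obs.get("resourceType") != "Observation":
        return ["not an Observation"]
    coding = (obs.get("code") or {}).get("coding") or []
    code = coding[0].get("code") if coding else None
    spec = next((s for s in MEASUREMENTS.values() if s["loinc"] == code), None)
    if spec is None:
        problems.append(f"unknown or missing code {code!r}")
    dev_ref = (obs.get("device") or {}).get("reference", "")
    if not dev_ref.startswith("Device/") or dev_ref.split("/", 1)[1] not in ALLOWED_DEVICES:
        problems.append("device not registered")
    if not (obs.get("subject") or {}).get("reference", "").startswith("Patient/"):
        problems.append("missing patient reference")
    try:
        ts = dt.datetime.fromisoformat(obs.get("effectiveDateTime", ""))
        if ts.tzinfo is None:
            problems.append("timestamp lacks timezone")
        elif ts > now + dt.timedelta(minutes=5):
            problems.append("timestamp in the future")
    except ValueError:
        problems.append("bad timestamp")
    vq = obs.get("valueQuantity") or {}
    if spec is not None:
        lo, hi = spec["range"]
        value = vq.get("value")
        if not isinstance(value, (int, float)) or not lo <= value <= hi:
            problems.append("value missing or outside plausible range")
        if vq.get("code") != spec["unit"]:
            problems.append("unexpected unit")
    return problems

# Constructed sample reading and clock.
SAMPLE_READING = {"kind": "spo2", "patient_id": "p-1234", "device_id": "dev-oximeter-001",
                  "timestamp": "2025-03-01T08:15:00+00:00", "value": 96}
NOW = dt.datetime(2025, 3, 1, 8, 16, tzinfo=dt.timezone.utc)

if __name__ == "__main__":
    obs = to_fhir_observation(SAMPLE_READING)
    print(gateway_check(obs, NOW))
    print(gateway_check(to_fhir_observation({**SAMPLE_READING, "device_id": "dev-unknown", "value": 120}), NOW))
```

The gateway returns every violation rather than stopping at the first, so a rejected message can be logged with the full reason set; in a deployment the allowlist and ranges would be loaded from the device registry and clinical configuration rather than hard-coded.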

2. Data Governance: Protecting Patient Information

The continuous collection of PHI from home-based wearables and HaH sensors increases risks of unauthorized access, insider threats and regulatory violations.

A crucial factor for securing PHI is enabling secure de-identified analytics for population health and precision medicine research.

Creating a cross-functional data governance council can give every department a voice in this process. Likewise, a zero-trust security model means that no one gets access by default and that every request is verified with standard identity security controls like role-based access controls (RBAC), multifactor authentication (MFA) and just-in-time (JIT) permissions.

To complement these techniques, data masking and tokenization can hide sensitive details and maintain complete audit records for compliance. Consent tools can also give patients more privacy control to increase their trust and willingness to use wearables.

Additional protections such as collaborative learning and regular security checks on RPM devices are important strategies for defending against phishing, ransomware and vendor risks, while still allowing safe research use of the data.
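The zero-trust access decision, the de-identification step and the audit trail described in this section, as an added example that is not code from the original article: every record request is checked against role permissions plus any unexpired JIT grant, a requester without a PHI permission receives a de-identified view (direct identifiers dropped, patient identifier replaced by a keyed pseudonym, date of birth generalized to an age band), and each decision is appended to an audit log. The role names, field names, grant structure, key and sample record are constructed; keyed HMAC pseudonymization stands in for whatever tokenization service an organization actually runs.

```python
"""RBAC + JIT authorization, de-identification and audit for PHI records.
Example code, not from the original article."""
import datetime as dt
import hashlib
import hmac

ROLE_PERMISSIONS = {                 # constructed baseline RBAC
    "nurse": {"read_phi"},
    "analyst": {"read_deidentified"},
}
DIRECT_IDENTIFIERS = {"name", "address", "phone", "email"}

def effective_permissions(user: dict, jit_grants: list, now: dt.datetime) -> set:
    """Role permissions plus any JIT grant for this user that has not yet expired."""
    perms = set(ROLE_PERMISSIONS.get(user["role"], set()))
    for grant in jit_grants:
        if grant["user"] == user["id"] and grant["expires"] > now:
            perms.add(grant["permission"])
    return perms

def pseudonymize(patient_id: str, key: bytes) -> str:
    """Deterministic keyed token: same patient -> same token; not reversible without the key."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]

def age_band(birth_date: str, now: dt.datetime) -> str:
    """Generalize a YYYY-MM-DD birth date to a ten-year band (year arithmetic only)."""
    age = now.year - int(birth_date[:4])
    if age >= 90:
        return "90+"           # ages over 89 are pooled, as HIPAA Safe Harbor requires
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"

def deidentify(record: dict, key: bytes, now: dt.datetime) -> dict:
    """Drop direct identifiers, tokenize the patient id, generalize the birth date."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["patient_id"] = pseudonymize(record["patient_id"], key)
    out["age_band"] = age_band(out.pop("birth_date"), now)
    return out

def serve_record(user: dict, record: dict, key: bytes, jit_grants: list,
                 now: dt.datetime, audit: list) -> dict:
    """No implicit access: decide per request, record the decision, then return the view."""
    perms = effective_permissions(user, jit_grants, now)
    if "read_phi" in perms:
        view, result = "phi", dict(record)
    elif "read_deidentified" in perms:
        view, result = "deidentified", deidentify(record, key, now)
    else:
        view, result = "denied", None
    audit.append({"time": now.isoformat(), "user": user["id"], "role": user["role"],
                  "patient": record["patient_id"], "view": view})
    if result is None:
        raise PermissionError(f"{user['id']} may not read patient records")
    return result

# Constructed sample data; the key would live in a secrets vault in practice.
KEY = b"example-key-keep-in-a-vault"
RECORD = {"patient_id": "p-1234", "name": "Jane Doe", "address": "1 Example St",
          "birth_date": "1948-06-02", "spo2": 96}
NOW = dt.datetime(2025, 3, 1, tzinfo=dt.timezone.utc)
ANALYST = {"id": "u-analyst", "role": "analyst"}
JIT = [{"user": "u-analyst", "permission": "read_phi", "expires": NOW + dt.timedelta(hours=1)}]

if __name__ == "__main__":
    log = []
    print(serve_record(ANALYST, RECORD, KEY, JIT, NOW, log))                       # full record, grant active
    print(serve_record(ANALYST, RECORD, KEY, JIT, NOW + dt.timedelta(hours=2), log))  # de-identified, grant expired
    print(log)
```

The JIT grant is checked at request time rather than when it is issued, so an expired grant silently falls back to the baseline role, and the audit entry is written before the permission error is raised, so denied requests are recorded too.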

3. Edge Computing: Processing Data Closer To The Patient

In rural areas with legacy internet systems, sending data to the cloud can cause delays and increase exposure.

Edge computing can be a valuable resource here, as it allows processing to occur on the wearable or home internet gateway. The device itself can detect problems and send only important summaries to the main system.

This approach can give near-instant alerts for patient safety, reduce the amount of data traveling over the internet (lowering data breach risk) and keep the system working even when the internet is disrupted.

With edge computing, however, it's important to protect these local devices with strong encryption, secure startup processes and automatic removal of old data.
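The edge behaviour described above, as an added example that is not code from the original article: a small processor running on the home gateway evaluates each reading locally, raises an alert message immediately when a rule fires, forwards only per-window summaries instead of every raw reading, queues outgoing messages while the uplink is down and releases them when it returns, and purges raw readings past their retention period. The alert thresholds, window length, retention period and sample readings are constructed; encryption of the local store and secure boot are out of scope for this snippet.

```python
"""Edge processing on a home gateway: local alerting, summarization,
store-and-forward and retention purge. Example code, not from the article."""
from __future__ import annotations
from collections import deque
from dataclasses import dataclass, field
import datetime as dt
import statistics

# Constructed alert rules; clinical thresholds come from the care team in practice.
ALERT_RULES = {"spo2": lambda v: v < 90, "heart_rate": lambda v: v < 40 or v > 130}

@dataclass
class EdgeProcessor:
    window: dt.timedelta = dt.timedelta(minutes=15)
    retention: dt.timedelta = dt.timedelta(hours=24)
    raw: list = field(default_factory=list)        # local readings: (kind, ts, value)
    outbox: deque = field(default_factory=deque)   # messages waiting for the uplink
    window_start: dt.datetime | None = None

    def ingest(self, kind: str, ts: dt.datetime, value: float) -> dict | None:
        """Store the reading locally; return an alert message if a rule fires."""
        self.raw.append((kind, ts, value))
        if self.window_start is None:
            self.window_start = ts
        alert = None
        if kind in ALERT_RULES and ALERT_RULES[kind](value):
            alert = {"type": "alert", "kind": kind, "value": value, "time": ts.isoformat()}
            self.outbox.append(alert)          # alerts go out as soon as the uplink allows
        if ts - self.window_start >= self.window:
            self.close_window(ts)
        return alert

    def close_window(self, end: dt.datetime) -> None:
        """Queue one compact summary per measurement kind for the window [start, end)."""
        start = self.window_start
        in_window = [r for r in self.raw if start <= r[1] < end]
        for kind in sorted({r[0] for r in in_window}):
            vals = [r[2] for r in in_window if r[0] == kind]
            self.outbox.append({"type": "summary", "kind": kind, "start": start.isoformat(),
                                "end": end.isoformat(), "n": len(vals), "min": min(vals),
                                "max": max(vals), "mean": round(statistics.fmean(vals), 1)})
        self.window_start = end

    def flush(self, uplink_ok: bool) -> list:
        """Release queued messages when the uplink is up; keep them locally otherwise."""
        if not uplink_ok:
            return []
        sent = list(self.outbox)
        self.outbox.clear()
        return sent

    def purge(self, now: dt.datetime) -> int:
        """Drop raw readings older than the retention period; return how many were removed."""
        before = len(self.raw)
        self.raw = [r for r in self.raw if now - r[1] < self.retention]
        return before - len(self.raw)

# Constructed sample session: SpO2 every few minutes, one dip, uplink down then up.
T0 = dt.datetime(2025, 3, 1, 8, 0, tzinfo=dt.timezone.utc)
SAMPLE = [(0, 96), (5, 95), (10, 97), (12, 84), (15, 96)]   # (minutes after T0, SpO2 %)

def run_sample() -> tuple:
    """Replay the sample; return (alerts, held_while_offline, sent_when_online, purged)."""
    edge = EdgeProcessor()
    alerts = [a for m, v in SAMPLE for a in [edge.ingest("spo2", T0 + dt.timedelta(minutes=m), v)] if a]
    held = edge.flush(uplink_ok=False)
    sent = edge.flush(uplink_ok=True)
    purged = edge.purge(T0 + dt.timedelta(hours=30))
    return alerts, held, sent, purged

if __name__ == "__main__":
    for item in run_sample():
        print(item)
```

Only the alert and the window summary cross the internet; the individual readings never leave the gateway, and the purge keeps the local store bounded so a lost or stolen device holds at most one retention period of data.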

Implementation Considerations

To implement these three strategies, IT leaders will need to collaborate closely with clinical and compliance teams on developing a step-by-step rollout.

Start with a full risk assessment and cyber threat modeling before running a small pilot. Then deploy the full system for one use case before scaling across the organization. By seeing problems early, organizations have a better chance of reducing cybersecurity risks, especially from connected devices.

Along the way, teams will need to continue to monitor with annual risk assessments, continuous monitoring via SIEM, patch management, incident response drills and quarterly reviews. For management and ownership, define clear accountability through a cross-functional data governance council involving all of the stakeholders.

Finally, training should be role-based and ongoing. Clinicians need education on phishing awareness, patient consent and standard procedures. IT and security teams should receive specialized training on the Internet of Medical Things (IoMT) and zero-trust architectures. Patients and caregivers should receive guidance on home device safety best practices.

Implementing this security framework allows health systems to scale hospital-at-home models across both urban and rural environments to free up hospital beds, cut costs and deliver better care to patients.

By blending FHIR interoperability, zero-trust governance and edge computing, healthcare organizations can transform regulatory mandates into strategic advantages while protecting patient data and making home healthcare reliable.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
