
Securing 'Care at Home': Defending the Attack Surface of Remote Patient Monitoring

Security Arsenal Team
May 13, 2026
4 min read

Introduction

The MidAtlantic Permanente Medical Group (MAPMG) serves over 750,000 members across Maryland, Virginia, and Washington, D.C. Its recent initiative to expand "Care at Home" represents a significant shift in healthcare delivery, moving acute and chronic care management from controlled medical centers into patient residences. While this can improve patient outcomes, it dissolves the traditional clinical perimeter. For defenders, the challenge is securing Protected Health Information (PHI) and clinical workflows across thousands of home networks that the organization neither manages nor can inspect. Without a Zero Trust architecture designed for decentralized care, the expansion exposes the organization to interception of data in transit, compromise of devices it does not control, and lateral movement from the home edge into the core Electronic Health Record (EHR) system.

Technical Analysis

This initiative is not a vulnerability in a single product, but a systemic expansion of the attack surface involving several technical vectors. As care moves home, the security perimeter expands to include Internet of Medical Things (IoMT) devices, clinician workstations on residential Wi-Fi, and remote access protocols.

Affected Components and Vectors

  • Remote Patient Monitoring (RPM) Devices: Connected medical devices (pulse oximeters, cardiac monitors) transmitting data to cloud or on-premise aggregators. These often run legacy firmware, ship with default credentials, or lack transport encryption or certificate validation, so an attacker on the same home network (or operating a rogue Wi-Fi hotspot) can intercept or alter readings in a Man-in-the-Middle (MitM) attack.
  • Clinician Access Points: Laptops and tablets used by providers to access EHRs (e.g., Epic, Cerner) from residential networks. Because these endpoints leave the managed network, the risk shifts from insider credential theft to credential harvesting by malware on the laptop (keyloggers), phishing, or malicious Wi-Fi hotspots.
  • Data Transmission Protocols: The shift to HL7 FHIR and API-based data exchange over the public internet exposes these interfaces directly to the internet. They need mutual TLS (mTLS) on the device and aggregator connections and OAuth 2.0 (the SMART on FHIR profiles) for application access, with scopes limited to the resources each client actually needs to read or write.
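The OAuth 2.0 half of that protection, as it would look at a FHIR ingest gateway, is shown below in Python. This is an added example for this article, not code from MAPMG or any FHIR vendor: it verifies a bearer token's algorithm, signature, issuer, audience and expiry, checks a SMART-style system scope before accepting a POST of an Observation, and binds the write to the device the token was issued to. The issuer and audience URLs, the HS256 shared secret (a production gateway would verify RS256/ES256 signatures against the authorization server's published JWKS) and the convention that the token subject equals the FHIR Device id are assumptions made for the example; the TLS/mTLS layer is assumed to have terminated before this code runs.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumptions for this example (not MAPMG's configuration): a shared HMAC key
# between the authorization server and the FHIR ingest gateway, and the gateway's
# own identifier as the expected audience. Production gateways should verify
# RS256/ES256 signatures against the authorization server's published JWKS.
GATEWAY_SECRET = b"example-shared-secret-replace-me"
EXPECTED_ISSUER = "https://auth.example.org"
EXPECTED_AUDIENCE = "https://fhir.example.org/rpm-ingest"


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims, secret=GATEWAY_SECRET):
    """Issue an HS256 JWT so the example runs offline (stands in for the AS)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_token(token, now=None, secret=GATEWAY_SECRET):
    """Return the claims of a valid token; raise ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose ('alg': 'none' attacks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims


def scope_allows(scope_str, resource_type, action):
    """SMART-style system scopes, e.g. 'system/Observation.write' or 'system/*.read'."""
    for s in scope_str.split():
        if not s.startswith("system/"):
            continue
        res, _, perm = s[len("system/"):].partition(".")
        if res in (resource_type, "*") and perm in (action, "*"):
            return True
    return False


def authorize_observation_write(auth_header, observation, now=None):
    """Gate a POST /Observation from an RPM aggregator. Returns (allowed, reason)."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return False, "missing bearer token"
    try:
        claims = verify_token(auth_header[len("Bearer "):], now=now)
    except ValueError as e:
        return False, f"token rejected: {e}"
    if not scope_allows(claims.get("scope", ""), "Observation", "write"):
        return False, "scope does not permit Observation.write"
    if observation.get("resourceType") != "Observation":
        return False, "body is not an Observation"
    # Assumed convention: the token subject is the FHIR Device id of the sender,
    # so a compromised aggregator cannot submit readings as another device.
    device_ref = observation.get("device", {}).get("reference", "")
    if device_ref != f"Device/{claims.get('sub')}":
        return False, f"device {device_ref!r} does not match token subject"
    return True, f"accepted from {claims['sub']}"
```

The gateway rejects a read-only scope, an expired token, a body spliced onto another token's signature, and a token whose header claims a different algorithm; each rejection carries a reason that can be logged to the SOC without echoing the token itself.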

Exploitation Risk

  • Lateral Movement: A compromised clinician laptop on a home network becomes a pivot point. If that device holds a full-tunnel VPN session into the MAPMG core network, the attacker inherits a route from the untrusted home environment into the trusted clinical data center.
  • IoMT Botnets: RPM devices with default or weak credentials are the class of device routinely recruited into Mirai-style botnets, which can launch DDoS attacks against hospital infrastructure. A compromised device in a patient's home is also a durable foothold: it holds valid credentials for the medical gateway, is rarely inspected, and can be used to persist within the medical group's digital ecosystem.

Executive Takeaways

Since this is a strategic expansion rather than a specific CVE, defensive priorities shift from patching a single product toward architecture and visibility.

  1. Implement Zero Trust Network Access (ZTNA): Retire traditional VPNs for clinicians accessing EHR systems. Move to a ZTNA model that verifies identity (MFA), device posture (CrowdStrike/Microsoft Defender compliance), and context (location/time) before granting access to specific applications, not the entire network.

  2. Enforce Strict ePHI Encryption in Transit: Ensure all data from RPM devices to clinical repositories is encrypted with TLS 1.3, or TLS 1.2 with modern cipher suites where device firmware cannot negotiate 1.3, and that devices validate the gateway certificate rather than accepting any certificate presented to them. Disable legacy protocols (SSLv3, TLS 1.0/1.1) on the ingest gateways and block unencrypted HTTP/FTP between the known IP ranges of RPM vendors and the clinical network.

  3. Segment IoMT Traffic: Treat the "Care at Home" network as an untrusted zone. Use Network Access Control (NAC) policies and micro-segmentation to place connected medical devices, and the hubs or gateways they report through, into isolated VLANs or micro-segments that can reach only the necessary medical ingest gateways, so a compromised device cannot move laterally to administrative servers or the EHR.

  4. Extend DLP to the Edge: Deploy Data Loss Prevention (DLP) agents on clinician workstations that monitor for clipboard copy/paste or unauthorized uploads of PHI to personal cloud storage (e.g., personal Google Drive, Dropbox) while connected to home networks.

  5. Continuous Asset Discovery: You cannot defend what you cannot see. Implement automated discovery tools to profile every RPM device connecting to the network. Monitor for firmware anomalies and unauthorized devices attempting to connect to medical gateways.
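The checks in takeaways 2 and 5 can be run as detection logic over the medical gateway's connection logs. The Python below is an added example written for this article, not MAPMG's or any vendor's tooling; the log format, serial numbers, MAC OUIs and firmware baselines are constructed. It flags devices absent from the inventory, MAC prefixes that do not match the expected vendor (a spoofed serial), firmware below the approved minimum, and sessions that arrived over plaintext or a legacy TLS version.

```python
import re

# Constructed baseline inventory: serial -> expected vendor MAC OUI and minimum
# approved firmware. Serials and OUIs are made up for this example.
INVENTORY = {
    "SN-PO-0042": {"oui": "00:1B:DE", "min_fw": "3.4.1"},   # pulse oximeter
    "SN-CM-0107": {"oui": "A4:C3:F0", "min_fw": "2.0.0"},   # cardiac monitor
}
ALLOWED_TLS = {"TLSv1.2", "TLSv1.3"}

# Constructed gateway connection log format, one line per device session.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) conn src=(?P<src>\S+) mac=(?P<mac>\S+) dev=(?P<dev>\S+) "
    r"fw=(?P<fw>\S+) proto=(?P<proto>\S+)(?: tls=(?P<tls>\S+))?$"
)

SAMPLE_LOG = """\
2026-05-12T08:01:02Z conn src=10.20.1.14 mac=00:1B:DE:AA:01:22 dev=SN-PO-0042 fw=3.4.1 proto=https tls=TLSv1.3
2026-05-12T08:03:17Z conn src=10.20.1.15 mac=A4:C3:F0:10:20:30 dev=SN-CM-0107 fw=1.9.2 proto=https tls=TLSv1.0
2026-05-12T08:05:44Z conn src=10.20.1.16 mac=DC:A6:32:55:66:77 dev=SN-CM-0107 fw=2.0.0 proto=https tls=TLSv1.2
2026-05-12T08:07:09Z conn src=10.20.1.17 mac=00:1B:DE:AA:01:23 dev=SN-PO-0099 fw=3.4.1 proto=http
"""


def version_tuple(v):
    """'3.4.1' -> (3, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


def audit_line(line, inventory=INVENTORY):
    """Return a list of (serial, finding) for one gateway log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return [("?", f"unparseable line: {line.strip()[:40]}")]
    f = m.groupdict()
    dev, findings = f["dev"], []
    known = inventory.get(dev)
    if known is None:
        findings.append((dev, "unknown device: not in RPM inventory"))
    else:
        # The first three octets of the MAC are the vendor OUI; a serial claiming
        # to be vendor A but arriving from vendor B hardware is a spoofed device.
        if f["mac"].upper()[:8] != known["oui"].upper():
            findings.append((dev, f"OUI mismatch: MAC {f['mac']} is not from the expected "
                                  f"vendor prefix {known['oui']} (possible serial spoofing)"))
        if version_tuple(f["fw"]) < version_tuple(known["min_fw"]):
            findings.append((dev, f"firmware {f['fw']} below approved minimum {known['min_fw']}"))
    if f["proto"] != "https":
        findings.append((dev, f"plaintext transport: {f['proto']}"))
    elif f["tls"] not in ALLOWED_TLS:
        findings.append((dev, f"TLS version {f['tls'] or 'not recorded'} not allowed"))
    return findings


def audit_gateway_log(log_text, inventory=INVENTORY):
    """Run audit_line over every non-empty line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            findings.extend(audit_line(line, inventory))
    return findings


if __name__ == "__main__":
    for serial, finding in audit_gateway_log(SAMPLE_LOG):
        print(f"{serial}: {finding}")
```

On the constructed sample the compliant oximeter produces nothing, the cardiac monitor is reported twice (old firmware and TLS 1.0), a second session claiming the same cardiac-monitor serial from foreign hardware is reported as an OUI mismatch, and the unlisted oximeter is reported both as unknown and for connecting over plain HTTP.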

Remediation

To secure the "Care at Home" initiative, Security Arsenal recommends the following specific defensive actions:

  • Hardening Remote Access:

    • Enforce phishing-resistant MFA (FIDO2/WebAuthn) for all remote clinical access.
    • Require Endpoint Detection and Response (EDR) agents to be active and reporting on clinician laptops before allowing VPN/ZTNA connection.
  • Securing IoMT & RPM:

    • Conduct a comprehensive inventory of all RPM vendors and the default credentials their devices ship with. Force a change of default passwords at provisioning, before the device is sent to a patient's home.
    • Patch RPM firmware regularly. Establish a maintenance window in which devices must sync to receive security updates, and report devices that miss it so they can be retrieved or replaced.
  • Network Configuration:

    • Configure next-generation firewalls to inspect TLS traffic (SSL/TLS inspection) from remote endpoints into the clinical network to detect malicious payloads hidden in encrypted tunnels. Scope the inspection policy deliberately: exclude applications that pin certificates and would break, and document where decrypted PHI is handled so that the inspection point does not itself become an unmanaged PHI store.
    • Implement Geo-fencing to block access attempts from regions where MAPMG does not operate or have traveling staff.
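Takeaway 1 and the remote-access hardening above describe one decision: per application, default deny, granted only when identity, device posture and context all check out. The Python below is an added example of that decision logic (not MAPMG's policy or any ZTNA product's code): phishing-resistant MFA for the EHR, a fresh EDR heartbeat, disk encryption, and a geo-fence with an approved-travel exception. The application names, thresholds, usernames, countries and the fixed clock are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical per-application policy. Application names and thresholds are
# assumptions for this example, not MAPMG's configuration or any vendor's.
APP_POLICY = {
    # Direct EHR access: phishing-resistant MFA only, EDR heartbeat within 10 min,
    # full-disk encryption required.
    "ehr": {"mfa": {"fido2"}, "edr_max_age": timedelta(minutes=10), "disk_encrypted": True},
    # Lower-risk scheduling portal: TOTP acceptable, looser EDR freshness.
    "scheduling": {"mfa": {"fido2", "totp"}, "edr_max_age": timedelta(hours=1), "disk_encrypted": False},
}
ALLOWED_COUNTRIES = {"US"}                   # geo-fence for normal operations
APPROVED_TRAVEL = {("clinician.lee", "CA")}  # (user, country) exceptions, constructed

NOW = datetime(2026, 5, 13, 9, 0, tzinfo=timezone.utc)  # fixed clock for the example


@dataclass
class AccessRequest:
    user: str
    app: str
    mfa_method: str          # "fido2", "totp", "sms" or "none"
    edr_last_seen: datetime  # last heartbeat the EDR console has for this device
    disk_encrypted: bool
    country: str             # from geo-IP of the connecting address
    now: datetime


def make_request(user="clinician.ortiz", app="ehr", mfa_method="fido2",
                 edr_age_minutes=2, disk_encrypted=True, country="US", now=NOW):
    """Build a request with compliant defaults; override fields to simulate failures."""
    return AccessRequest(user, app, mfa_method, now - timedelta(minutes=edr_age_minutes),
                         disk_encrypted, country, now)


def evaluate(req):
    """Default-deny ZTNA decision for one application. Returns (allow, reasons)."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, [f"unknown application {req.app!r}"]
    reasons = []
    if req.mfa_method not in policy["mfa"]:
        reasons.append(f"mfa '{req.mfa_method}' not accepted for {req.app}; "
                       f"need one of {sorted(policy['mfa'])}")
    age = req.now - req.edr_last_seen
    if age > policy["edr_max_age"]:
        reasons.append(f"EDR heartbeat stale ({age}); device may be offline or the agent tampered with")
    if policy["disk_encrypted"] and not req.disk_encrypted:
        reasons.append("disk encryption not reported")
    if req.country not in ALLOWED_COUNTRIES and (req.user, req.country) not in APPROVED_TRAVEL:
        reasons.append(f"geo-fence: {req.country} not permitted for {req.user}")
    # Every check must pass, and the grant is for this one application only,
    # never for the network.
    return not reasons, reasons


if __name__ == "__main__":
    for label, req in [
        ("compliant clinician", make_request()),
        ("SMS MFA, stale EDR", make_request(mfa_method="sms", edr_age_minutes=45)),
        ("approved travel", make_request(user="clinician.lee", country="CA")),
        ("unapproved country", make_request(country="BR")),
    ]:
        allow, reasons = evaluate(req)
        print(f"{label}: {'ALLOW' if allow else 'DENY'} {reasons}")
```

Every denial returns all failing reasons rather than the first one, which is what the SOC needs to distinguish a clinician who simply forgot a security key from a laptop whose EDR agent has gone silent.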
