TLS is at application level. It runs over TCP, not below it.
There are lots of examples of TLS out there, and it will depend on what language or framework you are using. If you are skilled enough to develop an application that sends monitoring data to a remote unit, TLS will be trivial.
Basically, you will need:
TLS Server running on the monitoring unit, or on a relay server
TLS Client running on the tablet device
A trusted certificate on the monitoring server, or the relay server
You only have to decide if you are going to use public CA-issued certificate, internal CA-issued certificate, or self-signed certificate, in decreasing price and protection order.
Public CA-issued certificates are the most secure. That's the kind of certificate your bank uses. They usually expire in 1-2 years, so forgetting to renew them will create availability issues.
Private CA-issued certificates are free, but you have to install a CA certificate on the clients, and not everyone will like this. The reason is because a certificate issued from this CA have the same trust as a public one, and if someone compromises this internal CA private key, they can impersonate any site.
Self-signed certificates can be very secure, or completely insecure, depending on how you deploy them. If you issue a self-signed certificate and use public key pinning on the application, it's a very secure solution. An attacker would have a difficult time sniffing the traffic and having the data in the clear.
But just issuing a self-signed certificate and installing on the server is not secure at all. Any attacker that is MitM position could just issue a certificate with the same fields, decrypt data in one side and re-encrypt with his own certificate, and the client would probably click on the "Insecure Connection" warning anyway.
Storing the private key is the main issue you will face. You could just store it on the monitoring unit file system, and if someone gets the key, they could decrypt any data coming from it. If every single monitoring unit uses the same key, one leaked key means no unit is safe anymore.
That's why using a relay server is optimal: you would use a TLS client on the monitoring unit and send it all data. TLS Server would run centralized, on this server, and it would relay the data to any tablet you have.