NIST guide aims to protect patient information on mobile devices

The National Institute of Standards and Technology's National Cybersecurity Center of Excellence (NCCoE) has published a new guide to help healthcare providers make mobile devices that use or contain patient electronic health data more secure.

The guide, released July 23 as a draft, is a step-by-step reference that uses commercially available and open source tools and technologies in a layered security strategy. The guide:

  • Maps security characteristics to standards and best practices from NIST and other standards organizations, and to the HIPAA Security Rule
  • Provides a detailed architecture and capabilities that address security controls
  • Facilitates ease of use through automated configuration of security controls
  • Addresses the need for different types of implementation, whether in-house or outsourced
  • Provides a how-to for implementers and security engineers seeking to recreate NCCoE's reference design

It also recommends that providers assess their own risk of attack before adopting the reference design, rather than treating the guide as a one-size-fits-all solution.

The security of electronic patient information is a pressing problem, especially given the many recent data breaches suffered by providers, health plans and others. Cloud EHR vendor Medical Informatics Engineering (MIE), for example, suffered a cyberattack earlier this year that exposed the electronic medical records of some of its clients' patients.

NCCoE acknowledges that providers frequently use mobile devices to access their electronic health record systems, and points out that, if not protected, patient information collected, stored, processed and transmitted on those devices is "especially vulnerable" to cyberattack.

"Stolen personal information can have negative financial impacts, but stolen medical information cuts to the very core of personal privacy," NCCoE warns. "Medical identity theft already costs billions of dollars each year, and altered medical information can put a person's health at risk through misdiagnosis, delayed treatment or incorrect prescriptions. Yet, the use of mobile devices to store, access, and transmit electronic healthcare records is outpacing the privacy and security protections on those devices."

The guide is the first in a planned series of NCCoE publications on improving cybersecurity with standards-based, commercially available or open source tools. Public comments on this draft are due by Sept. 25.
