Providers, pay heed to NIST's mobile device security guide

The National Institute of Standards and Technology's new draft guide to help providers keep patient data on mobile devices secure is a treasure trove of very detailed, practical information.

The five-volume guide, released by NIST's National Cybersecurity Center of Excellence (NCCoE), is a step-by-step tool that:

  • Maps security characteristics to standards and best practices from NIST and other standards organizations, and to the HIPAA Security Rule
  • Provides a detailed architecture and capabilities that address security controls
  • Facilitates ease of use through automated configuration of security controls
  • Addresses the need for different types of implementation, whether in-house or outsourced
  • Provides a how-to for implementers and security engineers seeking to recreate NCCoE's reference design

NCCoE actually created a laboratory environment built around the scenario of a hypothetical primary care physician using a mobile device in various ways, each of which involves interaction with the physician's electronic health record, such as referencing lab results. The guide acknowledges that there has been 125 percent growth in the number of intentional cyberattacks on healthcare organizations over a five-year period, and that mobile devices are "especially vulnerable" to such attacks.

"[W]e show how healthcare providers, using open-source and commercially available tools and technologies that are consistent with cybersecurity standards and best practices, can more securely share electronic health records among caregivers who use mobile devices," NCCoE states. "We use a layered security strategy to achieve these improvements in protection of health information. Using the guide, your organization is encouraged to adopt the same approach. Commercial and open-source standards-based products, like the ones we used, are available and interoperable with existing information technology infrastructure and investments."

This sounds like a wonderful, comprehensive resource.

And according to the latest Black Book report, more than half of physicians in ambulatory practices already access patient records and/or reference data from a mobile device; 70 percent of all clinicians indicated that they aim to use a mobile EHR device and software by the end of 2015. That number is sure to grow in 2016.

However, I'm worried that NIST's guidance won't trickle down to the clinician community.

For one, the NIST guide is not aimed at the provider community. The intended audience is CIOs, chief information security officers and security managers. But many smaller providers, including the physicians using the mobile devices, don't have in-house IT personnel to rely on. The physicians may not even hear about the NIST guide.

Moreover, many physicians still don't take steps to protect their patients' electronic data. At least one survey earlier this year found that only one-third of them had even performed a security risk assessment of their electronic patient information, even though it has been a HIPAA requirement for 12 years, as well as a requirement of the Meaningful Use program.

Even if physicians wished to implement the guide, they may be put off by its highly technical language.

NIST is requesting feedback by Sept. 25. I suggest that stakeholders review the guide and provide comments.

Providers, take the guide and the need to protect patient information seriously.

I also have some feedback of my own for NIST: Try to light a fire under the physician community, not just IT personnel, about the need for better security of mobile devices. Increase publicity for this guide.

And please write more of it in plain English. - Marla (@MarlaHirsch and @FierceHealthIT)