United States: NIST's First Cybersecurity Practice Guide: Securing Electronic Health Records On Mobile Devices

The National Institute of Standards and Technology (NIST) has released a draft of Securing Electronic Records on Mobile Devices, the institute's first practice guide in a series designed to help organizations improve cybersecurity.  The guide demonstrates how health care providers can more securely share patient information using mobile devices such as tablets and smartphones.  While the guide is not a guarantee of compliance, providers can use it to help implement relevant standards and best practices in the NIST Framework for Improving Critical Infrastructure Cybersecurity, and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

The Landscape.

Health care providers rely more and more upon mobile devices to store, access, and transmit electronic health records.  Recent research indicates approximately 87% of physicians use a smartphone or tablet in the workplace.¹  Device-enabled tasks include exchanging patient information, submitting claims, generating electronic records, and e-prescribing, in addition to research and educational activities.  Among other benefits, these devices offer speed and ease of access to information at the point of care, helping physicians make quicker decisions with a lower error rate.²

Along with unique benefits, mobile devices carry unique risks.  They are small, portable, more easily lost or stolen than a laptop, and generally attractive to thieves.  Users can fail to implement appropriate authentication or data encryption, and may send and receive data through unsecure cellular networks rather than secure website connections or virtual private networking.  Using personal rather than employer-supplied equipment ("bring your own device") can increase risk.  While mobile devices have been said to transform many aspects of care, providers who incorporate these devices into their practice should be prepared to face a particular set of privacy and security challenges.

These challenges are particularly acute at a time when criminals highly prize health care records.  Thieves can use or sell health records to allow one person to obtain health care in another's name.  This "medical identity theft" is physically dangerous to patients (whose records may contain a mix of information from several individuals), and can cost providers much in terms of patient trust, time, and money.  So acute are these challenges that Tip #2 on the list of HealthIT.gov's "Top 10 Tips for Cybersecurity in Health Care" is "Protect Mobile Devices."  Components of this important tip include:

• Ensure mobile devices are equipped with strong authentication and access controls.
• Protect wireless transmissions from intrusion.
• Avoid transmitting unencrypted health information across public networks.
• Encrypt data when it is "absolutely necessary" to commit health information to a mobile device or remove a device from a secure area.
• Do not use mobile devices that cannot support encryption.
• Develop and enforce policies specifying the circumstances under which devices can be removed from the facility.
• Take extra care to prevent unauthorized viewing of health information displayed on a mobile device.

On August 6, 2015, OCR's Abby Bonjean (Region 5/Midwest Region) spoke at the quarterly meeting of the Indiana Security & Privacy Network (InSPN).³ Ms. Bonjean noted that issues surrounding mobile devices (including laptops, external hard drives, and thumb drives) are among the most common HIPAA compliance issues.  She recommended that Covered Entities implement a mobile device-specific policy/procedure, and train workforce members on it.

The NIST Guide.

To help providers keep pace with practice needs in the current threat landscape, NIST brought cybersecurity experts together with health care providers to create a virtual environment that simulated interaction between mobile devices and an EHR system.  Using a hypothetical scenario in which a primary care physician uses her mobile device to perform such tasks as making referrals, adding information to the EHR, and e-prescribing, the team identified commercially available and open-source tools,⁴ consistent with cybersecurity standards and best practices, that can increase privacy and security and reduce risk.  The NIST guide:

• Maps security characteristics to standards and best practices from NIST and other standards organizations, and to the HIPAA Security Rule.
• Provides a detailed architecture and capabilities that address security concerns.
• Facilitates ease of use through transparent, automated configuration of security controls.
• Addresses the need for different types of implementation, whether in-house or outsourced.
• Provides guidance for implementers and security engineers.

The guide contains five sections:  (1) Executive Summary; (2) Approach, Architecture, and Security Characteristics (what was built and why); (3) How To Guides (instructions to build the reference design); (4) Standards and Controls Mapping (listing of standards, best practices, and technologies used to create the guide); and (5) Risk Assessment and Outcomes (risk assessment methodology, results, test, and evaluation).

Health care providers, like all entities that collect and store personally identifying information, should base their privacy and security practices on a robust risk assessment.  This will allow them to better understand their unique cybersecurity challenges, the related implications, and how far criminals will go to exploit vulnerabilities.

While no security system can prevent all mistakes and intrusions, the guide advises providers how to quickly and efficiently integrate standards-based products into their existing tools and infrastructure.  Donna Dodson, Director of the national Cybersecurity Center of Excellence at NIST, emphasizes that "health care organizations want to protect their clients' personal information and themselves from the high costs associated with breaches."  The NIST guide can be an important tool to help providers achieve this goal.

The guide is open for public comment until September 25, 2015. Send comments to HIT_NCCoE@nist.gov.

Footnotes

^{1 Ventola, C. (2014).  Mobile Devices and Apps for Health Care Professionals:  Uses and Benefits.  P.T., 39(5): 356-354.}

^{2 Id.}

^{3 Ms. Bonjean noted at the outset that her remarks were her own.}

^{4 While NIST used a particular suite of products, it does not endorse them.}

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.