New Guide for Securing Electronic Health Records on Mobile Devices Released by NIST/NCCoE

Physical, technical, and administrative controls can be implemented to secure ePHI on servers and desktop computers; however, it is much harder to secure data on mobile devices. Mobile devices are easily lost or stolen, and when they are used by remote workers it is easier for transmitted PHI to be intercepted. Given these risks, it is no surprise that mobile device security is a major concern for healthcare IT professionals.

Despite these security concerns, the majority of healthcare providers use mobile devices extensively, and mobile device usage by healthcare providers is expected to increase significantly over the next two years.

To help healthcare organizations take advantage of the benefits of mobile devices while complying with the HIPAA Security Rule, the National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) have produced a new guide – Securing Electronic Health Records on Mobile Devices.

The guide is aimed at healthcare organizations that use mobile devices to review and update electronic health records and to exchange medical records. It covers how healthcare organizations can address data and device security and minimize the risks of device loss or theft, interception of PHI, connection to untrusted networks, and use of the devices to interact with other systems and mobile devices.

The guide explains how ePHI can be secured on mobile devices without negatively impacting the provision of care and offers detailed advice to help healthcare providers secure electronic health records on mobile devices. It describes how IT professionals can apply a security architecture, built with open-source technologies and tools, that adds extra layers of cybersecurity to enhance device security, better safeguard ePHI, and ensure that ePHI is accessed and shared securely.

The guide maps security characteristics to NIST standards and best practices and to the HIPAA Security Rule, and lays out a security architecture with the appropriate security controls. It gives in-depth information on automated configuration of security controls for ease of use and addresses both in-house and outsourced implementations. Because the guide is modular, healthcare organizations can choose to implement some or all of the recommendations based on their own environments.

The guide explains that healthcare organizations need to conduct a thorough risk analysis to identify all risks to the confidentiality, integrity, and availability of ePHI stored on mobile devices, the implications of those risks, and how those risks could potentially be exploited by malicious actors. Evaluating risks and deciding how to mitigate them must be a continuous process, since business processes and technologies are dynamic. “We recommend that organizations implement a continuous risk management process as a starting point for adopting this or other approaches that will increase the security of EHRs,” wrote NIST. “It is important for management to perform regular periodic risk review, as determined by the needs of the business.”