NIST releases How to Guide for securing electronic health records on Mobile Devices

Advancing Technology Guidance

The National Institute of Standards and Technology's (NIST) National Cybersecurity Center of Excellence (NCCoE) released its early guidance to demonstrate how health care providers can make personal devices more secure. Focusing on mobile devices such as smartphones and tablets, the guide aims to better protect patient information while still taking advantage of the benefits of advancing electronic communications technology.

Securing Electronic Records on Mobile Devices

The guide, entitled Securing Electronic Records on Mobile Devices, declares that "the use of mobile devices to store, access, and transmit electronic health care records is outpacing the privacy and security protection on those devices."

Guide Highlights Include:

  • Mapping security characteristics to standards and best practices from NIST and other standards organizations, and to the HIPAA Security Rule
  • Providing a detailed architecture and capabilities that address security controls
  • Facilitating ease of use through transparent, automated configuration of security controls
  • Addressing the need for different types of implementation, whether in-house or outsourced
  • Providing guidance for implementers and security engineers


Managing Risk Guidance

Furthermore, NIST stresses the importance of conducting risk assessments and of the risk management process, stating:

"Assessing risks and making decisions about how to mitigate them should be continuous to account for the dynamic nature of your business processes and technologies, the threat landscape, and the data itself. The guide describes our approach to risk assessment. We recommend that organizations implement a continuous risk management process as a starting point to adopting this or other approaches that will increase the security of electronic health records."

According to NCCoE Director Donna Dodson:

"Healthcare organizations want to protect their clients' personal information and themselves from the high costs associated with breaches. This guide can be an important tool among many to reduce risk."


Final Thoughts

This draft guide supports Healthcare Compliance Pros' position that mobile device usage and mobile device thefts are on the rise and are outpacing privacy and security protection on those devices.

Forms Update: Because of this, we have added a sample Bring Your Own Device (BYOD) Policy and User Agreement to our forms section and we recently addressed mobile device security in our multi-part HIPAA article series.

Don't Forget the Risk Assessment: If you haven't already, we highly recommend that you conduct a thorough risk assessment before moving forward with mobile devices, and that you review or develop your corresponding policies and procedures.

Cybersecurity topics where HCP can help:

  • Understanding mobile device security
  • Performing a thorough risk assessment
  • Conducting the risk management process

For any questions, contact us to request more information.