Date Published: July 2015
Comments Due:
Email Questions to:
Author(s)
Gavin O'Brien (NIST), Nate Lesser (NIST), Brett Pleasant (MITRE), Sue Wang (MITRE), Kangmin Zheng (MITRE), Colin Bowers (Ramparts), Kyle Kamke (Ramparts)
Editor(s)
Leah Kauffman (NIST)
Announcement
NIST announces the public comment period for Draft NIST Cybersecurity Practice Guide SP 1800-1, Securing Electronic Health Records on Mobile Devices.
The use of mobile devices in health care sometimes outpaces the privacy and security protections on those devices. Stolen personal information can have negative financial impacts, but stolen medical information cuts to the very core of personal privacy. Medical identity theft already costs billions of dollars each year, and altered medical information can put a person's health at risk through misdiagnosis, delayed treatment, or incorrect prescriptions.
Cybersecurity experts at the National Cybersecurity Center of Excellence (NCCoE) collaborated with health care industry leaders and technology vendors to develop an example solution to show health care organizations how they can secure electronic health records on mobile devices. The guide provides IT implementers and security engineers with a detailed architecture so that they can recreate the security characteristics of the example solution with the same or similar technologies. Our solution is guided by relevant standards and best practices from NIST and others, including those in the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
Health care providers increasingly use mobile devices to receive, store, process, and transmit patient clinical information. According to our own risk analysis, discussed here, and in the experience of many health care providers, mobile devices can present vulnerabilities in a health care organization's networks. At the 2012 Health and Human Services Mobile Devices Roundtable, participants stressed that mobile devices are being used by many providers for health care delivery before they have implemented safeguards for privacy and security. This NIST Cybersecurity Practice Guide provides a modular, open, end-to-end reference design that can be tailored and implemented by health care organizations of varying sizes and information technology sophistication. Specifically, the guide shows how health care providers, using open source and commercially available tools and technologies that are consistent with cybersecurity standards, can more securely share patient information among caregivers using mobile devices. The scenario considered is that of a hypothetical primary care physician using her mobile device to perform reoccurring activities such as sending a referral (e.g., clinicalinformation) to another physician, or sending an electronic prescription to a pharmacy. While the design was demonstrated with a certain suite of products, the guide does not endorse these products in particular. Instead, it presents the characteristics and capabilities that an organization's security experts can use to identify similar standards-based products that can be integrated quickly and cost-effectively with a health care provider's existing tools and infrastructure.
Health care providers increasingly use mobile devices to receive, store, process, and transmit patient clinical information. According to our own risk analysis, discussed here, and in the experience of many health care providers, mobile devices can present vulnerabilities in a health care...
See full abstract
Health care providers increasingly use mobile devices to receive, store, process, and transmit patient clinical information. According to our own risk analysis, discussed here, and in the experience of many health care providers, mobile devices can present vulnerabilities in a health care organization's networks. At the 2012 Health and Human Services Mobile Devices Roundtable, participants stressed that mobile devices are being used by many providers for health care delivery before they have implemented safeguards for privacy and security. This NIST Cybersecurity Practice Guide provides a modular, open, end-to-end reference design that can be tailored and implemented by health care organizations of varying sizes and information technology sophistication. Specifically, the guide shows how health care providers, using open source and commercially available tools and technologies that are consistent with cybersecurity standards, can more securely share patient information among caregivers using mobile devices. The scenario considered is that of a hypothetical primary care physician using her mobile device to perform reoccurring activities such as sending a referral (e.g., clinicalinformation) to another physician, or sending an electronic prescription to a pharmacy. While the design was demonstrated with a certain suite of products, the guide does not endorse these products in particular. Instead, it presents the characteristics and capabilities that an organization's security experts can use to identify similar standards-based products that can be integrated quickly and cost-effectively with a health care provider's existing tools and infrastructure.
Hide full abstract
Keywords
HIPAA; implement standards-based cybersecurity technologies; mobile device security standards; risk management; stolen health records; electronic health record security; stolen medical information; electronic health record system; breaches of patient health information
Control Families
Risk Assessment
