NIST offers 'how to' for securing EHRs on mobile devices
- With smartphones and tablets becoming ubiquitous in healthcare, the National Institute of Standards and Technology has issued a “how-to” guide aimed at helping providers secure EHRs on mobile devices.
- The guide provides a simulated solution developed by NIST's National Cybersecurity Center of Excellence using commercially available products. The scenario involves interactions among mobile devices and an EHR system that is supported by an organization's IT infrastructure.
- NIST hopes people will use the guide to implement relevant standards and best practices for cybersecurity and HIPAA compliance.
Cybersecurity is becoming increasingly important as mobile devices are incorporated into all levels of care and hospitals and practices consider policies like bring-your-own-device, or BYOD.
In a 2017 Spõk survey, 71% of clinicians reported their hospitals permits some type of BYOD use, up from 58% in 2016. In the same survey, 65% of physicians and 41% of nurses conceded they use personal devices despite hospital policy against such use.
Much mobile device use centers around clinical care teams. In fact, Spy Glass Consulting found nine in 10 hospitals are investing in smartphones and secure mobile communications to drive clinical transformation. In a JAMF survey, 91% of healthcare IT leaders said they would benefit from an enterprise-wide mobile device initiative.
But ensuring the security of personal health information on mobile devices can be tricky. Mobile devices should be part of an organization’s overall governance program and should include issues like BYOD and what people can download on a flash drive, Kathy Downing, director of practice excellence and senior director at the American Health Information Management Association, told Healthcare Dive earlier this year.
“We see so many breaches when somebody has downloaded something on a flash drive and the flash drive goes missing,” she said.
The NIST guide:
- Maps security characteristics to recognized standards and best practices.
- Provides a detailed architecture and capabilities to enhance security controls.
- Automates configuration of security controls for ease of use.
- Discusses in-house and outsourced implementation.
- Shows how security personnel can recreate the simulation design in whole or in part.
The guide also covers issues such as audit controls and monitoring, device integrity, user authentication and transmission security.
- National Institute of Standards and Technology Securing Electronic Health Records on Mobile Device