NIST Releases EHR Mobile Security Draft for Comment
The National Institute of Standards and Technology has released a draft document aimed at healthcare information security, the first in a new series of guides intended to help enterprises and developers improve cybersecurity.
The guide, entitled Securing Electronic Health Records on Mobile Devices, provides IT implementers and security engineers with a detailed architecture so they can copy, or recreate with different but similar technologies, the security characteristics of the guide. It also maps to standards and best practices from NIST and others, as well as HIPAA rules. The guide takes into account the need for different types of implementation for different circumstances such as when cybersecurity is handled in-house or is outsourced.
The draft guide was developed by industry and academic cybersecurity experts, with the input of healthcare providers who first identified the challenge. The center then invited technology providers with relevant commercial products to partner with NIST through cooperative research and development agreements and collected public feedback at multiple steps along the way.
The guide is being released under the aegis of The National Cybersecurity Center of Excellence (NCCoE), which NIST established in 2012 in conjunction with the State of Maryland and that state's Montgomery County. Since that time, the center has been building partnerships with industry and academia to identify cybersecurity challenges and develop example solutions in industries such as healthcare, energy and financial services.
The team at the NCCoE built a virtual environment that simulates interaction among mobile devices and an EHR system supported by the IT infrastructure of a medical organization. They developed a scenario in which a hypothetical primary care physician uses a mobile device to perform recurring activities such as sending a referral containing clinical information to another physician or sending an electronic prescription to a pharmacy. Then, using commercially available technologies, they built a solution to improve privacy and security protections.
The comment period runs through Sept. 25. Comments can be made here.