The National Cybersecurity Center of Excellence (NCCoE), a division of the National Institute of Standards and Technology (NIST) has penned a five-part draft guidance on cybersecurity for mobile devices that connect to electronic health records. The guidance includes a step-by-step how-to guide for improving data security that uses commercially available and open source tools and technologies, as well as sections on standards and control mapping and risk assessment.
"The NCCoE was established specifically to help organizations solve real-world challenges, and this was one of particular concern to the health care community," NCCoE Director Donna Dodson said in a statement. "This guide can help providers protect critical patient information without getting in the way of delivering quality care."
The guidance reflects the tightrope that hospitals have to walk in implementing mobile EHR access. Protecting patient data is important, but the interface can't require too much of doctors or it won't be adopted -- doctors already complain that EHRs aren't easy to use and don't fit into their workflow. So, for instance, NCCoE proposes a five-step login process to mobile EHR tools, but only the first and last step require the user to enter a password: logging into the mobile device and logging into the EHR. The rest of the authentication happens automatically using certificates and media access controls.
NCCoE created a "virtual environment that simulates interaction among mobile devices and an electronic health record system supported by the IT infrastructure of a medical organization" according to a statement. In this environment, they ran tests for a wide range of compromise scenarios: a lost device being found by a malicious party, a phishing scheme, an attacker gaining access to a doctor's user name and password, or an attacker gaining physical access to the hospital's data center, to name a few. Protections were put in place for all of these possibilities. They also made sure that the physician in the virtual environment could still do what they needed to do, like refer a patient to another physician or send an eRx to a local pharmacy.
"We know from working with them that health care organizations want to protect their clients' personal information and themselves from the high costs associated with breaches," Dodson said. "This guide can be an important tool among the many they use to reduce risk."
The draft guidance will be seeking comments through September 25, 2015. It's the first in a new series of publications from NIST, each of which is designed to help companies protect their information systems.