NIST on Protecting Mobile Health Data
Expert Offers Insights on Critical Steps to Take
New draft guidance from the National Institute of Standards and Technology instructs healthcare providers on the critical steps they should take to secure electronic health records on mobile devices, says Nate Lesser, who helped prepare the document.
"What we published is guidance to help [healthcare] organizations think about how to evaluate and manage their risks, and then to help them implement security technologies that might not be the core function of what an organization does," he says in an interview with Information Security Media Group.
"This guidance attempts to provide a set of real-world examples on how to implement security standards and best practices in healthcare environments," says Lesser, deputy director of the National Cybersecurity Center of Excellence at NIST.
The guide aims to address a significant problem in the healthcare sector: About a third of the incidents that appear on the Department of Health and Human Services' "wall of shame" website listing health data breaches affecting 500 or more individuals involve lost or stolen unencrypted laptop computers or other portable devices.
But beyond encrypting data stored on laptops, tablets and smartphones to prevent potential breaches, healthcare providers also need to take a variety of other critical steps to protect patient data stored on mobile devices, he says.
Those steps, which are detailed in the guide, include conducting a risk analysis that's geared to the size and type of a healthcare organization, as well as the kind of patient population the entity serves, he points out.
"There are some major threats to confidentiality, integrity and availability of patient information that are specific to the use of mobile devices in healthcare environments," he notes. Besides loss or theft of devices, those threats include "a user who walks away from a logged-on mobile device; a user who downloads a virus or malware onto the device; or a user who tries to use an unsecured wireless network," he says.
"The guide is about enforcing policies on mobile devices ... such as enforcing the mechanisms that allow a device to connect into an electronic health record system to ensure that those who are making changes to those records or are seeing patient information are authorized to do so."
In the interview, Lesser also discusses:
- How mobile device security concerns in the healthcare sector compare to those in other industries;
- Involvement by HHS' Office for Civil Rights and the Office of the National Coordinator for Health IT in the creation of the NIST draft guide;
- A separate NIST guide that's being finalized for medical device cybersecurity, and other upcoming NIST guidance planned for other industries, such as the energy sector.
NIST is accepting comments on the draft guidance until Sept. 25, after which it will publish a final version.
NIST's National Cybersecurity Center of Excellence, where Lesser serves as deputy director, collaborates with members of industry, government and academia to build open, standards-based, modular and practical example reference designs that address cybersecurity challenges in key economic sectors. Lesser previously managed a team of cybersecurity engineers at Booz Allen Hamilton and was a Presidential Management Fellow at the Office of Management and Budget.