The National Cybersecurity Center of Excellence (NCCoE) at the U.S. National Institute of Standards and Technology (NIST) just released a draft of its first cybersecurity practice guide, “Securing Electronic Health Records on Mobile Devices.” The document serves as a “how to guide” with a solution on how to secure PHI with ideas consistent with cybersecurity standards and best practices.
The value of PHI to cybercriminals just keeps going up, meaning that cybercriminals are out to exploit any weakness they can find. Forrester estimates that 78% of data breaches in the healthcare sector are due to lost or stolen devices. The NIST Guide examined the top security risks to electronic health records on mobile devices, listing weak passwords, network sniffing and stolen mobile devices as the top 3 risks.
The new NIST Guide, while offering some solutions, admits that its guide should serve as a starting point for tailoring and implementing solutions that best meet the needs of the organization in question.
Topics covered in the Guide include:
- The Approach, Architecture, and Security Characteristics to securing electronic health records on mobile devices, which includes a good section on risk assessment for mobile devices covering lost or stolen devices, user actions which put data at risk (leaving logged-on devices exposed, malware and use of insecure WiFi networks), and base security such as access control, data retention and recovery
- A detailed How-To Guide covering areas including network infrastructure, intrusion detection, identity and access control and more
- Standards and Control Mapping for security electronic health records
- Risk Assessments and Outcomes for securing electronic health records