Aug 21

National Cybersecurity Center of Excellence releases its first cybersecurity practice guide: “Securing Electronic Health Records on Mobile Devices.”

As we discussed during a recent webinar, Cybersecurity: A Mid-Year Legal Review, damaging health care data breaches are being reported with increasing frequency. Earlier this year, the FBI issued a private notice to the healthcare industry warning providers that their cybersecurity systems are lax compared to other sectors. And according to the U.S. Department of Health and Human Services, there have been over 1,100 separate breaches at organizations handling protected health data since 2009. As our personal health information becomes more digitized and accessible (for example, through mobile devices), effective data protection strategies and related risk assessments become increasingly important.

The National Institute of Standards and Technology (NIST) may provide some help to health care organizations seeking guidance on protecting electronic health care records (EHR). On July 23, 2015, the National Cybersecurity Center of Excellence (NCCoE), a division of NIST, released a draft cybersecurity guide, noting that “health records shared on mobile devices are especially vulnerable to attack” and that such records “can be exploited in ways that can endanger patient health as well as compromise identity and privacy.”

According to the NCCoE, the draft guide illustrates how health care providers can improve their cybersecurity architecture and the security of EHR and other personal health information accessed, stored, and shared via mobile devices. The NCCoE directs providers to commercially available and open-source products as a means for implementing the guide’s industry standards and best practices.

The draft guide also focuses on risk assessment methodologies and includes a security questionnaire (section 8) for health care organizations to consider when selecting a cloud-based EHR platform provider.   Finally, the draft guide provides useful information to assist health care organizations in evaluating the security of mobile devices connected to their secure information systems. The NCCoE is soliciting stakeholder comments on the draft guide until Sept. 25, 2015. Check here for instructions on how to provide comments.

Leave a Reply