Securing Electronic Medical Records on Mobile Devices
The National Institute of Standards and Technology (NIST) plans to publish a first-of-its-kind guide that demonstrates how healthcare providers can more securely share patient information and electronic records using mobile electronic devices. The guide, “Securing Electronic Records on Mobile Devices,” is designed to help providers implement relevant standards and best practices consistent with the recommendations of standards organizations and the requirements of the HIPAA Security Rule.
Because healthcare providers increasingly use mobile devices to store and transmit patient data, a user’s failure to implement appropriate authentication or data encryption creates an increased risk of security breaches and medical identity theft. Issues surrounding mobile devices are among the most common HIPAA compliance issues. As a result, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) recommends that Covered Entities implement a mobile device-specific policy/procedure and that workforce members receive related training.
Cybersecurity experts and healthcare providers collaborated to design the practice guide, which has five volumes: (1) Executive Summary; (2) Approach, Architecture, and Security Characteristics; (3) How-To Guides; (4) Standards and Controls Mapping (a listing of the standards, best practices, and technologies used to create the guide); and (5) Risk Assessment and Outcomes. The practice guide advises healthcare providers on how to quickly and efficiently integrate standards-based, commercially available products into their existing framework.
The guide is open for public comment through September 25, 2015. We will continue to monitor and provide updates as they are made available. In the meantime, please contact Dan Ferhat (ferhatd@whiteandwilliams.com; 215.864.6297) for additional information.