On July 22, the National Cybersecurity Center of Excellence (“NCCoE”), a U.S. government organization formed in 2012 within the National Institute of Standards and Technology (“NIST”), released a draft Cybersecurity Practice Guide pertaining specifically to the use of mobile devices to store, access and transmit electronic health records.  The draft Practice Guide is NCCoE’s first such publication in a special series, and, while it applies only to a narrow set of scenarios, it may shed light on how the organization will approach similar scenarios in the future. 

As medical records are increasingly digitized, providers of health IT products and services and medical providers who store sensitive patient health information present tempting targets for attackers.  Medical providers now regularly use mobile devices in their practices, but NIST notes that “the use of mobile devices to store, access and transmit electronic health care records is outpacing the privacy and security protections on those devices.”  The Department of Health and Human Services maintains a list of data breachesaffecting the health information of 500 or more individuals, and 1,283 such incidents have been reported since late 2009, including 41 in June and July alone. 

To address those challenges, the NCCoE draft Practice Guide describes an environment wherein an authorized user (such as a patient or health care provider) accesses sensitive patient health information from a secure server only after a series of security checks have been performed by the underlying hardware and software systems.  The draft Practice Guide then details several use cases and how the suggested solution mitigates the cybersecurity risk.  For example, if a doctor’s mobile device containing sensitive health information is stolen or lost, the solution NCCoE describes is configured to allow the remote deletion of that information.  In another use case, if an attacker gains access to a health provider’s internal network, the strategy described in the draft Practice Guide would help to limit the attacker’s access and any damage he or she might do.

NCCoE relies on close collaboration with industry to identify specific cybersecurity use cases and develop practical, repeatable solutions.  NCCoE then implements and tests the solutions in a “virtual environment” with independent evaluators.  These efforts result in NCCoE publishing NIST Cybersecurity Practice Guides (Special Publication series 1800), which include user-friendly information designed to facilitate immediate industry adoption.  The process is intended to complement NIST’s publication of more high-level frameworks, such as its 2014 Framework for Improving Critical Infrastructure Cybersecurity.  Like the NIST Framework, implementation of the Practice Guides is voluntary.

NCCoE is accepting public comments on the draft Practice Guide, and has requested that they be sent to HIT_NCCoE@nist.gov by September 25, 2015.  A template for comments is available at NCCoE’s website.