The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) released a draft guide that demonstrates how health care providers can make mobile devices, such as smartphones and tablets, more secure, in order to better protect patient information while still taking advantage of electronic communications technology.
According to the draft guide, titled “Securing Electronic Records on Mobile Devices,” “the use of mobile devices to store, access, and transmit electronic health care records is outpacing the privacy and security protection on those devices.” The draft guide:
- maps security characteristics to standards and best practices from NIST and other standards organizations, and to the HIPAA Security Rule
- provides a detailed architecture and capabilities that address security controls
- facilitates ease of use through transparent, automated configuration of security controls
- addresses the need for different types of implementation, whether in-house or outsourced
- provides guidance for implementers and security engineers
Further, NIST stresses the importance of conducting risk assessments and of the risk management process by stating:
Assessing risks and making decisions about how to mitigate them should be continuous to account for the dynamic nature of your business processes and technologies, the threat landscape, and the data itself. The guide describes our approach to risk assessment. We recommend that organizations implement a continuous risk management process as a starting point to adopting this or other approaches that will increase the security of electronic health records.
According to NCCoE Director Donna Dodson, “healthcare organizations want to protect their clients’ personal information and themselves from the high costs associated with breaches. This guide can be an important tool among the many to reduce risk.”
Mobile device usage and mobile device thefts are on the rise and are outpacing privacy and security protection on those devices. Because of this, we have added a sample Bring Your Own Device (BYOD) Policy and User Agreement to our forms section, and we recently addressed mobile device security in our multi-part HIPAA article series. If you haven’t already, we highly recommend you conduct a thorough risk assessment before moving forward with mobile devices and review or develop your corresponding policies and procedures.