July 28, 2015

SP 1800-1

DRAFT Securing Electronic Health Records on Mobile Devices

NIST announces the public comment period for Draft NIST Cybersecurity Practice Guide SP 1800-1, Securing Electronic Health Records on Mobile Devices.
 
The use of mobile devices in health care sometimes outpaces the privacy and security protections on those devices. Stolen personal information can have negative financial impacts, but stolen medical information cuts to the very core of personal privacy. Medical identity theft already costs billions of dollars each year, and altered medical information can put a person’s health at risk through misdiagnosis, delayed treatment, or incorrect prescriptions.
 
Cybersecurity experts at the National Cybersecurity Center of Excellence (NCCoE) collaborated with health care industry leaders and technology vendors to develop an example solution to show health care organizations how they can secure electronic health records on mobile devices. The guide provides IT implementers and security engineers with a detailed architecture so that they can recreate the security characteristics of the example solution with the same or similar technologies. Our solution is guided by relevant standards and best practices from NIST and others, including those in the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
 
Please submit comments by September 25, 2015. Comments will be made public after review and can be submitted anonymously. Submit comments online or via email to HIT_NCCoE@nist.gov.

 

Draft SP 1800-1a: Executive Summary
Draft SP 1800-1b: Approach, Architecture and Security Characteristics (for CIOs, CISOs, and Security Managers)
Draft SP 1800-1c: How-To Guides (for Security Engineers)
Draft SP 1800-1d: Standards and Controls Mapping
Draft SP 1800-1e: Risk Assessment and Outcomes
.zip file (parts a-e, manifest and template files)
SP 1800-1 homepage

Executive Summary
• Patient information in electronic health records needs to be protected so it is not exploited to endanger patient health or compromise identity and privacy.
• If not protected, patient information collected, stored, processed, and transmitted on mobile devices is especially vulnerable to attack.
• The National Cybersecurity Center of Excellence (NCCoE) developed an example solution to this problem using commercially available products.
• The example solution is packaged as a “How To” guide, providing organizations with the detailed instructions to recreate our example. The NCCoE’s approach secures patient information when practitioners access it with mobile devices.
• Organizations can use some, or all, of the guide to help them implement relevant standards and best practices in the NIST Framework for Improving Critical Infrastructure Cybersecurity and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.