With health care breaches constantly on the rise, increasing access to electronic health records (EHRs) from mobile devices, and more prevalent “shadow” cloud use, health care organizations are getting a bit of help from the National Institute of Standards and Technology (NIST) with a draft cybersecurity guide: “NIST is soliciting stakeholder comments due Sept. 25, 2015.
On July 23, the National Cybersecurity Center of Excellence (NCCoE), a division of NIST, released the draft guide, noting that “health records shared on mobile devices are especially vulnerable to attack” and such records “can be exploited in ways that can endanger patient health as well as compromise identity and privacy.” According to the NCCoE, the guide illustrates how health care providers can improve their cybersecurity posture and the security of patient information accessed, stored, and shared via mobile devices. The NCCoE directs providers to commercially-available and open-source products as a means for implementing the guide.
In part, the guide sets forth what NCCoE believes are industry standards and best practices, such as relevant NIST standards and the NIST Cybersecurity Framework, mapped to security controls and standards, including the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, ISO/IEC 27002, and SANS Institute Critical Security Controls. The guide is structured as a “How To” for Security Officers, engineers, and others responsible for information security within health care organizations and provides a detailed architecture that can be implemented through commercially available products.
Additionally, the guide contains an entire volume dedicated to risk assessments. With most HIPAA settlements involving electronic information (as well as most reported data breaches affecting 500 or more individuals), complete and accurate risk assessments are a cornerstone to ensuring the confidentiality, integrity, and availability of patient information. The guide walks through two different risk assessment methodologies for its use case, a valuable illustration for all HIPAA covered entities. Finally, the risk assessment volume includes a security questionnaire (section 8) for health care organizations to consider when selecting a cloud-based EHR provider.
As health care entities continue to evaluate the security posture of the mobile devices connected to their information systems, this guide may offer assistance. The NCCoE will accept public comment on the draft guide through Sept. 25, 2015. Interested stakeholders should take the opportunity to review the guide and provide feedback. Instructions on how to provide comments are available here.