Extension of Public Comment Period Speaks to Impact of NIST’s Healthcare-Focused Cybersecurity Guide 

October, 2015 - Kristen Johns

It’s no surprise that the National Cybersecurity Center of Excellence (NCCOE) has extended the public comment period for one of its newest guides, “Securing Electronic Health Records on Mobile Devices.” The five-part publication is one of the most detailed and potentially powerful resources that the NCCOE has released in recent memory, and it serves as one of the most comprehensive manuals to address the protection of patient information records, with a particular focus on securing mobile technology.

When the NCCOE released a draft in July, it planned to keep the comment period open until September 25. Recently, however, the NCCOE decided to extend the public comment period until October 23, citing “stakeholder feedback” in its released statement.

The publication is the result of a collaborative effort between the NCCOE, the National Institute of Standards and Technology (NIST), and an array of cybersecurity professionals, academics, and healthcare professionals. It has been incorporated into NIST’s “Special Publications” 1800 series (SP 1800), which according to the NIST website “targets specific cybersecurity challenges” and provides “practical, user-friendly guides to facilitate adoption of standards-based approaches to cybersecurity.”

Why This Guide Is So Special

“Securing Electronic Health Records on Mobile Devices” can be accessed in five downloadable sections on the NCCOE and NIST websites, which is typical of these collaborative projects.

But what makes this guide unique, and particularly powerful, is the amount of detail included in each of the four main volumes:

SP 1800-1b: Approach, Architecture, and Security Characteristics

SP 1800-1c: How-To Guide

SP 1800-1d: Standards and Controls Mapping

SP 1800-1e: Risk Assessment and Outcomes

Each features step-by-step guidance for both conceptualizing the relevant information architecture and subsequently designing a standardized security framework. This is not a strictly theoretical approach to advising healthcare businesses. It is a technical, factual, and systematic plan for creating an information technology (IT) framework—from recommended hostnames and BIND DNS installation (example code included), right down to the Security Onion setup (and all the way to post-installation configuration recommendations).

If your eyes just glazed over, then “SP 1800-1c: How-To Guide” probably will not be your favorite thing to read. But this 91-page practice guide, written for health IT security engineers, serves as one example of the type of precise guidance offered to healthcare providers to help them solve very technological (and very real) problems.

In producing this work, NIST and NCCOE have recognized that healthcare providers and their staffs “increasingly use mobile devices to store, process, and transmit patient information.” As part of their methodology, NIST and NCCOE actually created an environment to simulate the “interaction among mobile devices and an EHR system supported by the IT infrastructure of a medical organization.” This allowed the organizations to mimic the same kinds of security risks and challenges faced by healthcare providers in the real world.

The result is a guide that allows for: risk assessment (“to fully understand…potential cybersecurity vulnerabilities”); mapping security characteristics (“to standards and best practices,” as found in SP 1800-1d); and practical, physical implementation (including hardware and software recommendations, “a how-to for implementers and security engineers seeking to recreate our reference design”).

If you run a healthcare organization responsible for the security and privacy of patient data, this guide is the year’s most important must-read.

At the end of the day, this five-part manual offers to HIPAA-covered entities a standardized playbook from which they can re-engineer their current IT systems. As the Executive Summary explains, “Organizations can use some, or all of the guide to help them implement relevant standards and best practices in the NIST Framework for Improving Critical Infrastructure Cybersecurity and Health Insurance Portability and Accountability Act (HIPAA) Security Rule.”

Once the extended comment period ends, healthcare providers should tune back in to see what will likely be a number of helpful insights, hacks and updates to the guide from industry analysts and experts.
