Extension of Public Comment Period Speaks to Impact of NIST’s Healthcare-Focused Cybersecurity Guide
It’s no surprise that the National Cybersecurity Center of
Excellence (NCCoE) has extended the public comment period for one of its newest
guides, “Securing Electronic Health Records on Mobile Devices.” The five-part
publication is one of the most detailed and potentially powerful resources that
the NCCoE has released in recent memory, and it is among the most
comprehensive manuals yet written on protecting patient health records,
with a particular focus on securing mobile technology.
When the NCCoE released the draft in July, it planned to keep the comment period
open until September 25. Recently, however, the NCCoE decided to extend
the public comment period until October 23, citing “stakeholder feedback” in
its statement.
The publication is the result of a collaborative effort between the NCCoE, the
National Institute of Standards and Technology (NIST), and an array of
cybersecurity professionals, academics, and healthcare professionals. It has
been incorporated into NIST’s “Special Publications” 1800 series (SP 1800),
which according to the NIST website “targets specific cybersecurity challenges”
and provides “practical, user-friendly guides to facilitate adoption of
standards-based approaches to cybersecurity.”
Why This Guide Is So Special
“Securing Electronic Health Records on Mobile Devices” can be downloaded in five
sections from the NCCoE and NIST websites, which is typical of these
collaborative projects.
But what makes this guide unique, and particularly powerful, is the amount of
detail included in each of the four main volumes that follow the Executive
Summary (SP 1800-1a):
SP 1800-1b: Approach, Architecture, and Security Characteristics
SP 1800-1c: How-To Guide
SP 1800-1d: Standards and Controls Mapping
SP 1800-1e: Risk Assessment and Outcomes
Each features step-by-step guidance for both conceptualizing
the relevant information architecture and subsequently designing a standardized
security framework. This is not a strictly theoretical approach to advising
healthcare businesses. It is a technical, factual, and systematic plan for
building an information technology (IT) environment, from recommended hostnames
and BIND DNS installation (example configuration included) to the Security
Onion setup and its recommended post-installation configuration settings.
If your eyes just glazed over, then “SP 1800-1c: How-To Guide” probably
will not be your favorite thing to read. But this 91-page practice guide,
written for health IT security engineers, is one example of the kind of
precise guidance offered to healthcare providers to help them solve very
technical (and very real) problems.
In producing this work, NIST and NCCOE have recognized that healthcare
providers and their staffs “increasingly use mobile devices to store, process, and
transmit patient information”. As part of its methodology, NIST and NCCOE
actually created an environment to simulate the “interaction among mobile
devices and an EHR system supported by the IT infrastructure of a medical
organization.” This allowed the
organizations the ability to mimic the same kinds of security risks and
challenges faced by healthcare providers in the real world.
The result is a guide that provides for: risk assessment (“to fully
understand…potential cybersecurity vulnerabilities”); mapping of security
characteristics (“to standards and best practices,” as found in SP 1800-1d); and
practical, physical implementation (including hardware and software
recommendations, “a how-to for implementers and security engineers seeking to
recreate our reference design”).
If you run a healthcare organization responsible for the security and privacy
of patient data, this guide is the year’s most important must-read.
At the end of the day, this five-part manual offers HIPAA-covered entities a
standardized playbook from which they can re-engineer their current IT systems.
As the Executive Summary explains, “Organizations can use some, or all of the
guide to help them implement relevant standards and best practices in the NIST
Framework for Improving Critical Infrastructure Cybersecurity and Health
Insurance Portability and Accountability Act (HIPAA) Security Rule.” Note that
the guide is a reference design rather than a regulation: like the other SP 1800
practice guides, it carries no statutory authority, and reproducing its
architecture does not by itself demonstrate HIPAA Security Rule compliance.
Once the extended comment period ends, healthcare providers should tune back
in to see what will likely be a number of helpful insights, corrections and updates
to the guide from industry analysts and experts.