
NIST publishes guidance for securing health records on mobile devices

How can health care providers secure mobile devices that physicians and other professionals use to send information about patients?

That’s the question at the center of a so-called practice guide published recently in draft form by the National Institute of Standards and Technology (NIST). Between now and Sept. 25, NIST seeks public comment on the guide, which illustrates how providers can assess cyber threats and secure electronic health records on smartphones, tablets and laptops, as well as on the servers to which such equipment connects.

The effort reflects the reality that electronic health records, whose adoption and use the federal Health Information Technology for Economic and Clinical Health Act (HITECH Act) aims to spur, can be accessed in ways that compromise both privacy and patient care. According to NIST:

“Cost and care efficiencies, as well as incentives from the HITECH Act, have prompted health care groups to rapidly adopt electronic health record systems. Unfortunately, organizations have not adopted security measures at the same pace. Attackers are aware of these vulnerabilities and are deploying increasingly sophisticated means to exploit information systems and devices.”

At issue is the susceptibility of electronic health information to intrusion. NIST cites a report published in May by the Ponemon Institute that found malicious hacks on health care organizations now outnumber accidental breaches, and that the number of criminal attacks grew 125% in the last five years.

As the law firm King & Spalding notes, so far this summer the U.S. Department of Health and Human Services has logged 34 breaches of protected health information that each affected 500 or more people. Incidents include an attack on a server that held records for roughly 390,000 people at Medical Informatics Engineering, a software company in Indiana; the theft of a desktop computer containing health records for more than 12,500 people at Montefiore Medical Center in New York; and a cyberattack in June on UCLA Health System, where intruders made off with information for as many as 4.5 million people.

The practice guide proposed by NIST addresses such scenarios as the theft or loss of devices that had access to electronic health records; attacks on the networks of health care organizations, whether by hackers or intruders who gain access to the premises; installation of malware; or users who walk away while logged in to devices.

The guide, which is voluntary for stakeholders, mirrors a framework that NIST is developing pursuant to an order for reducing cyber risks to infrastructure that President Obama issued in February 2013. Federal law requires providers to assess risks to electronic health information regularly.