NIST publishes guidance for securing health records on mobile devices

How can health care providers secure mobile devices that physicians and other professionals use to send information about patients?

That’s the question at the center of a so-called practice guide published recently in draft form by the National Institute of Standards and Technology (NIST). Between now and Sept. 25, NIST seeks public comment on the guide, which illustrates how providers can assess cyber threats and secure electronic health records on smartphones, tablets and laptops, as well as the servers to which such equipment connects.

The effort reflects the reality that electronic health records, whose adoption and use the federal Health Information Technology for Economic and Clinical Health Act (HITECH Act) aims to spur, can be accessed in ways that compromise both privacy and patient care. According to NIST:

“Cost and care efficiencies, as well as incentives from the HITECH Act, have prompted health care groups to rapidly adopt electronic health record systems. Unfortunately, organizations have not adopted security measures at the same pace. Attackers are aware of these vulnerabilities and are deploying increasingly sophisticated means to exploit information systems and devices.”

At issue is the susceptibility of electronic health information to intrusion. NIST cites a report published in May by the Ponemon Institute that found malicious hacks on health care organizations now outnumber accidental breaches, and that the number of criminal attacks grew 125% in the last five years.

As the law firm King & Spalding notes, so far this summer the U.S. Department of Health and Human Services has logged 34 breaches of protected health information that each affected 500 or more people. Incidents include an attack on a server that held records for roughly 390,000 people at Medical Informatics Engineering, a software company in Indiana; the theft of a desktop computer containing health records for more than 12,500 people at Montefiore Medical Center in New York; and a cyberattack in June on UCLA Health System, where intruders made off with information for as many as 4.5 million people.

The practice guide proposed by NIST addresses such scenarios as the theft or loss of devices that had access to electronic health records; attacks on the networks of health care organizations, whether by hackers or intruders who gain access to the premises; installation of malware; or users who walk away while logged in to devices.

The guide, which is voluntary for stakeholders, mirrors a framework that NIST is developing pursuant to an order for reducing cyber risks to infrastructure that President Obama issued in February 2013. Federal law requires providers to assess risks to electronic health information regularly.

All things mobile?

With my MacBook in the shop this week I’ve used my iPhone exclusively for all things digital. That includes paying bills, refilling a prescription, purchasing tickets to a concert and typing posts such as this one.

“This is one of those times when an iPad might get you most of what you need,” my significant other told me. Overall the phone is fine. Still, I’m struck by the tasks that seemingly ought to be mobile yet for whatever reason require a workaround.

For example, at Ticketfly, an online merchant that sells what the first part of its name suggests, my attempt to purchase one ticket to a show this September ended in what the site termed a server error. Ticketfly suggested a phone call to complete my order. 

Walgreens asked me if I would like to purchase a membership in a program for discounts on drugs. Intrigued, I clicked on a PDF file of a brochure that described the program. But the site failed to deliver the file despite my trying at least three times to open it.

I also tried to pay my Visa bill at Bank of America. The bank issued me a new card recently. That required me to connect the card anew to my bank account. But the site could not direct me to the page where you enter your banking details. I later completed the setup from a desktop Mac at the library.