Guiding the Way to Protecting Medical Records on Mobile Devices
February 2017
Topics: Cybersecurity, Information Security, Public Health, Environment, Healthcare IT
Medical identity theft costs billions of dollars each year, and altered medical information can put a person's health at risk through misdiagnosis, delayed treatment, or incorrect prescriptions. When health information is stolen, inappropriately made public, or altered, healthcare organizations can face penalties and lose consumer trust. Patient care and safety may be compromised.
Yet the use of mobile devices to store, access, and transmit electronic healthcare records (EHRs) is outpacing privacy and security protections. That's why the National Cybersecurity Center of Excellence (NCCoE) and MITRE are working together through a public-private partnership to help industry protect your health-related information.
"If you’ve ever been to the doctor or admitted to the hospital, and someone came up to you with an iPad or other mobile device, this project should interest you," says MITRE’s Brian Barrios. "Protecting sensitive medical data, while at the same time allowing the flexibility and innovation created by using mobile devices, is increasingly key for patients and the medical community."
Introducing a Guide to Mobile Medical Device Cybersecurity
The National Cybersecurity FFRDC (NCF), which is operated by MITRE, recently collaborated to develop a security architecture that can secure EHRs on mobile devices as part of its work program at the NCCoE. The resulting guide for healthcare organizations focuses on using commercially available and open-source tools and technologies consistent with cybersecurity standards.
"This is a huge accomplishment for the NCCoE—we were thrilled to be part of the team," says Barrios, NCF portfolio director. "It was truly a collaborative effort. Healthcare providers first identified the challenge. Then industry, academia, and commercial vendors worked together to come up with a practical solution."
The Efficiency of Mobile with the Security of Standards-Based Products
The NCCoE released a draft of the Securing Electronic Records on Mobile Devices guide last year, inviting comment from the cyber community. The guide articulates a cyber architecture and seeks to help healthcare providers implement the safeguards.
The NCF played a key role in creating the guide, which:
- maps security characteristics to standards and best practices from NIST and other standards organizations.
- aligns with the Health Insurance Portability and Accountability Act (commonly known as HIPAA).
- provides a detailed architecture and capabilities needed for security controls.
- facilitates ease of use through automated configuration of security controls.
- addresses the need for different types of implementation, whether in-house or outsourced.
- provides a how-to for implementers and security engineers seeking to recreate the reference design.
The scenario shown in the guide starts with a hypothetical primary care physician using her mobile device. She uses it to perform recurring activities such as sending a referral (e.g., clinical information) to another physician or sending an electronic prescription to a pharmacy. While the security-process scenario uses a specific suite of products, the guide doesn't endorse any particular vendor.
Instead, the guide presents the characteristics and capabilities an organization’s security experts can use to identify similar standards-based products. Such products must integrate quickly and cost-effectively with a healthcare provider’s existing tools and infrastructure.
A Mix-and-Match Approach to Fit the Need
Organizations can use some or all of the guide to help them implement healthcare industry standards and best practices, as well as those in the NIST Framework for Improving Critical Infrastructure Cybersecurity. Commercial and open-source standards-based products, like the ones used for these projects, are easily available and work with most companies' IT infrastructure and investments.
"There are many barriers to adopting secure technologies," Barrios says, "but this architecture and guide for mobile medical device cybersecurity is a great step toward breaking them down."
He adds, "After all, as a patient you want to focus on getting well—not on whether the tablet with your medical records is secure."
—by Karen Fleer
Our collaboration with NIST is just the start. MITRE helps our federal sponsors confront additional challenges related to health and health information technology. Learn more about this work at HIMSS17, the world's largest gathering of health IT professionals.