Healthcare providers operating BYOD schemes, and those that supply smartphones and other mobile devices to staff, are at risk of suffering a data breach if electronic health records on mobile devices are not appropriately secured. Mobile devices are convenient, are preferred by physicians for communication, and can improve efficiency and productivity; however, electronic health records on mobile devices must be secured. Worryingly, this is often not the case.
Government Concerned about the Mobile Device Security Risk
The federal government is concerned about the high risk of data exposure from using smartphones and other portable electronic devices to access electronic health records. Hackers are now targeting healthcare providers with alarming frequency for the highly valuable patient data they store.
Hackers are trying to gain access to EHRs, which can contain millions of Social Security numbers. If the personal data stored on patients is obtained, identities can be stolen, credit obtained in victims' names, and the thieves can commit insurance and Medicare fraud. Medical identity theft and fraud result in billions of dollars being lost every year.
While healthcare providers have implemented numerous controls to safeguard PHI stored on servers, desktop computers and in EHRs, the same stringent standards of data security are not always applied to mobile devices. Many HIPAA-covered entities are unaware of the risks from healthcare smartphone use and consequently do not implement sufficient security controls to protect data stored on the devices, or accessible through them.
How to Secure Electronic Health Records on Mobile Devices
The National Institute of Standards and Technology (NIST) has taken action to address the issue of mobile device cybersecurity and has released a new set of guidelines for HIPAA-covered entities to reduce the risk of suffering a successful cyberattack.
NIST’s National Cybersecurity Center of Excellence (NCCoE) has been collecting cybersecurity data for three years in an effort to identify the most common security vulnerabilities on mobile devices, and after analyzing the data it has produced the new guidelines: “Securing Electronic Health Records on Mobile Devices.” They cover the basic elements of cybersecurity which must be applied in order to secure EHRs and health data stored on mobile phones and portable devices. The guidelines are based on the NIST Framework for Improving Critical Infrastructure Cybersecurity, and contain a set of step-by-step instructions that healthcare providers can follow to secure the devices they use.
The guidelines do not list the exact safeguards that each entity must use to secure devices, as this will depend on the infrastructure already in place; instead, they list a number of products and services which can be adopted to improve data security and protect patient privacy.
Comments Invited on Securing Electronic Health Records on Mobile Devices
A final version of the guidelines for securing electronic health records on mobile devices will be issued in the fall; however, NIST decided to release the first draft to obtain comments from stakeholders, which will allow it to fine-tune the publication. Healthcare providers are being encouraged to download the guidelines and submit comments before September 25, 2015.
For ease of use and downloading, the guidelines have been split into sections, which can be downloaded separately.