The National Cybersecurity Center of Excellence (NCCoE), established in 2012 by the U.S. Commerce Department’s National Institute of Standards and Technology (NIST), the state of Maryland, and Montgomery County, Md., has published a report detailing the risks of using mobile devices to maintain electronic health records, along with guidelines for how health organizations can use commercially available and open source technology to provide more secure access to health records on mobile devices.
Securing Electronic Records on Mobile Devices provides IT implementers and security engineers with a detailed reference architecture so that they can reproduce the security characteristics of the guide, either directly or with different but comparable technologies. It also maps those characteristics to standards and best practices from NIST and others, and to Health Insurance Portability and Accountability Act (HIPAA) rules. The guide takes into account the need for different types of implementation in different circumstances, such as when cybersecurity is handled in-house or is outsourced.
“Stolen personal information can have negative financial impacts, but stolen medical information cuts to the very core of personal privacy,” notes a press release introducing the report. “Medical identity theft already costs billions of dollars each year, and altered medical information can put a person’s health at risk through misdiagnosis, delayed treatment or incorrect prescriptions. Yet, the use of mobile devices to store, access and transmit electronic health care records is outpacing the privacy and security protections on those devices.”
The report uses a case study to detail the various ways in which medical data can be better protected. “We considered a scenario in which a hypothetical primary care physician uses her mobile device to perform recurring activities such as sending a referral containing a patient’s clinical information to another physician, or sending an electronic prescription to a pharmacy,” the report explains. “At least one mobile device is used in every transaction, each of which interacts with an EHR system. When a physician uses a mobile device to add patient information into an electronic health record, the EHR system enables another physician to access the information through a mobile device, as well.”