Request Demo

Healthcare, NIST Cybersecurity Framework

Healthcare Mobile Device Security According to NIST and NCCoE

down-arrow


An article from HealthITSecurity detailed that NIST and the National Cybersecurity Center of Excellence (NCCoE) have released a guidance on how healthcare providers can make an effort to secure mobile devices in the healthcare industry. The securing Electronic Records on Mobile Devices guidance gives information for security practitioners, IT-focused professionals, and security engineers.

“Healthcare providers increasingly use mobile devices to store, process, and transmit patient information. When health information is stolen, inappropriately made public, or altered, healthcare organizations can face penalties and lose consumer trust, and patient care and safety may be compromised,” says the guidance text.

According to the article, "mobile device security is a top concern of healthcare providers when it comes to their mobile programs, according to a recent survey of 600 healthcare IT decision makers conducted by Vanson Bourne on behalf of mobile device management provider Jamf.

Despite their concern, a full 90 percent of respondents said their institution is implementing or planning to implement a mobile initiative. And nearly half plan to increase mobile device usage within the next two years.

The guide shows how healthcare providers, using open-source and commercially available tools and technologies, can more securely share patient information among caregivers who are using mobile devices. Specifically, the guide's security architecture provides a number of benefits to healthcare organizations. The security architecture maps to standards and best practices from NIST, including the NIST Cybersecurity Framework, and to the HIPAA Privacy and Security Rules. 

The guide was developed by industry and academic cybersecurity experts, with the input of healthcare providers who first identified the challenge. The center then invited technology providers with relevant commercial products to partner with NIST through cooperative research and development agreements and collected public feedback along the way.

The team at the NCCoE built a virtual environment that simulates interaction among mobile devices and an EHR system supported by the IT infrastructure of a medical organization. NCCoE was founded in  2012 by NIST, the state of Maryland, and Montgomery County, Maryland. 

The high-level abstract security architecture involves a multi-step information transfer process:

1) a physician uses a mobile device application to send a referral to another physician

2) the application sends the referral to a server running a certified EHR application

3) the server routes the referral to the referred physician, and 4) the referred physician uses a mobile device to receive the referral.

The architecture uses commercially available tools. When there were no commercial products to address specific needs, NIST and NCCoE researchers used open-source products. Commercial and open-source standards-based products are available and interoperable with commonly used IT infrastructure and investments.

The architecture has a modular design, allowing organizations to adopt as much or as little of the reference design as suits their needs."

The guidance noted that healthcare organizations regardless of size, location, etc. must "fully understand their potential cybersecurity risks, the bottom-line implications of those vulnerabilities, and the lengths that attackers will go to exploit vulnerabilities."

The guidance continued to give advice, including “Assessing risks and making decisions about how to mitigate them should be continuous to account for the dynamic nature of business processes and technologies, the threat landscape, and the data itself."

The guidance also said that the authors would "recommend that organizations implement a continuous risk management process as a starting point for adopting this or other approaches that will increase the security of EHRs. It is important for management to perform regular periodic risk review, as determined by the needs of the business."

NIST's Internet of Things (IoT) Framework draft is out and is readily available via the CyberStrong Platform. Use CyberStrong's Integrated Risk Management Platform to streamline compliance and risk projects, accurately map your risks across cloud, mobile, and other risk areas, regardless of complexity. CyberStrong is the most cost-competitive integrated risk management solution available, while also remaining robust enough to handle an exponential amount of company or supply chain data, and scalable across even hundreds (or thousands) of assessments. Learn more by scheduling a free demo, and experience automated intelligence cyber compliance and risk management.

You may also like

Why GRC Needs IRM
on August 7, 2019

Today, every organization strives to optimize the speed with which they access information. Data is being stored, processed, transmitted and utilized in almost every day-to-day ...

Alison Furneaux
SSP and POAM Guidance for DFARS ...
on July 24, 2019

Defense federal acquisition regulation supplement (DFARS) Compliance has been top of mind for Prime contractors as well as Department of Defense (DoD) suppliers since before the ...

Alison Furneaux
Integrated Risk Management Magic ...
on July 17, 2019

It has been roughly one year since Gartner released the 2018 Magic Quadrant for Integrated Risk Management, the first of its kind, and as of this week the second Integrated Risk ...

Alison Furneaux
"Glass-box" Solutions Are Critical ...
on July 11, 2019

With the likes of Equifax and Marriott, it is no secret that cybersecurity has made its way into the Boardroom. While many executives are experienced in managing myriad business ...

Reading Between the Lines of NIST ...
on July 9, 2019

On June 19th, the National Institute of Standards and Technology (NIST) released the much anticipated Rev 2 of SP 800-171 and the working draft of supplement SP 800-171B. As the ...

How We're Making DFARS Compliance ...
on July 2, 2019

With the Department of Defense (DoD) making DFARS compliance a requirement for all contractors doing business with the DoD, a great amount of stress has been put on DoD ...