NIST Mobile Device Report: NIST LogoThe National Institute of Standards and Technology (NIST) has released a detailed report on the risks of accessing protected health data on mobile devices and ways to prevent data loss.

The NIST report Securing Electronic Records on Mobile Devices, put together by the Cybersecurity Center of Excellence, details how health organizations can use commercially available and open source technology to facilitate more secure access of health records on mobile devices.

One look at the US Department of Health and Human Services’ list of health IT breaches, a list described by some observers as the “Wall of Shame”, highlights the importance and timeliness of this type of guidance. In June and July, there were more than 30 reported breaches affecting in total nearly five million patients’ health records. The biggest was the well publicized cyberattack on UCLA in June. According to the NIST report, costs related to health data breaches reach $12 billion per year.

This guide is really intended for health IT professionals and leaders of healthcare organizations, such as chief technology officers. The report does highlight several vulnerabilities related to how users (e.g. doctors, nurses, etc) access health records on their mobile devices. They include:

  • Losing a device or having one stolen
  • Logging in to a device and then walk away (anyone ever walk away from the nursing station with the computer still logged in or leave their logged in computer unattended at a coffee shop?)
  • Downloading viruses or malware, which I’d imagine is a particular issue in the more open Android ecosystem
  • Accessing health data via an unsecured network…like maybe at the hotel you’re staying at during a conference
  • Weak passwords – if your password is on this list, change it now

Some observers are calling for more attention to these user-related factors. They highlight issues such as how clinicians may copy health data into other apps on their mobile devices. They also note that the report doesn’t focus enough on factors like the use of EMR apps, the rapid development pace of mobile operating systems & software, and high rates of device turnover.

There are a number of other areas this guide addresses related to system architecture, the more technical behind-the-scenes stuff. It then describes in detail a framework for designing a more secure system that enables access of health records via mobile devices. The report also walks through several common scenarios (i.e. lost devices, etc) and how IT professionals can intervene to prevent data loss.

For clinicians, it should serve as a reminder of the ways in which we may unwittingly open the door to people with malicious intent and some of the simple things that can be done to save our IT colleagues from some serious headaches.

Ed. Note: If you’re an IT professional, please feel free to share your comments below – especially tips on how clinicians can help mitigate this problem or “things not to do” stories you encountered. We’ll add useful comments to the body of the post.