Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Comments Requested on Draft Guide for Keeping Medical Information Secure on Mobile Devices

Stethoscope
Credit: Africa Studio/Fotolia

Gaithersburg, MD — The National Cybersecurity Center of Excellence (NCCoE) has released a draft for public comment of the first guide in a new series of publications that will show businesses and other organizations how to improve their cybersecurity using standards-based, commercially available or open-source tools. The step-by-step guide released today demonstrates how health care providers can make mobile devices, such as smartphones and tablets, more secure, in order to better protect patient information and still take advantage of advances in communications technology.

The center was established in 2012 by the U.S. Commerce Department's National Institute of Standards and Technology (NIST), the state of Maryland, and Montgomery County, Md. Since that time, the center has been building partnerships with industry and academia to identify cybersecurity challenges and develop example solutions in industries such as health care, energy and financial services.

"The NCCoE was established specifically to help organizations solve real-world challenges, and this was one of particular concern to the health care community," says NCCoE Director Donna Dodson. "This guide can help providers protect critical patient information without getting in the way of delivering quality care."

Stolen personal information can have negative financial impacts, but stolen medical information cuts to the very core of personal privacy. Medical identity theft already costs billions of dollars each year, and altered medical information can put a person's health at risk through misdiagnosis, delayed treatment or incorrect prescriptions. Yet, the use of mobile devices to store, access and transmit electronic health care records is outpacing the privacy and security protections on those devices.

Securing Electronic Records on Mobile Devices provides IT implementers and security engineers with a detailed architecture so that they can copy, or recreate with different but similar technologies, the security characteristics of the guide. It also maps to standards and best practices from NIST and others, and to Health Insurance Portability and Accountability Act (HIPAA) rules. The guide takes into account the need for different types of implementation for different circumstances such as when cyber security is handled in-house or is outsourced.

The draft guide was developed by industry and academic cybersecurity experts, with the input of health care providers who first identified the challenge. The center then invited technology providers with relevant commercial products to partner with NIST through cooperative research and development agreements and collected public feedback at multiple steps along the way.

The team at the NCCoE built a virtual environment that simulates interaction among mobile devices and an electronic health record system supported by the IT infrastructure of a medical organization. They developed a scenario in which a hypothetical primary care physician uses her mobile device to perform recurring activities such as sending a referral containing clinical information to another physician or sending an electronic prescription to a pharmacy. Then, using commercially available technologies, they built a solution to improve privacy and security protections.

"We know from working with them that health care organizations want to protect their clients' personal information and themselves from the high costs associated with breaches," said Dodson. "This guide can be an important tool among the many they use to reduce risk."

The draft guide is the first in the newly established 1800 series of NIST special publications, designed to help companies protect their information systems.

The NCCoE requests that comments on Securing Electronic Records on Mobile Devices be sent to HIT_NCCoE [at] nist.gov (HIT_NCCoE[at]nist[dot]gov) by September 25, 2015. The draft document in five parts, a web form and a template for comments are available at https://nccoe.nist.gov/projects/use_cases/health_it/ehr_on_mobile_devices.

As a non-regulatory agency of the U.S. Department of Commerce, NIST promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security and improve our quality of life. To learn more about NIST, visit www.nist.gov.

Released July 23, 2015, Updated January 30, 2023