NOTICE: Due to a lapse in annual appropriations, most of this website is not being updated. Learn more.

Form submissions will still be accepted but will not receive responses at this time. Sections of this site for programs using non-appropriated funds (such as NVLAP) or those that are excepted from the shutdown (such as CHIPS and NVD) will continue to be updated.

U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

PUBLICATIONS

Securing Electronic Health Records on Mobile Devices

Published

Author(s)

Gavin W. O'Brien, Nate V. Lesser, Brett Pleasant, Sue Wang, Kangmin Zheng, Colin Bowers, Kyle Kamke

Abstract

Health care providers increasingly use mobile devices to receive, store, process, and transmit patient clinical information. According to our own risk analysis, discussed here, and in the experience of many health care providers, mobile devices can present vulnerabilities in a health care organization's networks. At the 2012 Health and Human Services Mobile Devices Roundtable, participants stressed that mobile devices are being used by many providers for health care delivery before they have implemented safeguards for privacy and security. This NIST Cybersecurity Practice Guide provides a modular, open, end-to-end reference design that can be tailored and implemented by health care organizations of varying sizes and information technology sophistication. Specifically, the guide shows how health care providers, using open source and commercially available tools and technologies that are consistent with cybersecurity standards, can more securely share patient information among caregivers using mobile devices. The scenario considered is that of a hypothetical primary care physician using her mobile device to perform reoccurring activities such as sending a referral (e.g., clinicalinformation) to another physician, or sending an electronic prescription to a pharmacy. While the design was demonstrated with a certain suite of products, the guide does not endorse these products in particular. Instead, it presents the characteristics and capabilities that an organization's security experts can use to identify similar standards-based products that can be integrated quickly and cost-effectively with a health care provider's existing tools and infrastructure.
Citation
Special Publication (NIST SP) - 1800-1
Report Number
1800-1
NIST Pub Series
Special Publication (NIST SP)
Pub Type
NIST Pubs

Download Paper

DOI Link

Keywords

breaches of patient health information, electronic health record security, electronic health record system, HIPAA, implement standards-based cybersecurity technologies, mobile device security standards, risk management, stolen health records, stolen medical information
Cybersecurity and privacy, Health IT and Internet of Things (IoT)

Citation

O'Brien, G. , Lesser, N. , Pleasant, B. , Wang, S. , Zheng, K. , Bowers, C. and Kamke, K. (2018), Securing Electronic Health Records on Mobile Devices, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.SP.1800-1 (Accessed October 14, 2025)

Issues

If you have any questions about this publication or are having problems accessing it, please contact [email protected].

Created July 27, 2018, Updated January 27, 2020
Was this page helpful?