NIST Guide for EHRs on Mobile Devices – Part 1

Posted by ByteGrid Admin on August 24, 2015


At ByteGrid, we’re working constantly to make sure our HIPAA compliant cloud systems continue to meet current industry standards.

On July 28th, NIST released a draft of their Practice Guide, “Securing Electronic Health Records on Mobile Devices.” The guide comprises 5 volumes and is intended to be modular, so that it can be deployed as a whole or in parts. In this post, we’ll give you an overview of the guidance. Later, we’ll show you the guide’s specifics for cloud-based EHRs.

How the guide was developed

NIST’s guide is based on a simulated healthcare environment they built in their lab, in which a mobile device was involved in each EHR transaction.  Based on their experience with this simulation, NIST developed architecture and configuration recommendations for healthcare providers.

Risk management is emphasized

The guide repeatedly mentions security roundtable comments that “many health care providers are using mobile devices in health care delivery before they have appropriate privacy and security protections in place.” It shouldn’t surprise you to learn that the best place to start is with a risk assessment. Indeed, NIST’s work in preparing the guide began with a risk assessment of their test environment.

What are the risks?

Like NIST, we expect a HIPAA risk assessment to identify threats to data confidentiality, data integrity, and system and data availability. In their assessment, NIST’s team found these main threat sources:

  • Lost/stolen devices
  • Unattended sessions
  • Viruses or other malware
  • Use of Wi-Fi networks that aren’t secure
  • Inadequate access control and/or enforcement
  • Poor change management and configuration management
  • Inadequate data retention, backup, and recovery

If any of this looks familiar, it might be because you’ve read here about data breaches caused by many of these exact threats. At ByteGrid, we’ve always emphasized the importance of starting with a risk assessment. This practice helps organizations ensure that they aren’t putting weak systems into use. If you partner with ByteGrid for your cloud-based system, your risk assessment will have its foundation in place, thanks to our rigorous, regularly updated facility risk assessment. Our compliance staff can help you complete your assessment by addressing your system-specific risks.

If you’re implementing a cloud-based EHR, ByteGrid is here to help.  Contact us today and get started with HIPAA compliant cloud hosting.