NIST Guide for EHRs on Mobile Devices – Part 2

Posted by Rebecca Santorios on January 7, 2016


ByteGrid is the leader in HIPAA compliant cloud hosting, and we’re always eager to see how we measure up to a new standard.

NIST’s draft Practice Guide, “Securing Electronic Health Records on Mobile Devices” (NIST SP 1800-1), was released July 28th, 2015.  Though only a draft, we thought we’d take a look and see how it addressed HIPAA compliant cloud hosting.

For cloud-based systems, the guide includes a questionnaire for health care organizations to use when selecting a third-party provider.  Naturally, we wanted to evaluate ByteGrid’s HIPAA compliant cloud solution against this questionnaire.  Since we’re EHNAC-accredited, we expected that we’d be able to give most of the right responses, but we weren’t sure what to expect from a newly drafted guide.

Let’s take a look at how ByteGrid responds to the questions that a data center and hosting provider can answer on its own.  The list below gives each of these questions, along with our response.  Next time, we’ll talk about some of the system- or software-specific questions.

NIST Security Question: Is the EHR system vendor willing to sign a comprehensive business service agreement?

ByteGrid Response: ByteGrid signs meaningful BAAs and SLAs, specific to our customers’ needs.  A cloud host that stores or processes ePHI on behalf of a covered entity or an EHR vendor is a business associate under HIPAA, so the Privacy and Security Rules require a business associate agreement (BAA) with the hosting provider, not just a service contract.  EHR vendors should confirm that their cloud hosting provider is willing to sign one.

NIST Security Question: Is the EHR system vendor willing to confirm compliance with HIPAA Privacy and Security Rules, and willing to be audited, if requested?

ByteGrid Response: ByteGrid is EHNAC-accredited, an independent third-party accreditation, and we are always audit-ready in support of cloud-based EHRs.

NIST Security Question: What measures are used to protect the data stored in the cloud?

ByteGrid Response: ByteGrid has validated backup and disaster recovery procedures, and we’re ready to help validate your specific solution.  The physical security, monitoring, and encryption controls described in the following responses apply to stored data as well.

NIST Security Question: What measures are used to protect the data from loss, theft, and hacking?

ByteGrid Response: ByteGrid’s datacenters are all protected with tiered physical security, are fully qualified, and are subject to continuous monitoring.  We subject our systems to vulnerability and penetration testing to find and fix weaknesses, and we have validated backup/restore and disaster recovery procedures in place.

NIST Security Question: Does the system back up an exact copy of protected data? Are these backup files kept in a different location, well protected, and easily restored?

ByteGrid Response: We offer off-site backup, and our backup and restoration procedures are validated.  Backup copies of ePHI are subject to the same HIPAA protections as the primary copy, so they are covered by the same BAA, encryption, and access controls.

NIST Security Question: Does the system encrypt the protected data while at rest?

ByteGrid Response: We’ll put system-specific solutions in place, but disk encryption is a baseline requirement for our HIPAA compliant cloud solutions.  Disk encryption addresses the physical-media threats (lost, stolen, or improperly disposed-of drives); it does not by itself protect data from an attacker who has compromised a running system, which is why application- or database-level encryption of ePHI is part of the system-specific solution.

NIST Security Question: What happens if the EHR system vendor goes out of business? Will all clinical data and information be retrievable?

ByteGrid Response: We have detailed agreements in place with our regulated clients to ensure data availability.

NIST Security Question: Does the EHR system vendor have security procedures and policies for decommissioning used IT equipment and storage devices which contained or processed sensitive information?

ByteGrid Response: We have documented decommissioning and media sanitization procedures to protect PHI.

NIST Security Question: How does the EHR system vendor identify, respond to, handle, and report suspected security incidents?

ByteGrid Response: ByteGrid’s systems are continuously monitored, and we have documented procedures for identifying, handling, and reporting suspected security incidents.  We can help tie your system’s incident reporting into ours for a complete solution.

NIST Security Question: Does the EHR system vendor offer the ability to activate emergency access to its information system in the event of a disaster?

ByteGrid Response: ByteGrid has a validated disaster recovery program to help ensure system availability in an emergency.

NIST Security Question: Does the EHR system vendor have policies and procedures to identify the role of the individual responsible for accessing and activating emergency access settings, when necessary?

ByteGrid Response: Our disaster recovery program is backed by documented policies and procedures with clear assignment of responsibilities, and we can put system-specific measures in place.

NIST Security Question: Is the EHR system designed to provide recovery from an emergency and resume normal operations and access to patient health information during a disaster?

ByteGrid Response: ByteGrid can help qualify specific EHR system disaster recovery processes, to provide a complete, validated, and fully documented solution.

NIST Security Question: What is included in the customer support / IT support contract and relevant service level agreements?

ByteGrid Response: At ByteGrid, our support staff is available 24/7, and the specific support terms are spelled out in customer-specific SLAs.

NIST Security Question: Can the EHR system vendor provide a written copy of their security and privacy policies and procedures (including disaster recovery)?

ByteGrid Response: ByteGrid has documented procedures that have been proven over years of use and multiple audits.  We can help you develop your system-specific procedures for a comprehensive, end-to-end solution.

As you can see, ByteGrid’s compliant cloud addresses the data-center-level questions in the draft guide’s questionnaire as well as existing HIPAA requirements for cloud-based EHRs.   In our next post, we’ll show how we can help EHR vendors make sure that their piece is strong, too.  Together, we can create a best-in-class solution for cloud-based EHRs.

ByteGrid is the leader in HIPAA compliant cloud hosting.  Partner with us today to achieve a fully HIPAA compliant cloud system.