NIST Guide for EHRs on Mobile Devices – Part 3

Posted by Rebecca Santorios on January 7, 2016

In our last post, we talked about how well ByteGrid’s EHNAC-accredited systems responded to NIST’s assessment for cloud-based EHRs, as given in the draft version of their Practice Guide, “Securing Electronic Health Records on Mobile Devices.”

In this post, we’ll look at how ByteGrid can help EHR vendors align themselves with this guide, too. The table below lists some of NIST’s questions, and some of our recommendations for compliant solutions.

NIST Security Question: If integration of the cloud-based EHR system to in-house applications is needed, what are the implementation procedures and techniques used? What security features protect the data communicated among different systems?
ByteGrid Recommendation: You’ll need a thorough analysis in order to make informed design and configuration decisions here. We can help carry out an appropriate assessment to ensure the right security features are in place.

NIST Security Question: Does the EHR system vendor restrict the type of mobile devices that can access the system?
ByteGrid Recommendation: The system should be validated for each permissible device type, and validated to show that it appropriately restricts access from other device types.

NIST Security Question: Are mobile devices subject to some kind of mobile device management control for enforcing device security compliance?
ByteGrid Recommendation: The system should authenticate each mobile device before allowing transactions to occur. The system must restrict access to permitted devices only.

NIST Security Question: If a device is lost, stolen, or found to be hacked, are there any countermeasures in place to prevent protected data from becoming compromised?
ByteGrid Recommendation: The system should allow administrators to deactivate a device, so that it can no longer access the system.

NIST Security Question: Does the cloud-based EHR system require a user to be authenticated prior to obtaining access to patient health information?
ByteGrid Recommendation: The system must authenticate users before granting access.

NIST Security Question: What are the authentication mechanisms used for accessing the system?
ByteGrid Recommendation: The system should enforce multifactor authentication, for example, a combination of user ID, password, and token.

NIST Security Question: Are user IDs uniquely identifiable?
ByteGrid Recommendation: The system should enforce that each user ID is unique, and should prevent the deletion of user IDs to help prevent reuse of IDs.

NIST Security Question: If passwords are used, does the vendor enforce strong passwords and specify the lifecycle of the password?
ByteGrid Recommendation: The system should enforce strong passwords, for example, by restricting the use of common, easy-to-guess words, and by enforcing password length and complexity requirements. The system should also enforce password aging restrictions. These features can be made configurable by an administrator, as appropriate.

NIST Security Question: Does the system offer a role-based access control approach to restrict system access to authorized users to different data sources?
ByteGrid Recommendation: The system should restrict users' access to functionality based on their user role.

NIST Security Question: How does the network provide security for data in transmission?
ByteGrid Recommendation: We can help prepare an appropriate risk assessment for your system-specific solution. Typically, we expect HIPAA-compliant cloud solutions to include, at a minimum, data sharing within a secure VPN and state-of-the-art encryption mechanisms.

NIST Security Question: Does the EHR vendor log all the authorized and unauthorized access sessions and offer auditing?
ByteGrid Recommendation: We expect a HIPAA-compliant system to include tamper-resistant access logs.

NIST Security Question: Does the system have audit control mechanisms that can monitor, record, and/or examine information system activities that create, store, modify, and transmit patient health information?
ByteGrid Recommendation: Solutions will be system-specific, but HIPAA-compliant software should include complete, tamper-resistant audit trails.

NIST Security Question: Does the system retain copies of its audit/access records?
ByteGrid Recommendation: HIPAA-compliant software will include audit records that are capable of appropriate backup and archiving, and are tamper-resistant.

NIST Security Question: How often are new features released? How are they deployed?
ByteGrid Recommendation: We recommend that HIPAA-compliant systems have a thorough patch management program in place. ByteGrid's rigorous change control procedures can help support this.
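As an added illustration of what "tamper-resistant" can mean for the access logs and audit trails in the three audit rows above (this is example code, not ByteGrid's software or anything from the NIST guide): a hash-chained audit log in Python, where each entry's keyed hash covers the previous entry's hash, so that editing, reordering or deleting a record breaks verification. The key, the event fields and the sample access events are constructed for the demo.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed demo key; a real deployment keeps it in an HSM/KMS, out of reach of the log writer.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # chain anchor for the first entry

# Constructed sample PHI-access events (user, device, action, patient record, outcome).
SAMPLE_RECORDS = [
    {"ts": "2016-01-07T09:00:00Z", "user": "nurse-017", "device": "tab-0421",
     "action": "read", "patient": "P-1001", "outcome": "granted"},
    {"ts": "2016-01-07T09:02:10Z", "user": "nurse-017", "device": "tab-0999",
     "action": "read", "patient": "P-1001", "outcome": "denied-unknown-device"},
    {"ts": "2016-01-07T09:05:44Z", "user": "dr-042", "device": "tab-0302",
     "action": "modify", "patient": "P-1001", "outcome": "granted"},
]

def _digest(prev_hash: str, record: Dict) -> str:
    """Keyed hash over the previous entry's hash plus this record's canonical JSON."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, prev_hash.encode() + canonical, hashlib.sha256).hexdigest()

def append_entry(log: List[Dict], record: Dict) -> Dict:
    """Append a record; its hash binds it to everything written before it."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"record": dict(record), "prev": prev, "hash": _digest(prev, record)}
    log.append(entry)
    return entry

def verify_chain(log: List[Dict], expected_last: Optional[str] = None) -> int:
    """Return -1 if intact, else the index of the first entry whose link fails.
    Tail truncation is only caught when the latest hash, stored out of band
    (e.g. on a write-once backup), is passed as expected_last; reported as len(log)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or not hmac.compare_digest(
                entry["hash"], _digest(prev, entry["record"])):
            return i
        prev = entry["hash"]
    if expected_last is not None and not hmac.compare_digest(prev, expected_last):
        return len(log)
    return -1

def build_sample_log() -> List[Dict]:
    log: List[Dict] = []
    for rec in SAMPLE_RECORDS:
        append_entry(log, rec)
    return log
```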

When you partner with ByteGrid, you get more than an accredited HIPAA-compliant datacenter; you get a compliance partner to help ensure that your system satisfies regulatory requirements and is aligned with current industry standards. Contact us today to get started with HIPAA-compliant cloud hosting.