NIST Draws up Guidelines for Protecting Medical Patient Data on Mobile Devices


The guidelines attempt to ensure doctors don't compromise patient data when they use smartphones to access electronic health records.

The federal government is attempting to ensure that doctors don't inadvertently compromise patient data when they use smartphones to access electronic health records. 

The National Institute of Standards and Technology this week released a step-by-step guide for hospitals and IT professionals, listing ways to secure the connection between mobile devices and electronic health records.

NIST is collecting public comment on this draft until Sept. 25, 2015.

"Doctors have been early adopters of mobile devices, and have been using them in any sort of fashion because they can make their lives easier" as they move from patient to patient, Nate Lesser, deputy director of NIST's National Cybersecurity Center of Excellence, told Nextgov. "The primary challenge that industry brought to us is a doctor using a mobile device to collect patient information and refer that information to another provider."

But mobile devices bring security risks, according to NIST. A doctor could lose a device that can access sensitive patient information. The device could be stolen. Or hackers might be able to obtain credentials and pose as authorized users, among other risks.

Security techniques NIST outlined in the draft guidelines include an open source intrusion detection system; mobile-device management software that lets IT directors monitor devices and enforce their security policy; and certificate-based systems that can distinguish "good" devices from intruders, Lesser said.

The guidelines were developed in collaboration with cyber experts from the private sector and academia. NIST's National Cybersecurity Center of Excellence tested them in a laboratory designed to simulate the IT infrastructure of a hospital, reenacting scenarios such as "a physician using a mobile device and electronic health record application to send a prescription."

Lesser emphasized the guidelines are just the first step in creating standards and are intended to prompt hospitals and healthcare organizations to think more about the risks posed by mobile device use and choose a security system that works for them. 

For instance, Lesser said, "we happen to use an open source version of an intrusion detection system, but that doesn't mean you shouldn't consider going out and buying your intrusion detection system."
