Healthcare providers are breaking free from the nursing station and using mobile devices to receive, store, process and transmit patient clinical information from where they happen to be located, when the need presents itself. Sometimes, this is in a cafe over lunch with colleagues or while waiting for their child's baseball game to begin on a Saturday morning.

Along with the convenience, the mobile devices used by many of today's professionals introduce vulnerabilities into the healthcare organization's network, and ultimately put patients at risk. Too often these smartphones, tablets and other devices are being used by clinicians for healthcare delivery before the organization has implemented safeguards for privacy and security — and this has led to breaches of personal health information.

The National Institute of Standards and Technology (NIST) has stepped forward to help healthcare organizations improve the security of electronic health records (EHRs) on these ubiquitous tools that facilitate important care processes. Its newly released Cybersecurity Practice Guide provides a modular, end-to-end reference design that can be tailored and implemented by healthcare organizations of varying sizes and levels of information technology sophistication.

It guides information technology staff and leadership, using open source and commercially available tools and technologies that are consistent with cybersecurity standards, so those providing care can more securely share patient information.

The guide was built around an environment that simulates integration among mobile devices and an EHR system supported by the IT infrastructure of a medical organization. It walks users through the process of implementing relevant standards and best practices to help doctors, nurses and other caregivers use mobile devices in conjunction with an EHR.

The centerpiece is a hypothetical primary care physician who uses her mobile device to perform recurring activities such as sending a referral (e.g., clinical information) to another physician, or sending an electronic prescription to a pharmacy. It highlights the characteristics and capabilities that an organization's security experts can use to identify similar standards-based products that can be integrated quickly and cost-effectively with a healthcare provider's existing tools and infrastructure.

The guide demonstrates how existing technologies can be leveraged to meet a healthcare organization's need to better protect the information in EHR systems. It also shows how security engineers and IT professionals, using commercially available and open-source tools and technologies, can enable those in their healthcare organization to exchange patient health records more securely with mobile devices.

In addition, it:

  • maps security characteristics to standards and best practices, including the HIPAA Security Rule
  • provides a detailed architecture and capabilities that address security controls
  • facilitates ease of use through automated configuration of security controls
  • addresses the need for different types of implementation, whether in-house or outsourced
  • provides a how-to for implementers and security engineers seeking to recreate the reference design in their own organization

Perhaps most importantly, the Cybersecurity Practice Guide includes step-by-step instructions for assessing and identifying both adversarial (hackers) and nonadversarial (accidental) risk. It takes healthcare leaders through the process of ensuring their organization has implemented a comprehensive and continuous risk management strategy to increase the security of electronic health records.

The complete document is available at: