Electronic Health Records on Mobile Devices

Stolen personal information can have negative financial impacts but stolen medical information cuts to the very core of personal privacy. Medical identity theft already costs billions of dollars each year and altered medical information can put a person’s health at risk through misdiagnosis, delayed treatment, or incorrect prescriptions. Yet, the use of mobile devices to store, access, and transmit electronic healthcare records is outpacing the privacy and security protections on those devices.

A platform for healthcare providers to securely document, maintain, and exchange electronic patient records among mobile devices.

Cybersecurity experts at the NCCoE collaborated with healthcare industry and technology vendors to develop an example solution to show HDOs how they can secure electronic health records on mobile devices. The example solution is packaged as a “How To” guide, providing organizations with the detailed instructions to recreate our example.
Status: Finalized Practice Guide

The NCCoE released the NIST Cybersecurity Practice Guide, SP 1800-1, Securing Electronic Health Records on Mobile Devices. For ease of use, the guide is available to download or read in volumes.

Project Abstract

Healthcare providers increasingly use mobile devices to receive, store, process, and transmit patient clinical information. According to our own risk analysis, discussed here, and in the experience of many healthcare providers, mobile devices can introduce vulnerabilities in a healthcare organization’s networks.

This NIST Cybersecurity Practice Guide provides a modular, open, end-to-end reference design that can be tailored and implemented by healthcare organizations of varying sizes and information technology (IT) sophistication. Specifically, the guide shows how healthcare providers, using open-source and commercially available tools and technologies that are consistent with cybersecurity standards, can more securely share patient information among caregivers who are using mobile devices.

The scenario considered is that of a hypothetical primary care physician using her mobile device to perform recurring activities such as sending a referral (e.g., clinical information) to another physician, or sending an electronic prescription to a pharmacy.

Join the Community of Interest

A Community of Interest (COI) is a group of professionals and advisors that share business insights, technical expertise, challenges, and perspectives to guide NCCoE projects. COIs often include experts, innovators, and everyday users of cybersecurity and privacy technologies. Members typically meet monthly by teleconference. Share your expertise and consider becoming a member of this project's COI.

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.