NIST SPECIAL PUBLICATION 1800 -1 Securing Electronic Health Records on Mobile Devices Includes Executive Summary (A); Approach, Architecture, and Sec urity Characteristics (B), How -To Guides (C) , Standards and Controls Mapping (D), and Risk Assessment and Outcomes (E) Gavin O ’Brien Nate Lesser Brett Pleasant Sue Wang Kangmin Zheng Colin Bowers Kyle Kamke This publication is available free of charge from: https://doi.org/10.6028/NIST.SP .1800 -1 The first draft of this publication is available free of charge from: https://www.nccoe.nist.gov/sites/default/files/library/sp1800/hit -ehr-nist-sp1800 -1-draft.pdf NIST SPECIAL PUBLICATION 1800 -1 Securing Electro nic Health Records on Mobile Devices Includes Executive Summary (A); Approach, Architecture, an d Security Characteristics (B), How-To Guides (C) , Standards and Controls Mapping (D), and Risk Assessment and Security Outcomes (E) Gavin O’Brien Nate Lesser National Cybersecurity Center of Excellence Information Technology Laboratory Brett Pleasant Sue Wang Kangmin Zheng The MITRE Corporation McLean, VA Colin Bowers Kyle Kamke Ramparts, LLC Clarksville, MD July 2018 U.S. Department of Commerce Wilbu r Ross , Secretary National Institute of Standards and Technology Walter G. Copan , Under Secretary of Commer ce fo r Standards and Technology and Director NIST SPECIAL PUBLICATION 1800 -1A Securing Electronic Health Records on Mobile Devices Volume A: Executive Summary Gavin O ’Brien Nate Lesser National Cybersecurity Center of Excellence Information Technology Laboratory Brett Pleasant Sue Wang Kangmin Zheng The MITRE Corporation McLean, VA Colin Bowers Kyle Kamke Ramparts, LLC Clarksville, MD July 2018 This publication is available free of charge from: https://doi.org/10.6028/NIST.SP .1800 -1 The first draft of this publication is available free of charge from: https://www.nccoe.nist.gov/sites/default/files/library/sp1800/hit -ehr-nist-sp1800 -1-draft.pdf NIST SP 1800 -1A: Securing Electronic Health Records on Mobile Devices 1 This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.1800 -1 Executive Summary ▪ Patient information in electronic health records (EHRs) needs to be protected so it is not exploited to endanger patient health or c ompromise identity and privacy . ▪ If not protected, patient information collected, stored, processed, and transmitted on mobile devices is especially vulnerable to attack . ▪ The National Cybersecurity Center of Excellence (NCCoE) developed an example solution to this problem by using commercially available products. ▪ The example solution is des cribed in the “How -To” guide, which provides organizations with detailed instructions to re-create it. The NCCoE’s approach secures patient information when practitioners access it with mobile devices. ▪ Organizations can use some or all of the guide to help them implement relevant standards and best practices contained in the National Institute of Standards and Technology (NIST) Cybersecurity Framework and in the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. In areas where there are no standards, such as malware prevention and detection or antivirus , our solution uses best practices. CHALLENGE Healthcare providers increasingly use mobile devices to store, process, and transmit patient information. When health information is stolen , inappropriately made public, or altered, healthcare organizations can face penalties and lose consumer trust, and patient care and safety may be compromised. The NCCoE helps organizations implement safeguards to ensure the security of patient information when doctors, nurses, and other caregivers use mobil e devices in conjunction with an EHR system. In our lab at the NCC