August 10, 2020

Volume X, Number 223


Comments Requested on Draft Guide on Securing Electronic Health Records on Mobile Devices

The National Cybersecurity Center of Excellence (“NCCoE”) has released for public comment a draft of the first guide in a new series of publications “that will show businesses and other organizations how to improve their cybersecurity using standards-based, commercially available or open-source tools.” The guide discusses how to secure electronic health records on mobile devices. “The draft guide was developed by industry and academic cybersecurity experts, with the input of health care providers who first identified the challenge.”

The “Securing Electronic Records on Mobile Devices” Practice Guide demonstrates how commercially available and open-source tools and technologies can help health care organizations that use mobile devices share patients’ health records more securely. The Practice Guide “provides IT implementers and security engineers with a detailed architecture so that they can copy, or recreate with different but similar technologies, the security characteristics of the guide.”

The Practice Guide is made up of five volumes:

(1) Executive Summary;

(2) Approach, Architecture, and Security Characteristics, which describes what NCCoE built and why;

(3) How To Guide, which shows IT professionals and security engineers how to implement the “example solution for securing the transfer of electronic health records on mobile devices”;

(4) Standards and Controls Mapping, which lists the standards, best practices, and technologies used in the creation of the Practice Guide; and

(5) Risk Assessment and Outcomes, which describes the methodology used to conduct “the reference design system risk assessment, the results of that risk assessment, the intended outcomes of implementing the reference design, and the results of the reference design functional test.”

The Guide also recommends that providers assess risks and make decisions about how to mitigate risks on a continuous basis to account for the dynamic nature of business processes and technologies, the threat landscape, and the data itself.

Health care providers and app developers in this space may want to review and comment on the draft, since the final version is likely to become the industry standard.  The NCCoE requests that comments be sent to by September 25, 2015.

© 2020 Covington & Burling LLP

National Law Review, Volume V, Number 210

