Security Recommendations for Mobile Health Apps
Expanded use of Electronic Health Records (EHRs) is an integral component of the ongoing digital modernization of the U.S. health care system. Among the anticipated advantages of EHRs are improvements in patient care (for example, faster access to relevant information and consequently better care coordination), increased patient engagement, fewer medical errors, and cost savings. On the other hand, implementing EHRs in a sustainable and legally compliant way requires upfront investment in hardware, software, training, and workflow restructuring, as well as management of risks unique to electronic records, such as unauthorized access to, or tampering with, patient data. When EHRs are accessed from mobile devices, the attack surface grows and the cybersecurity risks multiply. Addressing this challenge can be daunting, both for medical practices and for EHR product providers.
To help address these concerns, the U.S. National Institute of Standards and Technology (NIST) and its National Cybersecurity Center of Excellence (NCCoE) recently published a comprehensive practice guide entitled “Securing Electronic Health Records on Mobile Devices.” One of the goals of the document is to demonstrate, with detailed examples built from already-available standards and technologies, how to protect patients’ health records on mobile devices in a manner consistent with the HIPAA Security Rule. The guide is intended to facilitate the adoption of cybersecurity best practices, but it is not legally binding, and its use is voluntary. Nevertheless, the guide encourages organizations to consider its worked-out example architecture, which relies on both commercial products and open-source solutions.
The guide adopts, and stresses throughout, a risk-based approach to security. A structured, methodical risk assessment should ideally be completed before health care providers start using mobile devices in a given practice, and it should be continuous in nature, with periodic review and reassessment of the identified risks. This change in attitude may be one of the more important barriers for health care organizations to overcome, since cybersecurity has often been treated as an afterthought, which has contributed to a growing number of data breaches and the legal and financial repercussions that follow them.
NCCoE and NIST are inviting organizations to provide feedback on the practice guide, especially on how it works when implemented in real-world environments.