NIST Releases Draft Guidance To Bolster Security of Mobile Devices
July 27, 2015 in News
On Thursday, the National Institute of Standards and Technology released draft guidance to help health IT professionals bolster the security of smartphones and tablets used by health care providers, IDG News Service/Computer World reports.
Providers are increasingly using tablets and smartphones to complete tasks, such as:
- Accessing patient data;
- Transferring electronic health records; and
- Submitting electronic prescriptions.
However, the devices might not have security features stringent enough to protect patients’ private health data. NIST wrote in the guidance, “Mobile devices are being used by many providers for health care delivery before they have implemented safeguards for privacy and security” (O’Connor, IDG News Service/Computer World, 7/24).
Details of Guidance
NIST developed the guidance along with cybersecurity experts from academia and the private sector (Ravindranath, Nextgov, 7/24).
The guide includes detailed explanations of how health IT professionals can implement security procedures throughout an organization’s whole IT system. For example, the guide provides instructions on how to:
- Connect Android and Apple mobile devices to commercial mobile device management cloud platforms;
- Create mobile device certificates;
- Set up Linux-based firewalls; and
- Set up other security technologies.
The guide does not provide specific product recommendations, but it does mention commonly used products that can be easily integrated into organizations’ current IT infrastructure.
In addition, the guide discusses which security risks pose the most significant threats to protecting patient data, including:
- Hackers exploiting weak system passwords; and
- Stolen devices.
Further, the guide includes an analysis of a mock IT system that was subjected to numerous security attacks and offers advice on how organizations can respond, such as by:
- Implementing access controls to prevent hackers from viewing patient information after they have breached the system; and
- Remotely wiping stolen mobile devices that have access to patient records.
According to IDG/Computer World, NIST will accept public comments on the guide until Sept. 25 (IDG News Service/Computer World, 7/24).