NIST releases first-ever mobile device security guidelines

82-page how-to guide offers best practices for healthcare groups
By Erin McCann
11:00 AM
Share
Mobile devices

If you've been looking for any set of official guidelines for mobile device security or best practices on keeping medical data safe, there's finally some serious movement on that front – a standards handbook with reams of valuable insight on the topic.

The National Institute of Standards and Technology, the federal agency charged with developing tech standards, has unveiled its long-awaited mobile security guide, specifically written for safeguarding medical data.

The handbook – see below – currently in draft form is awaiting public comment. It offers healthcare organizations insight on how to bolster mHealth cybersecurity via open-source or commercial tools.

Securing Electronic Records on Mobile Devices, NIST officials point out, provides health IT professionals with "detailed architecture so that they can copy or recreate with different but similar technologies, the security characteristics of the guide." The guide also outlines NIST standards, best practices and other regulations to adhere to, such as HIPAA.

Among the myriad reasons for compiling such a guide, NIST officials point to a 2012 HHS roundtable on mobile devices, where participants underscored that "many healthcare providers are using mobile devices in healthcare delivery before they have appropriate privacy and security protections in place."

In fact, 90 percent of healthcare providers are currently utilizing mobile devices within their organizations.

"We know from working with them that healthcare organizations want to protect their clients' personal information and themselves from the high costs associated with breaches," said Donna Dodson, director of NIST's National Cybersecurity Center of Excellence, in a statement. "This guide can be an important tool among the many they use to reduce risk."

Included in the 82-page how-to guide, there's Bind DNS and DNSE installation and hardening tips step-by-step instructions and requirements, etc. There's Access Point advice, IPTables firewall how-tos. The guide also details back system best practices, configuration management specifications – including Puppet, production Web server, etc. It underlines intrusion detection systems, certification authority, host and mobile devices security, MDM enrollment and has an entire section on governance, risk and compliance.

NIST officials describe the new guidelines as including a "virtual environment that simulates interaction among mobile devices and an electronic health record system supported by the IT infrastructure of a medical organization."

In addition to the how-to handbook, the new NIST guidelines include a 16-page manual on relevant mobile device standards and controls mapping, specifically written for the healthcare industry. For each related technology, for instance, say key management, there’s a corresponding table of applicable standards and links to the standards.

The final piece of the guidelines delineates risk assessment and outcomes, based on the business workflow of a typical EHR user.