The NIST-led National Cybersecurity Center of Excellence (NCCoE) has once again provided industry-specific practical guidance with its guide to Securing Electronic Health Records on Mobile Devices. The new guide addresses real-life use cases faced by healthcare practitioners and offers best practices for securing sensitive data.
With more and more healthcare electronic records being accessed through mobile devices, the guide focuses on the security measures needed to protect patient information that is accessed, stored, or transmitted over mobile devices. The NCCoE continues to promote solutions that are standards-based, and its Securing Electronic Health Records on Mobile Devices practice guide is no exception. The NCCoE does a great job of mapping the security characteristics around access control, audit and monitoring, device integration, person or entity authorization, and transmission security to both the Cybersecurity Framework and HIPAA.
After experiencing first-hand the approach the NCCoE takes in helping industries enhance their cybersecurity maturity, I’m a big believer that their approach is spot on. By translating the expertise of security vendors for users (doctors, nurses, caregivers, and health IT professionals) and deeply engaging with the user community, the NCCoE’s “How-to guide” results in quicker implementation, compliant implementation, and better security.
Beginning with real user feedback on the challenges faced within their community, the NCCoE delves deep into understanding the user persona, business challenges, and regulations unique to the sector. In this case the focus is on helping protect patient information that, if stolen, could lead to a loss of consumer trust, compromised care, and fines.
Not surprisingly, PKI technology is deeply rooted in the NCCoE’s practice guide: it provides strong authentication for both users and devices and encryption via SSL for the transmission of health records. The guide states that “Using a Public Key Infrastructure approach is among the strongest methods to assure proper identity and access control for PHI”.
For many healthcare organizations, even the largest, operating an internal Certificate Authority to manage their PKI deployments isn’t a core competence. The NCCoE guide addresses that reality in one of its simulated scenarios, where a radiology department decides to outsource the complex components of its secure mobile device solution.
GlobalSign’s SaaS Certificate Authority is a great option for those looking for a low barrier to robust security technology without the heavy capital and operating expenses, or the in-depth PKI expertise, needed to operate a CA.
In short: healthcare IT security professionals, we are here to help! Read the NCCoE’s guide, and talk to GlobalSign today to get started with managing your PKI security needs.