The National Cybersecurity Center of Excellence (“NCCoE”) has released a draft for public comment of the first guide in a new series of publications “that will show businesses and other organizations how to improve their cybersecurity using standards-based, commercially available or open-source tools.” The guide discusses how to secure electronic health records on mobile devices. “The draft guide was developed by industry and academic cybersecurity experts, with the input of health care providers who first identified the challenge.”

The “Securing Electronic Records on Mobile Devices” Practice Guide demonstrates how commercially available and open-source tools and technologies can help health care organizations that use mobile devices share patients’ health records more securely. The Practice Guide “provides IT implementers and security engineers with a detailed architecture so that they can copy, or recreate with different but similar technologies, the security characteristics of the guide.”

The Practice Guide is made up of five volumes:

(1) Executive Summary;

(2) Approach, Architecture, and Security Characteristics, which describes what NCCoE built and why;

(3) How To Guide, which shows IT professionals and security engineers how to implement the “example solution for securing the transfer of electronic health records on mobile devices”;

(4) Standards and Controls Mapping, which lists the standards, best practices, and technologies used in the creation of the Practice Guide; and

(5) Risk Assessment and Outcomes, which describes the methodology used to conduct “the reference design system risk assessment, the results of that risk assessment, the intended outcomes of implementing the reference design, and the results of the reference design functional test.”

The Guide also recommends that providers assess risks and make decisions about how to mitigate risks on a continuous basis to account for the dynamic nature of business processes and technologies, the threat landscape, and the data itself.

Health care providers and app developers in this space may want to review and comment on the draft, since the final version is likely to become the industry standard.  The NCCoE requests that comments be sent to HIT_NCCoE@nist.gov by September 25, 2015.