HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

NCCoE Cybersecurity Practice Guide for Mobile Devices Released: Comments Requested

The use of smartphones and other portable devices in healthcare is growing, and the federal government is concerned. The devices carry a high risk of causing a data breach, and the feds are concerned that physicians and other healthcare workers may accidentally expose patient data, or worse still, give hackers an entry point into hospital EHRs.

Medical identity theft costs billions of dollars every year, and patients' privacy is being violated on an almost daily basis. Hackers are targeting healthcare organizations, thieves are looking for portable devices to steal, and malicious insiders are copying data from EHRs; however, smartphones have the potential to cause even more data breaches. The reason? The data security and privacy protections used to safeguard data stored on the devices are often inadequate.


NCCoE Takes Steps to Protect Mobile Healthcare Devices


The National Cybersecurity Center of Excellence (NCCoE) was formed by the National Institute of Standards and Technology (NIST), the state of Maryland, and Montgomery County, Md., in 2012, and during the past three years it has been gathering data to help it identify the common cybersecurity challenges faced by U.S. industries.

According to NCCoE Director Donna Dodson, “The NCCoE was established specifically to help organizations solve real-world challenges, and this was one of particular concern to the health care community.” She went on to say, “This guide can help providers protect critical patient information without getting in the way of delivering quality care.”



New Cybersecurity Guidelines for Mobile Devices Released


To prevent smartphones and other portable electronic storage devices from causing data breaches, the NCCoE, under the guidance of NIST, has developed a new set of cybersecurity guidelines to help HIPAA-covered entities secure smartphones and other mobile devices.

The NCCoE consulted with healthcare and security professionals as well as technology vendors to determine the best methods for protecting the devices, and the research has now been compiled into a guide to cybersecurity that healthcare providers can use to better protect patient data. The guidelines also incorporate the rules laid down in the Health Insurance Portability and Accountability Act (HIPAA) to keep data secure.

The guide, “Securing Electronic Health Records on Mobile Devices,” contains step-by-step information on how to secure data, along with a number of best practices to adopt. The guide incorporates the NIST Framework for Improving Critical Infrastructure Cybersecurity and lists a number of standards-based, commercially available, or open-source tools.

The guide does not suggest that all of the products be used, nor does it endorse any of the products it mentions. It offers a number of possible solutions and leaves it to each organization to determine which methods best match its existing IT infrastructure. The guidelines can be used as a starting point to develop policies and procedures to secure devices and data, or as a step-by-step guide to improve mobile device security.


Comments Invited on Draft Securing Electronic Records on Mobile Devices Guide


NIST recently issued a press release announcing the release of the guide, and has invited comments on securing electronic records on mobile devices. The guide has been broken down into sections – Executive Summary; Approach, Architecture, How to Guide, Standards and Controls Mapping; and Risk Assessment and Outcomes – which can be downloaded separately for ease of use.

Healthcare providers and other organizations have until September 25, 2015 to download the guide and submit comments. The final guide is expected to be released later in the fall.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.