Health IT Use Case

Mobile Devices

Approach

In order to use electronic medical records and mobile devices to improve health care, providers should first understand their security challenges, then find a cost-effective security platform combined with practical cybersecurity solutions.

The NCCoE, as part of the Information Technology Laboratory at the National Institute of Standards and Technology, suggests that health care providers account for these cybersecurity challenges:

• Discounting physical security controls increases the likelihood that a health care worker will lose or misplace their mobile device (and stored private health information), or have it stolen.

• Using untrusted client devices allows threat actors to circumvent a device’s security features and access patient records and other private health information.

• Using untrusted networks (e.g., broadband, WiFi, WiMAX and cellular networks) increases the number of opportunities that a threat actor has to circumvent a device’s security features and access patient records and other private health information.

• Interacting with other systems increases a health care worker’s risk of compromising routine activities such as data synchronization and storage.

The NCCoE will resolve these types of cybersecurity challenges in collaboration with U.S. organizations that work with health care providers. The NCCoE invites participation from providers of technical expertise and products in a demonstration project of security platforms for the exchange of electronic health records on mobile devices.

In this use case, a hypothetical independent primary care physician uses her mobile device to perform a variety of recurring activities such as:

• Sending a referral (e.g., clinical information to another physician)
• Sending an electronic prescription
• Receiving a lab result
• Sending a patient lab results and instructions to see a specialist
• Checking a patient into a hospital under Dr. Smith’s care
• Sending or receiving consultation information
• Requesting that a hospital discharge a patient
• Viewing hospitalized patients’ charts
• Ordering an imaging test

At least one mobile device is used in every transaction, each of which interacts with a certified electronic health record (EHR). When a physician uses a mobile device to push clinical information to an EHR, it allows another physician to access the clinical information through a mobile device as well.

Architecture

The high-level abstract architecture involves a four-step information transfer process:

1. Physician uses a mobile device application to send a referral to another physician
2. Application sends the referral to a server running a certified EHR application
3. Server routes the referral to the referred physician
4. Referred physician uses mobile device to receive the referral

[Figure: Schematic of mobile device network communication with server]

Data Flow Example

The example data flow diagram illustrates one of many possible ways to securely maintain and exchange clinical information using mobile devices, which will be explored further in the Health IT Mobile Device Use Case. This diagram includes:

  • Identifiable perspective roles
  • Data exchanges
  • Cybersecurity considerations

[Figure: Data flow example, with legend]

Components

As we consider how a physician makes use of electronic health records, we are taking into account the following components in each of these areas:

Mobile Devices

• Mobile device*
• Mobile device management client*
• Intrusion detection system (IDS)*
• Firewall software*
• Provisioning system for mobile devices client*
• Healthcare mobile device application*
• Storage encryption*
• Antivirus*

Networks

• WiFi*
• Cellular
• Bluetooth

The Back End

• Certified electronic health record system*
• Storage encryption*
• Antivirus*
• Intrusion detection system (IDS)*
• Provisioning system for mobile devices server*
• Mobile device management server*
• Auditing mobile device*
• Mobile device identity management*
• Web server
• Email server
• Session initiation protocol (SIP) server
• LDAP
• Active Directory
• Policy manager

A Secure Infrastructure

• Firewall*
• VPN Gateway*
• Authentication, authorization, and accounting (AAA) server*
• CA and Enrollment*
• Switches
* required security component


How to Participate
The NCCoE has extended the deadline for submission of certification letters for organizations that are interested in participating in this project. We'll accept certification letters on an ongoing basis. To learn more, view the Federal Register Notice or contact us.

This use case has a wiki site where you can view relevant materials and discussions. To contribute to the wiki, registration is required.
