Success Story

NIST and NCCoE Use CRADA to Improve Cybersecurity in Healthcare Sector

NIST and the National Cybersecurity Center of Excellence (NCCoE) have been using Cooperative Research and Development Agreements (CRADAs) for joint cybersecurity efforts. The NCCoE’s mission is to advance cybersecurity by accelerating the adoption of secure technologies, collaborating with innovators to provide real-world, standards-based cybersecurity capabilities that address business needs. Within the NCCoE, business communities are organized into sectors. This success story describes the collaborative effort behind one project in the healthcare sector, Securing Electronic Health Records on Mobile Devices.

Cybersecurity challenges are brought to the NCCoE by members of the health IT community. Referred to by NIST as a community of interest (COI), this group helps the Center select topics and gives feedback on the results of NIST projects. With the rapid growth of mobility and the adoption of electronic health records (EHRs), the community saw a need to secure both these systems and the communications between them. The NIST lab at the NCCoE built an environment that simulates the interaction between mobile devices and an EHR system supported by a medical organization’s IT infrastructure, using technologies from a consortium of seven vendors together with open-source tools.

To start the collaborative effort, the NCCoE issued a call in the Federal Register inviting technology providers with commercial products that matched NIST’s security characteristics to submit letters of interest describing their products’ capabilities. Companies with relevant products were invited to sign a CRADA with NIST, allowing them to join a consortium to build this example solution. This story describes the process that brings the collaborators together in an open and transparent way. It also examines the lightweight CRADA that was used and discusses the benefits of its streamlined approach.

CRADA Outcome

The Health IT Mobile Device Use Case research program was a collaboration between the NIST NCCoE and eight industry participants. The collaboration was formalized using a CRADA, a partnering tool that allows federal laboratories to work on research and development projects with U.S. industry, academia, and other organizations. The project designed and implemented a mobile network build that secures communication between mobile devices and a backend electronic health record system. The research involved developing the interconnections among mobile devices, networking, secure infrastructure, and backend systems.

Numerous policy issues are involved in industry-collaborative research and development of health information technologies. Intellectual property and other contractual questions require negotiation in any government-industry collaboration. In the case of the NCCoE CRADA, the major challenges were negotiating End User License Agreements (EULAs) and their applicability to the federal government. Another sensitivity involved the legal terms for sharing trade secrets, including concern that works of the U.S. government cannot be copyrighted and worry about potential disclosure under the Freedom of Information Act (FOIA). Additionally, health IT work must comply with human subjects, animal subjects, and Health Insurance Portability and Accountability Act (HIPAA) regulations. Interestingly, there was also discussion of what encrypting patient information implies for a clinician’s obligations under the Hippocratic Oath.

By using a streamlined CRADA template and educating both industry and government partners on the process, the consortium reduced the time to execute a CRADA from 9-12 months in 2012-2013 to 2-3 months in 2016. The increased efficiency is likely due to NIST agreements staff developing a better understanding of the objections commonly raised by industry negotiators, and to the use of a template that remains silent on many “difficult” terms.