Mobile devices are now widely accepted, and their capability to provide access to services independent of user time and location makes them well suited for the provision of healthcare services to both patients and healthcare personnel. However, mobile services are still not generally allowed to operate on highly sensitive and personal data, mainly due to the lack of a defined security standard, the low protection of data transferred through mobile and wireless networks, and the absence of a standard, widely accepted user authentication method that ensures confidentiality. In this paper we propose a secure solution for mobile access to Electronic Health Record (EHR) systems. The proposed solution enables secure authentication and communication between a mobile device and a healthcare service provider through the use of a two-factor authentication method on a mobile phone and encryption. The proposed solution is independent of the mobile network provider and of the type of mobile device the application is running on, and provides multifactor authentication without the traditional requirement that the user has an additional authentication token. This simplifies use without compromising security. In the paper we present the usage scenarios, discuss the feasibility of the proposed solution together with its limitations, and present results from a prototype test bed.