• Limit the use of the assigned mobile device to the designated employee. Maintain a current list of mobile device
users and borrowers, assigned equipment serial numbers,
and software. Hold the computer borrower responsible
and accountable for the safety and security of the assigned equipment and information.
• Develop sanction policies and educate employees on the
sanction policies before the employee is allowed to use or
synchronize a device. Make sure the sanction policies apply regardless of device ownership.
Avoid maintaining PHI on mobile devices. Instead, organizations should store the information on the facility’s network so
the information can be backed up and maintained more securely. When network storage is not possible, information should be
encrypted to protect it from unauthorized access should the device be lost or stolen.
Depending on the size of the facility and degree of technical
support, it is advisable to consider remote connections from the
mobile device to virtual systems within the data center.
Routinely scan mobile devices to ensure safeguards are
present and operating, such as operating system and application patches and updates. Some mobile devices may distribute
“firmware” upgrades instead of an operating system update.
Such devices should be appropriately updated when new software is available. Applications installed on the device should
also be checked frequently for updates and the updates installed to reduce exposure of application vulnerabilities.
Organizations must also routinely scan their mobile devices to
ensure virus signature files and antivirus engines are up to date.
Organizational password policies should follow the same recommended best practices as computer workstations and server
systems. Organizations must ensure that passwords are being
used and are not written on the device. They should require the
use of strong passwords of at least seven to eight characters, including alphanumeric and special characters.
In the mobile environment, password protections should include automatic device shutdown after multiple unsuccessful
log-in attempts. Such protections can wipe the device back to a
factory state in the case of loss or theft.
Incorporate appropriate encryption for each device in use.
Not all mobile devices support encryption or can be encrypted
effectively enough to be used with patient information. Developing use cases will provide an organization with the information needed to establish what devices can be used to transport
or handle sensitive information and the type of encryption tools
to use. For example, the device may be able to utilize an encrypted container to hold e-mail, while not providing sufficient
encryption to meet the need for transporting sensitive files.
Regularly audit policies, procedures, and assigned equipment and software lists. Like other IT technologies, mobile
devices should be routinely audited for security controls. Organizations should consider methods for routinely auditing
such devices. This may take the form of tool sets that constantly
monitor the device for compliance with policy, reporting back to a
central server, or the recall of randomly selected devices for personal inspection and compliance evaluation. Some organizations (depending on size and complexity) may choose to do both.
Additional considerations for safeguarding mobile devices
and related ePHI include:
Encryption. Organizations should purchase and install a suitable “whole-disk” encryption product for mobile devices such
as laptop computers. Not all mobile devices can support encryption products. An organization must determine whether the mobile device can support encryption and, in cases where encryption is not available, evaluate the risks of using the device.
Organizations should ensure encryption products have a central key management infrastructure to enable the recovery of
encryption keys. Central key management is critical if the organization has to recover information from a device. If an employee leaves the organization without releasing the encryption
keys, the only hope for recovery of the encrypted information is
from the central key depository.
In addition, organizations should consider the type of mass
storage device and the availability of encryption. They should
look for devices that provide hardware-based encryption and
do not require administrative rights on the host computer in
order to operate. This is critically important for staff who travel
and may need access to the device from a coffee shop or hotel
computer.
Software-encrypted devices usually require software to be
loaded from the portable device onto the host system (in this
example, the coffee shop or hotel computer). Such host systems
are generally “locked down” to deny the operation of such applications, resulting in the inability to access the software-encrypted mobile device.
Hardware-encrypted devices perform the encryption function
within their own hardware, without the need to execute code on
the hotel or coffee shop system.
Organizations should also make sure the use of any encryption technology is compliant with NIST and FIPS 140-2.
Tracking software with capabilities to remotely wipe the
device if it is lost or stolen. When purchasing mobile devices,
organizations should consider vendors with local repair facilities to avoid potential theft or loss during shipment to or from
the factory when devices are sent for repair. Local repair facilities should complete a business associate agreement or similar
agreement if they are to service mobile equipment.
In the event equipment must be sent off site to a manufacturer
for repair, organizations should consider the following:
• Removing the hard drive prior to return. This would be
advisable if the support issue is a repair item other than
the hard drive.
• If the equipment is being returned as part of an equipment exchange or trade in, work with the vendor to keep
the hard drive. Dispose of the hard drive using an acceptable destruction method such as a NIST-approved secure
overwrite method, magnetic degaussing, or physical de-