struction of the hard drive. The best practice technique
would be a physical destruction of the drive in such a way
it could not be reconstructed (shredding or crushing the
x Return the equipment through a delivery service that will
properly record the signature of the receiving party and
will not leave the parcel unattended.
User and device controls. Organizations should purge user
data on mobile devices after each use and prior to assigning to
the next user. Use NIST-approved secure deletion tools. Simply
deleting data does not necessarily eliminate it.
Organizations should restrict workstation access to organizationally approved devices, based on the analysis from the above
steps. They should audit for compliance and review policy decisions as the market for these devices changes frequently.
In addition, facilities should restrict the use of CD/DVD writers. They should consider the use of self-contained encryptable
CD/DVD media in areas that have a legitimate need to create
Secure mobile devices when not in use, including offices and
meeting rooms when equipment is left unattended. Arrange the
devices so they are not readily observable.
Inventory. Organizations should inventory the use of USB
mass storage devices. They should consider products that can
run on workstations and other computer devices that can audit the movement of data to and from a USB device. Many such
products can also control USB port usage based on policy.
Organizations should also examine all avenues of product
acquisition of mobile devices. If there are purchasing contracts
with vendors for mass storage devices, collaborate to enforce
the organization’s choice of mass storage products.
In addition, facilities should analyze inventory findings for the
types of devices being used and the types of data being moved
among the devices. Some of the port tools that audit and allow
control of USB devices on workstations and laptops can also
make shadow copies of the actual data moved between them.
This can be an enormous asset to determining the type of data
and usage patterns for mobile devices and media.
Organizations should centralize the oversight for media destruction and reallocation where possible. Media destruction
and disposal should be cross-referenced to inventory and appropriately tracked.
Theft/Loss. Organizations should perform loss investigations
on all lost or stolen equipment. They should also create an incident response team and conduct exercises to prepare for the
possibility of lost or stolen devices.
Part of this incident response plan should include plans to
deal with breach notifications in compliance with the breach
notification rule. In such cases, it may be necessary to identify
the data that were lost in order to ascertain who will need to be
Members of the incident response team should include (but
are not limited to) risk management, corporate compliance,
media relations, legal, and representatives of senior management.
In terms of theft awareness and education, it is critical for
healthcare facilities to ensure the organization’s media clean-
ing and destruction policies and procedures consider all types
of media and educate the workforce on the proper handling of
each. They should also provide employees with computer and
data theft precaution and deterrent information. Examples
might include instructions to:
In addition, facilities should train staff on how to report the
loss or theft of a mobile device and designate who they should
contact and the importance of timely notification. If the device
is stolen during travel, have the local police complete an inves-
tigation report immediately. Organizations should take this as
an opportunity to develop policies and procedures for incident
response and management.