HHS prescribes 11 basic steps for securing mobile devices
- By Kathleen Hickey
- Dec 17, 2012
The Health and Human Services Department, acknowledging the privacy risks when dealing with health information, has released several online resources to help health care providers protect patient privacy when using mobile devices such as smart phones, tablets and laptop PCs. The tools include videos, fact sheets and posters to educate health care professionals on how to best safeguard patient health information.
While mobile devices hold promise in improving health care, “it’s important that these tools are used correctly,” said Joy Pritts, chief privacy officer for HHS’ Office of the National Coordinator for Health Information Technology. “Health care providers, administrators and their staffs must create a culture of privacy and security across their organizations to ensure the privacy and security of their patients’ protected health information.”
According to a recent Ponemon Institute survey, negligence is the main reason for patient privacy and data breaches, with the primary cause being lost or stolen computing devices (46 percent), most of which were mobile devices. On average, 51 percent of employees are bringing their own devices to health care facilities. Ninety-four percent of the health care organizations surveyed reported a data breach in the past two years.
Other common mobile device risks include using an unsecure Wi-Fi network; inadvertently downloading viruses or other malware; and unintentional disclosure to unauthorized users when sharing mobile devices with friends, family and/or coworkers.
HHS recommends several policy approaches to managing mobile devices, along with 11 specific steps organizations can take, and which would apply to any public-sector agency that deals with sensitive information.
1. Use a password or other user authentication
Configure mobile devices to require passwords, personal identification numbers or passcodes for access, and set the devices to lock their screens after a set period of device inactivity.
2. Install and enable encryption
Activate the device's built-in encryption capabilities. If no such capabilities exist, install encryption software.
3. Install and activate remote wiping and/or remote disabling
Use remote wiping to permanently erase data on a device that has been lost or stolen. Remote disabling can lock data, making the device usable if it is recovered.
4. Avoid file-sharing applications
Disable file-sharing apps that are on a device, and do not install any new ones. File-sharing software enables collaboration and the trading of files but also provides a way for unauthorized users to access mobile devices.
5. Install and enable a firewall
Use a personal firewall on individual devices that will detect attempts to connect and will allow or block connection based on pre-set rules.
6. Install and enable security software
Protect against malicious applications, viruses, spyware and malware-based attacks with security software.
7. Keep security software up to date
Ensure security software is current.
8. Research mobile apps before downloading
Only install and use apps from known, reputable providers and verify that an app performs only the functions it should.
9. Maintain physical control
Keep mobile devices in locked drawers if they are not being carried by the user. Device screens should be locked, and users should not share devices.
10. Be careful with public Wi-Fi networks
Do not send or receive health information via a public Wi-Fi network unless it has secure, encrypted connections.
11. Delete all stored health information before discarding or reusing the mobile device
Follow HHS guidance to remove health information and other sensitive data before throwing out or reusing a mobile device.
HHS also recommends making devices undiscoverable by Bluetooth, not sharing devices and registering the device with your organization.
HHS isn’t the only agency offering advice on the issue. In October, the National Institute of Standards and Technology released draft security guidelines for mobile devices.