Improve Mobile Device Security with this HC3 Checklist
The Health Sector Cybersecurity Coordination Center (HC3) has published a mobile device security checklist to help healthcare organizations address a common cybersecurity weak point and better protect patient data. Healthcare organizations employ a wide range of mobile devices, many of which are networked and collect, store, and transmit patient information. These devices are often a critical part of healthcare operations and may number in the thousands at large hospitals.
While these devices perform essential functions, they increase the attack surface considerably and they often contain vulnerabilities that can potentially be exploited to gain access to patient data and the healthcare networks to which they connect. The risks associated with the devices vary based on the nature of the devices and their use. Devices can be lost or stolen, they may connect to unsecured Wi-Fi networks, and software and applications may have vulnerabilities that can be exploited, resulting in unauthorized network access or the downloading of malware or ransomware.
HC3 has published a simple and easy-to-use mobile device security checklist that includes recommendations for ensuring the security of these devices, covering all basic elements of security that should be considered for all mobile devices used in healthcare. The checklist suggests limitations be placed on connectivity, including disabling the various wireless communications protocols that mobile devices support, such as 802.11 Wi-Fi, broadband, and cellular connections if they are not absolutely essential.
Users of the devices should be cautious before connecting to any public or untrusted network. If connections need to be made to residential wireless networks, a VPN should be used and access points should have adequate security features. If connecting to corporate enterprise infrastructure, connections should be encrypted. Applications on the devices should be kept to the minimum number required, and whitelists/blacklists should be considered.
Vulnerabilities need to be identified and patched promptly, which means maintaining a comprehensive, accurate, and up-to-date inventory of all devices. Software and applications need to be kept up to date, ideally using automatic updates, unless automatic updates have the potential to interfere with device operations. All devices should be configured for full functionality first and maximum security second.
Strong authentication measures should be implemented, including appropriate levels of password complexity and multi-factor authentication, with device lock enabled after a period of inactivity. HIPAA requires protected health information to be safeguarded in transit, so communications should be encrypted, either through the inherent encryption capabilities of the device or through encryption software.
To protect against data loss, backup processes are required. The 3-2-1 data backup best practice is recommended: at least 3 backups, on two separate media, with one copy stored securely offline. To protect against malware and ransomware, endpoint security solutions should be implemented and remote wiping capability should be considered. Naturally, all devices should be physically secured at all times, and staff trained on security best practices.
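The checklist items summarised above map naturally onto an audit of a mobile device inventory. The following is an added example, not HC3's or HIPAA Journal's material, that scores constructed MDM-style device records against those items; the record field names and the two thresholds are assumptions rather than values from the HC3 PDF or any real MDM product.

```python
# Added example: audit device inventory records against the HC3 checklist items
# summarised above. Field names and thresholds are assumptions, not from the PDF.
MAX_LOCK_TIMEOUT_S = 300    # assumed policy: lock screen after 5 minutes idle
MAX_PATCH_AGE_DAYS = 30     # assumed policy: OS/app updates applied within 30 days

def check_device(dev, app_allowlist):
    findings = []
    # Connectivity: radios that are not essential for the device's role stay off
    for radio, state in dev["radios"].items():
        if state["enabled"] and not state["essential"]:
            findings.append(f"{radio} enabled but not marked essential")
    # Public or residential networks only through a VPN
    if dev["network"] in ("public", "residential") and not dev["vpn_active"]:
        findings.append(f"{dev['network']} network without VPN")
    # Applications kept to the minimum and allowlisted
    extra = sorted(set(dev["apps"]) - app_allowlist)
    if extra:
        findings.append(f"apps outside allowlist: {extra}")
    # Patching currency
    if dev["os_patch_age_days"] > MAX_PATCH_AGE_DAYS:
        findings.append("OS patch overdue")
    # Authentication: MFA plus inactivity lock
    if not dev["mfa"]:
        findings.append("MFA not enforced")
    if dev["lock_timeout_s"] is None or dev["lock_timeout_s"] > MAX_LOCK_TIMEOUT_S:
        findings.append("inactivity lock missing or too long")
    # Encryption at rest, endpoint protection, remote wipe
    for field, msg in (("storage_encrypted", "storage not encrypted"),
                       ("endpoint_security", "no endpoint security agent"),
                       ("remote_wipe", "remote wipe not enabled")):
        if not dev[field]:
            findings.append(msg)
    return findings

def audit(inventory, app_allowlist):
    # Map device id -> findings; an empty list means the device passed every check
    return {d["id"]: check_device(d, app_allowlist) for d in inventory}

# Constructed sample inventory: one compliant tablet, one non-compliant phone
SAMPLE_ALLOWLIST = {"ehr-client", "secure-mail"}
SAMPLE_INVENTORY = [
    {"id": "tab-01", "network": "corporate", "vpn_active": False, "apps": ["ehr-client"],
     "radios": {"wifi": {"enabled": True, "essential": True}},
     "os_patch_age_days": 12, "mfa": True, "lock_timeout_s": 120,
     "storage_encrypted": True, "endpoint_security": True, "remote_wipe": True},
    {"id": "phone-07", "network": "residential", "vpn_active": False, "apps": ["ehr-client", "game"],
     "radios": {"wifi": {"enabled": True, "essential": True}, "bluetooth": {"enabled": True, "essential": False}},
     "os_patch_age_days": 45, "mfa": False, "lock_timeout_s": None,
     "storage_encrypted": True, "endpoint_security": False, "remote_wipe": True},
]
```

Running `audit(SAMPLE_INVENTORY, SAMPLE_ALLOWLIST)` returns no findings for `tab-01` and seven for `phone-07`, one per checklist item it misses.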
You can access/download the HC3 mobile device security checklist here (PDF).