On March 23, the Health Sector Cybersecurity Coordination Center (HC3) published a healthcare and public health sector mobile device security checklist. Mobile devices are a critical part of healthcare operations in today’s landscape. Mobile devices often store and process private health information (PHI) and other sensitive data, and therefore, must be protected.
The checklist says that “HC3 recommends the following considerations for any mobile device used within a healthcare environment:
- Controlling wireless broadcasts – Mobile devices can leverage various wireless communications protocols such as 802.11 (WiFi), Bluetooth and broadband cellular (currently 5th generation). These capabilities should be disabled and connection specifics should be deleted when not needed.
- Limit connectivity – Device owners should be cautious about which networks they connect to, especially public or other untrusted networks. Connection to residential wireless networks should leverage the use of a VPN, should be through access points and modems that are of reputable brands, and have adequate security features properly configured and updated with the latest firmware/operating system software. Devices should ideally only be used to connect to corporate enterprise infrastructure via an approved and properly encrypted wireless network.
- Application and software deployment limits – The minimum number of applications required should be deployed to the device in order to reduce its attack surface. Applications that are used should be appropriate for the data (e.g. private health information) that they are storing and processing. The enterprise may choose to whitelist/blacklist applications as they see fit.
- Operating system and software updates – Ensure the device and all apps are updated as soon as possible. Automatic update deployment and installation should be implemented when it does not interfere with device operations.
- Authentication – Password requirements should be established and required by policy. Appropriate levels of password complexity and periodic password changes should be required for device operations, and passwords should be masked as they are being entered. Multi-factor authentication should be required as practical. Screen lock capabilities should be enabled after a set period of inactivity.
- Encryption – The Health Insurance Portability and Accountability Act requires encryption for any device that stores or processes any of the 18 categories of personal health information (PHI). End-to-end encryption is recommended for all mobile devices. Most devices have inherent encryption capabilities. Additional encryption software can be implemented as needed.”
The checklist also says to consider data backup and cloud storage, endpoint security software, configuration management, content and conversations, physical security, remote wiping, and inventory tracking.
“This document represents a basic checklist of recommended items for health sector mobile devices to maintain security, including data in motion and at rest, as well as the capabilities of the device itself,” the checklist document notes.
