Portable Devices - Healthcare Financial Management Association

Sample Policy
Mobile Data Protection; Portable Devices
This sample policy was shared by an anonymous hospital leader for posting on HFMA’s Legal & Regulatory
Forum. The name of the hospital has been removed from the policy. The Forum does not endorse any
particular policy and recommends that you adapt any policy or tool to the needs of your particular
organization.
A. Applicability
This policy is applicable to all NAME OF HOSPITAL workforce members, agents and subcontractors
that administer, support or use portable computing devices that create, receive, maintain or transmit
electronic NAME OF HOSPITAL proprietary information, personal identification information or
protected health information.
B. Policy
It is the policy of NAME OF HOSPITAL to implement reasonable and appropriate safeguards to
protect against the risks and vulnerabilities unique to mobile data and portable data devices.
C. Background and Purpose
Portable computing and storage devices are susceptible to loss, theft and other hazards to a greater
degree than stationary desktop equipment or equipment situated in a hardened data center. The
purpose of this policy is to describe the administrative, physical, and technical safeguards that managers
and system administrators should consider before permitting workforce members to use mobile
data devices for work purposes.
D. Definitions
Laptop computer is a small portable computer that is light enough to carry comfortably, with a flat
screen and keyboard that fold together. A laptop has most, if not all, of the features and functionalities
of a desktop computer.
Portable computing device includes any mobile, portable or handheld device that creates, receives,
transmits or maintains electronic protected health information, or information designated by
management to be similarly protected. They include laptop computers and personal digital assistants.
They may also include certain types of cellular phones with advanced computing or data storage
capabilities beyond those associated with traditional voice communications, e.g., built-in cameras, text
message stores, networking features and the like.
Tablet computer is a computer that is about the size of a paper tablet and that enables one to
write with a digital pen or stylus directly on its screen. There are three types:
Convertible Tablet PC—is most similar to the familiar notebook, although one very important
difference exists: its screen pivots 180 degrees and then folds down on top of the keyboard, creating
a special writing surface. This feature enables users to write directly on the surface using a digital
pen.
Slate Tablet PC—is Tablet only, with no attached keyboard. Most have an option of using a wired or
wireless keyboard if preferred.
Hybrid Tablet PC—can be used with a keyboard or detached for use as a slate only.
IM-24
Mobile Data Protection; Portable Devices
Page 2 of 19
Portable Electronic Devices (PEDs) consist of small electronic items used for storing, processing, or
transmitting information. These devices provide several benefits: convenience of sharing information,
potential to increase productivity, reduction in communication costs, and improvement in information
flow. PEDs usually have a less powerful central processing unit (CPU), less storage capacity and
memory, and fewer interfaces than standard desktops or laptops. PEDs are limited in the types and
number of applications available for their OS and therefore consume less bandwidth.
Personal Digital Assistants (PDAs): A PDA is a handheld computer that provides numerous
organizational capabilities (e.g., calendar, address list, to-do list, notepad). A PDA or handheld computer
is small enough to fit into a person’s hand. Some manufacturers solve the small keyboard problem by
replacing the keyboard with an electronic pen. PDAs have many of the same functionalities of a laptop.
The differences lie in the size, OS, applications, and hardware components. PDAs can be categorized
based on the OS that is used. Two main OS platforms are available: the Palm OS by Palm and Windows
Mobile (formerly, Windows CE) by Microsoft. Another less common platform is Symbian OS
(originally called EPOC) by Symbian, which is a joint venture between Ericsson, Motorola, Nokia, and
Psion. Java and Linux platforms are also available for PDAs. Most PDA OSs provide security
application programming interfaces (API) that application developers can use to enhance the security of
their applications.
Wireless Keyboards and Mice: A wireless mouse transmits telemetry data (right, left, up, and down).
Wireless keyboards, on the other hand, transmit users’ keystrokes that can be easily read by a nearby
receiver, thereby posing significant security risk. Interest in using wireless keyboards and mice is
increasing, and their use may be beneficial in some settings. These systems use numerous wireless
technologies for transmitting data to the computer (e.g., WLAN, Bluetooth, and infrared).
USB Flash Drive: a memory data storage device integrated with a USB (universal serial bus) interface.
They are typically small, lightweight, removable and rewritable. While originally sold with capacities
starting at 32 megabytes, capacities of 1 gigabyte and up are now common. Also referred to as “jump
drive” or “thumb drive”.
Mobile Phone: The mobile phone or mobile, also called a wireless, cellular phone, cell phone, cell
speaker box, or hand phone, is a long-range, portable electronic device for wireless mobile talking. It
uses a network of specialized base stations known as cell sites. In addition to the standard voice
function of a telephone, current mobile phones may support many additional services, and accessories,
such as text messaging, digital camera, email, packet switching for access to the Internet, and sending
and receiving photos and video. Most current mobile phones connect to a cellular network of base
stations (cell sites), which is in turn interconnected to the public switched telephone network (the
exception is satellite phones).
ITSS: Information Technology Security Services
CISO: Corporate Information Security Officer
Protected Health Information: information regulated by the Health Insurance Portability and
Accountability Act of 1996 and applicable regulations.
Personal Identification information: information as defined in § ______, STATE Stat. (an
individual's name together with Social Security number, driver's license number, or certain bank or
credit account information).
E. Standards
1. Addressability
These standards are addressable, not required. Each standard should be implemented if reasonable
and appropriate. If not implemented, the rationale for not implementing it must be documented, or
an alternative safeguard that meets the same objective must be implemented. The rationale for
rejection of a standard should be documented in the risk assessment, risk management plan, or
technical evaluation for the system.
2. Configuration Standards for Mobile Devices Required
NAME OF HOSPITAL -supported portable devices shall be configured according to written
configuration standards approved by the IT Risk Manager.
3. Mobile Data Safeguards
Mobile data should be protected through a combination of administrative, physical and technical
safeguards.
a. Administrative Safeguards
(1) Identify the data that is at risk. This involves compiling a description of the anticipated uses of the device, and the types of information that will be created or maintained on it, or transmitted to or from the device.
(2) End user education. Users of portable devices and mobile data should receive education on the security safeguards associated with such devices and data.
(3) Configuration standards. Standards can be set and maintained at the vendor or hardware, tools or platform level. This should be a priority when implementing device allocation plans. Standardization will help to maximize stability and predictability of the mobile/handheld environment. In this way, devices can be better supported and, consequently, will be more secure. Guidelines on different levels of restrictions for application installations and other changes in settings should be established to limit, or avoid, potential vulnerabilities.
(4) Track and monitor devices through inventory and asset management. Where applicable, these tools will give critical information on the diversity of device types deployed, how they are being used and their status. This should lead to better visibility and control of the devices used to access data and of usage patterns, which can help in anticipating security exposures. At the same time, software distribution tools should be considered to control and standardize software images as much as possible.
(5) Eliminate the risk, if feasible. Do not store individually identifiable information of any kind or other sensitive information on a laptop or PDA unless 1) there are compelling business reasons to do so, 2) it is with the explicit approval of an appropriate level of management, and 3) appropriate safeguards are implemented, such as those described in this document.
(6) Workforce termination procedures. Workforce termination procedures should include steps to ensure the return and/or proper wiping of data on portable media and devices.
(7) Inventory mobile data. Maintain an up-to-date inventory of portable computers, personal digital devices and media containing information relating to work at NAME OF HOSPITAL.
(8) Account authorization, establishment and modification: There should be written procedures for authorizing workforce members to use a mobile device for NAME OF HOSPITAL business, establishing accounts with mobile device access privileges, modifying access upon a change in role, and terminating access upon a period of inactivity.
(9) Education and training of mobile device users should cover the following topics:
(a) Care and use of the device in accordance with manufacturer's instructions and NAME OF HOSPITAL standards;
(b) Instructions for connecting to and using wireless networks;
(c) Instructions for using encryption features, if equipped;
(d) Instructions for backing up data;
(e) The organization's policies for removal of ePHI and other sensitive data from the work place;
(f) Procedures for backing up data and restoring it in case of loss or other calamity;
(g) Procedures for reporting loss or theft.
(10) Management oversight. NAME OF HOSPITAL team members should not be
permitted to remove sensitive information offsite without management's knowledge and
express permission.
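Administrative safeguards (4) through (8) above amount to a set of rules that can be run against the device inventory rather than checked by hand. The PowerShell below is an added example written for this page; it is not part of the sample policy or of any hospital tool. The inventory columns and the five sample rows are constructed for the example, and the 60-day check-in threshold is an assumed value that an organization would set in its own configuration standard.

```powershell
# Added example, not from the HFMA sample policy: evaluate a mobile-device inventory
# against administrative safeguards (4), (5), (6) and (7) and technical control (5).
# The CSV columns and rows below are constructed for this example; a real register
# would be exported from the hospital's asset management tool.
$inventoryCsv = @'
AssetTag,Type,Owner,StoresPHI,ApprovedForPHI,FullDiskEncryption,LastCheckIn,OwnerStatus
LT-0001,Laptop,jdoe,Yes,Yes,Yes,2024-05-01,Active
LT-0002,Laptop,asmith,Yes,No,Yes,2024-04-28,Active
PDA-0100,PDA,bjones,Yes,Yes,No,2024-02-10,Active
USB-0042,USBFlashDrive,cwhite,No,No,No,2024-04-30,Active
LT-0003,Laptop,dgreen,Yes,Yes,Yes,2024-04-15,Terminated
'@

# Assumed threshold: a device not seen by asset management for longer than this has
# an unknown status and should be followed up.
$MaxDaysSinceCheckIn = 60
$AsOf = Get-Date '2024-05-02'

function Test-DeviceCompliance {
    param(
        [Parameter(Mandatory)][object[]]$Devices,
        [Parameter(Mandatory)][datetime]$AsOf,
        [Parameter(Mandatory)][int]$MaxDays
    )
    foreach ($d in $Devices) {
        $findings = @()
        $storesPhi = $d.StoresPHI -eq 'Yes'

        # (5) Eliminate the risk: PHI/PII on a portable device needs explicit management approval.
        if ($storesPhi -and $d.ApprovedForPHI -ne 'Yes') {
            $findings += 'PHI stored without management approval (a.5)'
        }
        # Technical control (5): any device holding PHI or PII must be encrypted.
        if ($storesPhi -and $d.FullDiskEncryption -ne 'Yes') {
            $findings += 'PHI stored on unencrypted device (c.5)'
        }
        # (4) Track and monitor: a stale check-in means the device status is unknown.
        $days = ($AsOf - [datetime]$d.LastCheckIn).Days
        if ($days -gt $MaxDays) {
            $findings += "No check-in for $days days (a.4)"
        }
        # (6) Termination procedures: a terminated workforce member still holds a device.
        if ($d.OwnerStatus -eq 'Terminated') {
            $findings += 'Device assigned to terminated workforce member (a.6)'
        }

        [pscustomobject]@{
            AssetTag  = $d.AssetTag
            Type      = $d.Type
            Owner     = $d.Owner
            Compliant = ($findings.Count -eq 0)
            Findings  = ($findings -join '; ')
        }
    }
}

$devices = $inventoryCsv | ConvertFrom-Csv
Test-DeviceCompliance -Devices $devices -AsOf $AsOf -MaxDays $MaxDaysSinceCheckIn |
    Format-Table -AutoSize
```

With the sample rows, LT-0001 and USB-0042 pass; LT-0002 is flagged for unapproved PHI, PDA-0100 for both missing encryption and an 82-day gap since check-in, and LT-0003 because its owner is terminated. Replacing the here-string with `Import-Csv` over a real export keeps the rule logic unchanged.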
b. Physical Safeguards
(1) Promptly remove unneeded data. Without routine housekeeping, the amount of data on a laptop's hard drive will quickly grow. By regularly removing unneeded data, you will reduce the risk that sensitive data will fall into the wrong hands.
(2) Label and Tag the Laptop and PDA and All Accessories (if feasible). Make sure that everything that can be labeled is labeled with the name of the individual or organization that owns it, and ensure that these labels are conspicuous. The potential theft value of a laptop or peripheral is reduced greatly when additional work is required to remove the identifying marks. Conspicuous identity labels also significantly increase the risk of a potential thief being caught in the act of theft.
Keep your laptop or PDA with you at all times. When traveling, keep your laptop/PDA with you. Do not pack mobile data devices with checked baggage. Meal times are optimum times for thieves to check hotel rooms for unattended laptops. If you are attending a conference or trade show, be especially wary—these venues offer thieves a wider selection of devices that are likely to contain sensitive information, and the conference sessions offer more opportunities for thieves to access guest rooms. Most laptops are stolen from automobiles, college campuses and hotel rooms. If stowage in an unattended vehicle is necessary, keep it in a locked trunk, and only for a very short period of time (never overnight).
Airplane travel restrictions may prevent you from keeping your laptop with you. If so, encryption and timely backup of all data should be considered mandatory.
(3) Downplay or disguise your laptop or PDA. There is no need to advertise to thieves that you have a laptop or PDA. Avoid using your portable device in public areas, and consider non-traditional bags for carrying your laptop.
(4) Watch out for "shoulder surfers". Be on the lookout for over-the-shoulder snoops who may attempt to discover your password.
(5) Consider an alarm or lock. Many companies sell alarms or locks that you can use to protect or secure a laptop. If you travel often or will be in a heavily populated area, you may want to consider investing in an alarm for your laptop bag or a lock to secure your laptop to a piece of furniture.
(6) Consider storing important data separately. There are many forms of storage media, including floppy disks, zip disks, CDs, DVDs, and removable flash drives (also known as USB drives or thumb drives). By saving your data on removable media and keeping it in a different location (e.g., in your suitcase instead of your laptop bag), you can recover your data even if your laptop or PDA is stolen. You should secure the location where you keep your data to prevent easy access.
(7) Back up your data. Maintain an exact copy of the data that is on the portable device, especially if it includes individually identifiable information of any kind. Back up the data onto a USB drive, CD-ROM, DVD-ROM, or network. If your portable device is stolen, it's bad enough that someone else may be able to access your information. To avoid losing all of the information, make backups of important information and store the backups in a separate location. Not only will you still be able to access the information, but you'll be able to identify and report exactly what information is at risk. Also, with a backup on hand, you may be able to take measures to reduce the amount of damage that the exposure could cause.
(8) Set up procedures for frequent backup. These should be mandatory for all mobile device users, and should not be left for users to implement at their convenience. Voluntary backups are usually not sufficient. Backup procedures should be aligned as much as possible with the common corporate policies to ensure they are regular and adequate. Once the data is backed up, infrequently used data can be removed from the device via automated tools, thereby limiting exposure through loss.
Routine backups of mobile data can be waived if the data is transient in nature, it is a duplicate copy of data held elsewhere, it can easily and quickly be recreated from another source, or it is of nominal value with little impact if lost.
In the case of ePHI or other personal identification information, if routine backup is waived for a reason listed above, there must be an alternative method for identifying the individuals whose information is on the device in the event the device is lost or stolen.
(9) Protect small devices from accidental loss: Attach a conspicuous tag or lanyard to the device that contains the owner's name, address and telephone number. The tag or lanyard will prevent the loss of a small device such as a flash drive. If it is lost, the finder will be able to return it to the owner. For especially small digital devices such as SD memory cards, keep them in an appropriately labeled storage case when not inserted in the card read/write slot of the PDA, laptop, phone or other device.
c. Technical Controls
(1) Password-protect the device. Make sure that you have to enter a password to log in to your device. NAME OF HOSPITAL issued laptops should have password protection enabled by default. This setting should not be disabled. Password-protect your PDA or cell phone as well. Evaluate and implement, if feasible, alternative stronger authentication methods such as:
(a) Graphical passwords: Authentication based on icon or image selection can overcome the usability problems associated with passwords on PDAs.
(b) Tokens: A hardware-based token, such as a smartcard or USB key fob coupled with a personal identification number.
(c) Biometrics: Fingerprint scanners are available for laptops and PDAs, and signature verification software is available for PDAs.
(2) Use passwords correctly. Don't choose options that allow your device to remember passwords and don't choose passwords that thieves could easily guess or crack. Even though passwords as short as eight (8) characters are permitted within NAME OF HOSPITAL, consider a longer password or pass-phrase for portable device access.
(3) Supplement passwords with hardware-based authentication. Special smartcards or tokens (which look just like a USB stick) store key information that is used in combination with a user password to unlock the computer. Only someone who has the token and knows the password can access the system and the data saved on it. Alternatively, the user's biometric data can be stored on a smartcard. For authentication, the user's fingerprint is checked directly on the card, instead of the password.
(4) Secure hibernation and standby modes with a password. Configure the device to prompt for the password again when it switches from screensaver or hibernation mode back to normal working mode. This will keep the information secure while the device is unattended.
(5) Encrypt data. By encrypting files or media, you ensure that unauthorized people can't view data even if they can physically access it. You may also want to consider options for full disk encryption, which prevents a thief from even starting your laptop without a passphrase. When you use encryption, it is important to remember your passwords and passphrases; if you forget or lose them, you may lose your data, unless recovery procedures are in place.
Any data containing “personal identification information”1 or protected health information
should be encrypted.
Recommended interim solution for encryption on Windows desktops and laptops, and
flash drives:
If your laptop has Windows XP installed and the hard drive of your laptop is formatted as
"NTFS", you may be able to encrypt files and folders yourself, using the Windows
Encrypted File System (EFS). The procedures are documented in Windows XP Help. If
you do use Windows EFS, you must understand the procedures for recovering encrypted
data if the person that encrypted it has left the organization or is unavailable. These
procedures are also documented in XP Help.

1 Personal identification information (PII) refers to information that, when accessed by an unauthorized person as a result of a security breach, may trigger a state law requirement to notify the individuals whose information was accessed. PII means an individual's first name, first initial and last name, or any middle name and last name, in combination with any one or more of the following data elements when the data elements are not encrypted:
(a) Social security number.
(b) Driver's license number or STATE Identification Card number.
(c) Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
Some USB drives are bundled with encryption software. If so, it should be used to
encrypt sensitive information on these devices. The U3 software bundled with SanDisk
USB flash drives is a reasonable interim solution. See also Exhibit 6 Protection Options
for USB Flash Drives.
Note: EFS and U3 are vulnerable to attack or compromise and should only be used as
short-term solutions until a more robust solution can be implemented.
Long-term solution:
Full disk encryption with pre-boot authentication using NAME OF HOSPITAL approved
encryption software is recommended over less secure strategies such as partial or
virtual disk encryption, or file/folder encryption using EFS. Encryption keys should be
centrally managed using secure methods for obtaining, distributing and managing
encryption keys. Encryption keys should be stored separately from the device holding the
encrypted data, e.g., on a USB token or smart card that must be used in conjunction with
the device before access to unencrypted data is granted. See also IM-13.40 Access Control;
Encryption and Decryption and NIST SP 800-111 Guide to Storage Encryption Technologies for
End User Devices.
(6) Install, enable and maintain anti-virus software. Protect laptops and PDAs from malicious code with anti-virus software and keep virus definitions up to date.
(7) Install and enable a firewall. While always important for restricting traffic coming into and leaving your computer, firewalls are especially important if you are traveling and utilizing different networks. Firewalls can help prevent outsiders from gaining unwanted access. The firewall that comes with Windows XP is documented in the XP Help files. Note: check with the IT Service Desk before changing firewall settings on NAME OF HOSPITAL managed computers.
(8) Disable unneeded network services. Limit and/or set up firewalls for networking services that are not needed, or which should not run at default permissions. This would include Bluetooth, IrDA and WLANs, such as Wi-Fi. If a network service is not needed, it should be disallowed in the default configuration.
(9) Boot protection and BIOS hardening. The Basic Input Output System (BIOS) of a computer is the part of the operating system that enables an operating system such as Windows to communicate with the computer's hardware components. Certain BIOS settings can be set to strengthen security. For example, a BIOS password can be set so that the computer will not boot until the BIOS password is correctly entered. Modifying the BIOS requires some technical expertise and should not be attempted with NAME OF HOSPITAL owned or leased computers, except with the assistance of IT.
BIOS settings that can be configured vary by make and model, and may include:
(a) Boot device sequence (can prevent booting from a USB flash drive, CD-ROM or diskette)
(b) System password (can require entry of a password before booting)
(c) System setup password (can require entry of a password before BIOS settings can be changed)
(d) Power management settings (enable/disable computer to go into sleep or stand-by mode; if computers are allowed to go into sleep/standby mode, a thief can more easily gain access to sensitive information);
(e) Chassis intrusion detection (can detect if internal hardware components have been accessed and security controls circumvented);
(10) Network access controls.
As noted below under wireless network issues, mobile devices are likely to be used on
networks outside the NAME OF HOSPITAL network unless they are prevented from doing so
by a technical control. The security of a device that is connected to a foreign
network could be compromised through the introduction of malicious code. The device
could then compromise the NAME OF HOSPITAL network. Therefore, IT may restrict
NAME OF HOSPITAL network access by a mobile device until it has been re-certified
for use on the NAME OF HOSPITAL network.
(11) Operating system hardening. Because of their elevated security risk, portable devices
that are defined in Active Directory may be assigned to a more secure Group Policy
Object. This will have the effect of hardening the operating system by enabling certain
security controls and disabling features that place the device at risk of compromise.
(12) Restrict plug and play. Plug and play makes it convenient to attach devices and have
them instantly recognized. Memory devices other than NAME OF HOSPITAL
authorized devices should not be permitted to be accessed by NAME OF HOSPITAL
portable computers and PDAs.
(13) Remote kill/disk wipe utility. Often bundled as part of another software package, a
remote kill/wipe disk utility renders data unrecoverable if the device is lost or stolen.
Wipe disk functions should meet Department of Defense standards for rendering data
unrecoverable. See IM-12.60 Devices and Media; Disposal; Media Reuse.
Secure file deletion. File deletion under Windows does not remove data from a disk or
flash drive. It only removes the pointers to the files in the file allocation table for the
drive. Deleted data must be cleared using approved methods, such as file shredder
software, to ensure that it cannot be accessed by an adversary. Methods of file deletion
or media wiping must be in conformance with NIST SP 800-88, Guidelines for Media
Sanitization.
Media clearing is not needed when residual data is encrypted using approved methods.
Full disk encryption that encrypts residual data makes file shredding unnecessary.
Disable Autorun. The autorun feature causes Windows to automatically run code from a
CD-ROM or other removable media. Disabling the feature can prevent malicious code
from being installed from a CD-ROM or USB flash drive. In Windows XP the Autorun value
in the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CDRom
must be set to zero (0).
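Several of the technical controls above (password on resume from standby in item (4), full disk encryption in item (5), and the Autorun setting just described) are plain configuration values, so they can be audited by script instead of being inspected by hand. The PowerShell below is an added example written for this page, not part of the sample policy or of any hospital's configuration standard. The registry locations are standard Windows settings; the check list itself, and the use of NoDriveTypeAutoRun (a later-Windows policy value that disables AutoRun for every drive type, going beyond the page's XP-era CDRom value), are the example's own assumptions. The BitLocker check assumes a Windows version that ships the BitLocker module.

```powershell
# Added example, not part of the HFMA sample policy: audit a Windows portable device
# against several items in E.3.c (Technical Controls) and, with -Remediate, set the
# expected values. Run from an elevated PowerShell session on the device being checked.
[CmdletBinding()]
param([switch]$Remediate)

# Check list: an assumption about how a written configuration standard might be encoded.
# NoDriveTypeAutoRun = 0xFF (255) disables AutoRun for all drive types on Windows
# versions after XP; the page's CDRom\Autorun value is checked as well.
$checks = @(
    @{ Item = 'Disable Autorun: CD-ROM service value'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\cdrom'
       Name = 'AutoRun'; Expected = 0 },
    @{ Item = 'Disable Autorun: all drive types (policy value)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoDriveTypeAutoRun'; Expected = 255 },
    @{ Item = 'Screensaver enabled (c.4)'
       Path = 'HKCU:\Control Panel\Desktop'
       Name = 'ScreenSaveActive'; Expected = '1' },
    @{ Item = 'Password required on resume from screensaver (c.4)'
       Path = 'HKCU:\Control Panel\Desktop'
       Name = 'ScreenSaverIsSecure'; Expected = '1' }
)

$results = @(foreach ($c in $checks) {
    $current = $null
    $props = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains $c.Name)) {
        $current = $props.$($c.Name)
    }
    # Compare as strings so a REG_SZ "1" and a DWORD 1 are handled the same way.
    $compliant = ($null -ne $current) -and ("$current" -eq "$($c.Expected)")
    if (-not $compliant -and $Remediate) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected
        $current = $c.Expected
        $compliant = $true
    }
    [pscustomobject]@{
        Item = $c.Item; Current = $current; Expected = $c.Expected; Compliant = $compliant
    }
})

# Full disk encryption (c.5, long-term solution): report BitLocker protection on the
# system drive when the BitLocker module exists (Windows 8 / Server 2012 and later).
# A device relying on EFS alone reports Off here, matching the policy's interim/long-term split.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $sysVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $results += [pscustomobject]@{
        Item      = 'Full disk encryption on system drive (c.5)'
        Current   = "$($sysVol.ProtectionStatus)"
        Expected  = 'On'
        Compliant = ("$($sysVol.ProtectionStatus)" -eq 'On')
    }
}

$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Compliant }).Count
Write-Host "$failed of $($results.Count) checks non-compliant"
```

Without `-Remediate` the script only reports, which is the safer default for a device the IT Service Desk manages (see item (7) and section E.4). The remediation branch is there for use by IT when a device is being certified or re-certified under item (10).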
4. Do not disable or modify IT-installed safeguards.
The NAME OF HOSPITAL IT Department has configured NAME OF HOSPITAL devices with
certain safeguards and security settings. Do not interfere with, remove or disable any IT-installed
safeguards, even if you are able to do so.
5. Responding to a lost or stolen device
a. Immediately report the loss or theft to a supervisor, the NAME OF HOSPITAL Security
Department and the IT Service Desk. The Security Department, in turn, will notify the
appropriate NAME OF HOSPITAL privacy and security officials, and, if necessary, law
enforcement officials.
b. If individually identifiable information was on the device, we may be required to notify the
individuals whose information is at risk. The decision to notify will be made by the chief
executive at the NAME OF HOSPITAL affiliate where the breach occurred, in consultation
with General Counsel and the NAME OF HOSPITAL Compliance Department. See
compliance policy PV-45.1 – Breach of Personal Identification Information; Notification
Requirements.
6. Wireless Networking Issues in Mobile Devices
Wireless network connections for mobile devices are similar to other types of network connections,
but have important differences that should be considered in the risk assessment:
a. Certain built-in networking protocols in mobile devices are immature and have known
weaknesses, e.g., Bluetooth, Wi-Fi and infrared. These protocols are not approved for
transmission of NAME OF HOSPITAL business or clinical information.
b. Use of non- NAME OF HOSPITAL wireless networks (e.g., Internet cafes, hotels, airports) can
compromise the device and data transmissions to/from the device. Do not use such networks
for NAME OF HOSPITAL business unless the device has been approved for such use and the
transmissions are encrypted.
c. Transmissions containing ePHI or information designated by management to be similarly
protected must be encrypted in accordance with IM-13.90 Transmission Security; Encryption,
FIPS 140-2 Security Requirements for Cryptographic Modules, NIST SP 800-52 Guidelines for
the Selection and Use of Transport Layer Security (TLS) Implementations, NIST SP 800-77
Guide to IPsec VPNs, and/or NIST SP 800-113 Guide to SSL VPNs, as applicable.
d. Reliance on wireless networks can result in information not being backed up because of limited
network bandwidth and/or because mobile equipment may not be connected at the times when
back-ups are scheduled.
7. Mobile Phone Issues
Risks related to mobile phone use include malicious software infection2 and data loss, data leakage
or theft. In the health care setting, camera phones may be used to photograph patients and transmit
the photographs wirelessly along with sensitive text. Mobile phone safeguards to consider include:
2 Mobile phone malware is rare in North America but prevalent in Japan and Europe, according to a consultant to WatchGuard Technologies. It is expected that U.S. mobile phone malware infections will become more prevalent within 2 years.
a. Educate users that mobile phones are vulnerable and they should not install anything on them
unless it's from an authorized source.
b. Secure and control phones. Use mobile versions of firewalls and antivirus protection.
(Examples come from F-Secure, which offers both, and TrendMicro, which offers an antivirus
product.)
c. Secure phone ports. Many phones have USB ports. USB control software, which allows an
administrator to regulate which devices (including mobile phones) are allowed on a computer's
USB ports, should be considered.
d. Secure Bluetooth. If the user does not need Bluetooth, it should be disabled. If the service is
needed, the user should not accept connections from unknown parties. Class 3 devices (limited
to 1 meter range), combined with physical security over the area where they will be used, are
generally permitted. Examples: a hands-free ear-piece for use with a cell phone; a connection
between a PDA and printer at a user's workstation.
e. Establish policies. The CISO and ITSS should develop policies and standards for mobile
phone use and configuration by workforce members and agents while in the NAME OF
HOSPITAL facilities or conducting NAME OF HOSPITAL business. The same appropriate
use policies that apply to Internet use should be applied to mobile phone use, such as:
(1) downloading or opening files only from trusted sources;
(2) not opening or accepting unexpected attachments;
(3) verifying a known party's intent to send an attachment;
(4) blocking access to malicious web sites or vulnerable services; and
(5) prohibiting the use of camera phones unless explicitly approved and the requirements of NAME OF HOSPITAL policy on photographic, video and audio recordings are followed.
f. Other Technical Safeguards
(1) As with laptops, use encryption to secure company data while in transmission to and from the device and in storage on the device (required for PHI and PII).
(2) Employ remote wipe technology to erase company data in the event of loss or theft of the device.
8. USB Flash Drives
NAME OF HOSPITAL team members that use USB flash drives to store sensitive company data
should be required to use a FIPS-certified device such as Ironkey Model S200 (www.ironkey.com) or
an equivalent device.
9. Signed Agreements for Users of Portable Devices
Users of portable devices should be required to sign an agreement in which they acknowledge the
special risks associated with portable device use, and any special requirements for the maintenance
of safeguards.
10. Training and Education
a. The IT Risk Manager and the Compliance Department are responsible for maintaining and
disseminating information on mobile data safeguards.
b. Managers are responsible for ensuring that team members that use portable devices or mobile
data have been appropriately trained in NAME OF HOSPITAL Health policies and procedures
for the protection of such devices and data.
11. Documentation
a. Procedures for mobile data protection must be in writing.
b. Policies and procedures and evidence of compliance must be retained for six (6) years.
F. Implementation Guidance
1. Impact on Risk Assessment
The analysis and management of risk usually has to be modified if a system is installed in a vehicle or
is portable, such as a laptop computer. The system in a vehicle will share the risks of the vehicle,
including accidents and theft, as well as regional and local risks.
Encryption of data files on stored media may also be a cost-effective precaution against disclosure of
confidential information if a laptop computer is lost or stolen.
Portable and mobile systems share an increased risk of theft and physical damage. In addition, portable
systems can be "misplaced" or left unattended by careless users. Secure storage of laptop computers
is often required when they are not in use.
If a mobile or portable system uses particularly valuable or important data, it may be appropriate
either to store its data on a medium that can be removed from the system when it is unattended or to
encrypt the data. In any case, the issue of how custody of mobile and portable computers is to be
controlled should be addressed. Depending on the sensitivity of the system and its application, it
may be appropriate to require briefings of users and signed briefing acknowledgments.
2. Asset Recovery Versus Data Protection
Data protection should take precedence over protection of the asset on which it resides. Therefore,
data encryption should be considered before automatic disk wipe or asset recovery technology.
G. Exhibits
1. Portable computing/communication device user agreement (separate document)
2. Sample request, approval and agreement for use of personal digital device (separate document)
3. Protection Options for Laptops
4. Typical Wireless Network Options for Mobile Computers
5. Examples of Mobile Phone Malware Threats
6. Protection Options for USB Flash Drives
H. References
Mobile and Wireless Device Addendum to the Wireless Security Technical Implementation Guide, Version 1 Release 1, U.S. Department of Defense, October 2005.
Scalet, Sarah D. How to Keep Portable Data From Escaping, CSO, May 2006.
Jansen, Wayne. Authenticating Users on Handheld Devices, National Institute of Standards and Technology.
Jansen, Wayne. Authenticating Mobile Device Users Through Image Selection, National Institute of Standards and Technology.
SP 800-72, Guidelines on PDA Forensics, National Institute of Standards and Technology.
Exhibit 1
Sample Portable Computer/PDA User Agreement
This exhibit has been made a separate document.
Exhibit 2
Sample request, approval and agreement for use of personal digital device (separate document)
This is a separate document maintained on the NAME OF HOSPITAL intranet.
Exhibit 3 - Protection Options for Laptops
Exhibit 4
Typical Wireless Network Options for Mobile Computers
IEEE 802.11
The 802.11 standard developed by the Institute of Electrical and Electronics Engineers (IEEE) provides a specification for
wireless transmission of information in Wireless Local Area Networks (WLAN). Currently, a variety of 802.11 specifications exist.
The most widely used is 802.11b. IEEE 802.11a and 802.11g are other popular types using the Ethernet protocol and carrier
sense multiple access with collision avoidance (CSMA/CA) for path sharing. The most recently ratified 802.11i standard
(approved June 2004) provides an improvement to security in terms of encryption and authentication requirements.
Bluetooth
There are numerous ways devices can be connected to one another using a cable, including the following:
• Personal digital assistant (PDA) and a docking cradle
• Printer and a laptop
• Headphones and a portable compact disk (CD) player.
Bluetooth (not to be confused with Wireless Fidelity [Wi-Fi]) is a cable replacement technology that uses a short-range radio link
to communicate information that typically is sent over a wire. This information may include voice or data.
Bluetooth uses the modified SAFER+ algorithm to encrypt its payload. This algorithm is not Federal Information Processing
Standard (FIPS) 140-2 compliant. Unlike Wi-Fi, Bluetooth is not FIPS 140-2 compliant, nor is it permissible to use Bluetooth to
transmit or receive classified information (e.g., Secret, Top Secret) unless approval by the Designated Approving Authority
(DAA) is granted.
Security flaws do exist in the latest Bluetooth 1.2 standard, the most important of which is the pairing security flaw. During
pairing, a personal identification number (PIN) must be entered. In many commercial off-the-shelf (COTS) Bluetooth devices,
PINs are only four digits long, which may be insufficient; PINs should be made as long as possible. A four-digit
PIN can be cracked in less than 1 second and a six-digit PIN in 10 seconds; however, according to a recent publication from @Stake, Inc.,
a 16-digit PIN will take 1 million days to crack. An additional flaw in the latest 1.2 Bluetooth standard regards impersonation. The
device hardware address (Media Access Control [MAC] address) can be spoofed if mutual authentication does not occur. The
MAC address is used in key creation, but this is not as much a concern as using no mutual authentication. MAC address spoofing
is not specific to Bluetooth; it can also occur with devices using wireless 802.11 or wired Ethernet standards. As a result of these
insecurities and flaws, the use of Bluetooth is prohibited in all cases for transmitting or receiving unclassified or classified
information.
Infrared Radiation
Infrared (IR), which operates at a frequency between microwaves and visible light, is used in various wireless devices for
transmitting information, monitoring services, and controlling applications. The most commonly incorporated IR component is in
laptop computers and PDAs. Many wireless device manufacturers have turned on IR functionality in their default settings,
leaving these devices vulnerable to device infiltration and information hijacking.
Cellular Transmission
Cellular transmission is a form of wireless transmission defined as a type of short-wave analog or digital connection to a local
cellular tower. Communication is between a mobile device (typically a mobile phone with cellular—digital or analog, Global
System for Mobile Communications [GSM], Code Division Multiple Access [CDMA], or Evolution-Data Only [EV-DO]
capability) and a service tower.
Exhibit 5
Examples of Mobile Phone Malware Threats
Source: How to Keep Those Handsets Clean, www.csoonline.com, October 2006, accessed 11/29/06.
The Doomboot trojan perpetrates denial-of-service attacks by billing itself as "Warez"—premium
games that have been compromised to allow free use. Devices work until they are rebooted. Doomboot
enters via Bluetooth's discovery mode, the Web and e-mail.
Cardtrap spreads to phone memory cards—which can be inserted in computers to sync up a music
download, picture or ringtone—where it can infect again.
Redbrowser is a Russian wireless application protocol browser that offers itself to users who don't have
one. It offers to send free SMS messages but actually charges the user $5 to $6 per message.
Crossover detects and infects devices via an ActiveSync connection for Windows PCs. It can spread
from phones to computers. Crossover has not been detected in public yet; in concept it fills up phone
memory with useless data and exhausts phone resources.
Buffer overflow vulnerabilities exist in the Windows Mobile software, according to Fogie, in cases
where an application has not been programmed to properly check the format of incoming data. Such
attacks will become more prevalent as the platform grows, Fogie says.
Exhibit 6
Protection Options for USB Flash Drives
DeviceWall (Centennial, www.centennial-software.com)
Price: Varies from approximately $25 per user for 250 seats.
Overview: DeviceWall secures network endpoints against the risk of accidental or deliberate security breaches and locks down the unauthorized use of removable media devices, such as USB drives, MP3 players, PDAs and even CDs.
Functionality: Features that focus on USB security include the ability to give permission to certain USB devices and to block only the use of USB thumb drives. DeviceWall provides encryption for USB drives, and a rule can be set that a drive must be encrypted in order to be used.
Installation: The installation consists of putting in the CD and starting the installation wizard.
Integration: Integrates with a current Active Directory structure.
Documentation: Documentation is available on the vendor website as a PDF file. It provides step-by-step instructions on configuring and managing DeviceWall.
Support: Support is limited to customers with full versions of the software. Support content is web-based and a license key is needed to get access to the site.

Sanctuary Device Control (Lumension, www.lumension.com)
Price: Varies from approximately $45 per seat.
Overview: Device Control can secure against many I/O devices such as USB drives, FireWire, Wi-Fi and Bluetooth, as well as securing ports.
Functionality: Device Control can block USB devices based on a policy set up for a single user, a group of users or a computer. This product works on the basis of whitelisting devices and can also provide encryption for removable media.
Installation: The installation process is guided by an HTML document that provides a step-by-step deployment process with links to the executables and installers needed.
Integration: Integrates with either an Active Directory domain or a Novell network. Device Control can work directly with groups already created or users/computers currently in the domain, providing permissions based on drives or ports.
Documentation: Device Control has useful documentation, including setup/deployment guides and architecture layouts.
Support: Product support and maintenance are included as part of the product purchase. Professional services are available for policy assessment and development and product implementation.

EndPoint Security (Gfi, www.gfi.com)
Price: Varies from approximately $700 for 25 computers to $4,000 for 500 computers.
Overview: EndPoint Security actively manages user access and logs the activity of media players including iPods, USB drives, CompactFlash, memory cards, CDs and other portable storage devices, PDAs, BlackBerry handhelds, mobile phones, smart phones, network cards and laptops.
Functionality: EndPoint Security has the ability to control specific ports on client machines via Active Directory. Policy can be put in place to grant or deny users or groups of users access to USB ports, as well as other ports such as FireWire and other removable storage media.
Installation: The installation consists of a fully automated installation wizard. There are many useful wizards that help create policy and add users to the policy.
Integration: Integrates with Active Directory and offers control over other devices beyond USB such as media players and PDAs.
Documentation: The user manual and installation guide contain plenty of detail and sets of instructions, labeled screenshots and charts.
Support: A software maintenance agreement is required. The vendor website includes a support area with product documentation, forums and a knowledge base, along with phone and email support.

Protector (Safend, www.safend.com)
Price: Varies from $32 per seat, scaled for volume depending on the size of the implementation.
Overview: Protector detects and allows restriction of devices by device type, model or even specific device serial number. For storage devices, Protector can block all storage devices completely, permit read-only access, or encrypt all data on devices, as well as monitoring, blocking and logging files that are downloaded to or read from these devices. Wi-Fi controls are based on MAC address, SSID, or network security level.
Functionality: Features provide USB security both at the interface and removable media levels. At the media level, this product can provide encryption for removable USB keys and also forensic reporting of all data moving in and out of the organization. At the interface or port level, it can restrict based on existing Active Directory users or computers. Devices can also be restricted based on type, model or a specific serial number.
Installation: The set-up wizard makes installation straightforward.
Integration: Integrates with Active Directory to control both removable media and the actual ports on specific machines. Also, detail is provided for policy granularity and total control of the environment.
Documentation: Documentation consists of user and installation guides.
Support: Web-based email support is offered as part of the product's one-year maintenance agreement. Maintenance is included in term licenses.

SafeGuard Removable Media (Utimaco, www.utimaco.com)
Price: Varies from $52 per seat plus maintenance.
Overview: Sole purpose is to ensure that no data leaves the computer on a USB drive without being encrypted first.
Functionality: In addition to using encryption, the key-ring feature allows multiple users to share the same data. Both encrypted and unencrypted data can be stored on the same USB device. Operation is transparent to the user.
Installation: Installation is simple.
Integration: It can use Active Directory.
Documentation: Documentation is provided with the product in a PDF file.
Support: Support is by subscription. There is a public area of FAQs and a knowledge database.

Comments
The comparison singles out one product as "the recommended product for its simple deployment, easy manageability, features and great value for any size environment" and notes another as "a possible consideration for its flexibility and strong features."