Tips for securing mobile devices used in health care

Hackers target cell phones because the handheld computers are treasure troves of personal information – and health care data and corporate intelligence if doctors use them on the job.

“Devices should be physically secured at all times, including at the enterprise facility, at the residence of the user, and in transit,” according to the Health Sector Cybersecurity Coordination Center checklist. “Precautions should be taken by the user to ensure passwords, private health information, and other sensitive data are always secure.”

“Mobile devices are prevalent in the health sector, and due to their storage and processing of private health information (PHI) as well as other sensitive data, these devices can be a critical part of healthcare operations,” according to the Health Sector Cybersecurity Coordination Center (HC3) of the U.S. Department of Health and Human Services (HHS).

“As such, their data and functionality must be protected,” said the updated “HPH Mobile Device Security Checklist” published by HC3. That agency and the Office of the National Coordinator for Health Information Technology (ONC) have tips on securing mobile and handheld electronic devices.

One of the easiest ways: Don’t let it fall into the wrong hands, literally.

“Devices should be physically secured at all times, including at the enterprise facility, at the residence of the user, and in transit,” the HC3 list said. “Precautions should be taken by the user to ensure passwords, PHI, and other sensitive data are always secure.”

HC3’s latest tips include:

Control wireless broadcasts. Wireless Internet access, Bluetooth connectivity and broadband cellular connections should be disabled and connection specifications should be deleted when not needed.

Limit connectivity. Be cautious about which networks you connect to, especially public or untrusted networks.

Limit apps. Hackers can enter through apps, so only use the minimum number of required applications, to reduce the device attack surface.

Authentication. Passwords should be complex and changed periodically, and should be masked when users enter them. Use multifactor authentication when practical. Screens should lock after a period of inactivity.

Encryption. End-to-end encryption is recommended for all mobile devices and is required by the Health Insurance Portability and Accountability Act for protected health information.

Backup data. HHS recommends a 3-2-1 approach, with health data stored in three copies, with two on different mediums, and at least one offline.

Use security software. Software to prevent viruses, spyware, and other cyberattacks should be installed as available.

Configuration. Operating systems, apps, and security software should be configured for full functionality, then maximum security.

Time to remind. Use periodic reminders, such log in prompts, to remind users they are handling sensitive health information that must be protected.

Remote wiping. Mobile devices should have a way to erase data remotely if a device is reported lost or stolen.

Inventory tracking. Keep track of all mobile devices, whether company-issued or personally owned, that are used for PHI. Devices that go out of service must have data wiped out.

More information about health care cybersecurity is available through the HC3 website and the ONC website, HealthIT.gov.

This article first appeared on our sister site Medical Economics.