
Mobile Device Security Checklist – Ep 401 

 April 7, 2023

By Donna Grindle

The importance of mobile device security cannot be overstated. With our lives becoming increasingly digital, it is essential that we take the necessary steps to secure our devices. By doing so, we can protect our data and our privacy, while also preventing malicious actors from gaining access to our accounts.


In this episode:


Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

Subscribe on Apple Podcasts. Share us on social media. Rate us wherever you find the opportunity.

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA



HIPAA Say What!?!

[02:48] When is it ok to allow new BAs or new employees to have access to use or disclose PHI?

When it comes to a BA, that one’s pretty easy. They should not have access to use or disclose PHI until there’s a BAA in place. Period. And you really should vet them beforehand as well. Actually, vetting them should come even before you have the BA sign the BAA.

As for employees, your training is supposed to train them on your privacy and security policies, not just HIPAA privacy and security concepts. If you’ve got somebody that’s interacting with patients, they absolutely should not do it until they’ve had proper training on your policies and procedures. Depending upon the job role of the new employee, you could wait a few days for HIPAA training as long as they aren’t interacting with patients.

Mobile Device Security Checklist

[08:43] HC3 rolled out a report including a checklist of recommendations for securing mobile devices specifically for use in the HPH sector.

“This document represents a basic checklist of recommended items for health sector mobile devices to maintain security, including data in motion and at rest, as well as the capabilities of the device itself.”
Source: HC3: HPH Mobile Device Security Checklist (https://www.hhs.gov/sites/default/files/hph-mobile-device-security-checklist-tlpclear.pdf)

The list is probably overwhelming to most folks who try to read it unless they are more technologically savvy. The list would launch the techie folks into a huge debate. So, we might as well get it over with and review it before someone brings it up.

HC3: HPH Mobile Device Security Checklist

  • Controlling wireless broadcasts – They start off with this item which includes the recommendation “capabilities should be disabled and connection specifics should be deleted when not needed”. This isn’t exactly “basic” and will require some discussion between IT and the organization.
  • Limit connectivity – This involves being cautious about which networks users connect to, especially public networks and other untrusted networks. This includes ensuring home networks use reputable access points and VPNs, plus making sure that adequate security features are enabled and the devices stay up to date on the latest firmware releases. This is hard to enforce on staff members’ personal devices.
[17:26]
  • Application and software deployment limits – The fewer applications you have on any device, the fewer problems you’re going to have, because you have less risk involved. This can be achieved by blacklisting and whitelisting the applications that can be installed. But if you’re not using company-owned devices, that’s almost impossible to manage.
  • Operating system and software updates – Ensure all devices and applications are running the latest release of operating systems and have software patches installed.
  • Authentication – Have unique user IDs for everyone. Enforce strong password requirements (using NIST guidelines is a good option). Use screen lock capabilities and MFA everywhere it’s available.
  • Encryption – “End-to-end encryption is recommended for all mobile devices.” In HIPAA, encryption is addressable. But it is highly recommended that all mobile devices (tablets, smartphones, laptops, etc.) are encrypted. All mobile devices have encryption capabilities. Most importantly, make sure it is documented.
[27:46]
  • Data backup and cloud storage – HHS recommends applying the 3-2-1 rule that states to maintain at least three copies of the data, store them on two different mediums, with at least one copy stored offline. This is not an unusual requirement for good security.
  • Endpoint security software – Security software that can prevent viruses, spyware and cyberattacks should be installed on all devices, as available. Many IT departments are using multiple layers of software apps that protect networks. No matter what you use, don’t use free software. Use software from reputable vendors.
  • Configuration management – Configure software for full functionality and then maximum security. An argument can be made to implement security first within applications and then configure it for full functionality.
  • Content and conversations – This involves sending periodic reminders to users that they are accessing/using/sending/receiving sensitive information and it’s their responsibility to protect that information while it is stored on their devices and while being transmitted.
  • Physical security – Mobile devices should be physically secured at all times, including while in the office, in a car, while traveling, at users’ homes, etc.
[36:39]
  • Remote wiping – Mobile devices should be capable of being remotely wiped. Also, users should be required to report lost or stolen devices immediately so that the device can be wiped.
  • Inventory tracking – All devices, especially mobile devices, should be inventoried and tracked. This includes company owned devices as well as BYOD devices. When devices are no longer in use, they should be properly decommissioned so that sensitive data can be made unretrievable.
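To show how several of the items above can be turned into a repeatable check, here is an added example (not code from HC3 or the podcast) that audits a constructed device inventory for encryption, screen lock, MFA, OS currency, remote wipe, the 3-2-1 backup rule and inventory tracking. The device records, platform names and minimum OS versions are constructed assumptions, not values from the checklist.

```python
# Audit a constructed mobile-device inventory against the HC3 checklist items above:
# encryption, screen lock, MFA, OS updates, remote wipe, 3-2-1 backups, inventory tracking.
# Added example, not HC3's or the podcast's code; records and version floors are constructed.
from dataclasses import dataclass, field
MIN_OS = {"ios": (16, 4, 0), "android": (13, 0, 0)}  # constructed floors (assumption)

@dataclass
class Device:
    asset_tag: str
    platform: str                # "ios" or "android"
    os_version: str              # e.g. "16.3.1"
    encrypted: bool
    screen_lock: bool
    mfa_enrolled: bool
    remote_wipe_enabled: bool
    in_inventory: bool           # present in the asset register (BYOD included)
    backups: list = field(default_factory=list)  # list of (medium, is_offline) tuples

def parse_version(v: str) -> tuple:
    """'16.3.1' -> (16, 3, 1); missing components are padded with zeros."""
    parts = [int(p) for p in v.split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def meets_3_2_1(backups: list) -> bool:
    """At least three copies, on at least two different media, with one copy offline."""
    media = {medium for medium, _ in backups}
    return len(backups) >= 3 and len(media) >= 2 and any(off for _, off in backups)

def findings(d: Device) -> list:
    """Checklist items the device fails; an empty list means it passes every check."""
    checks = [("encryption", d.encrypted), ("screen_lock", d.screen_lock),
              ("mfa", d.mfa_enrolled), ("remote_wipe", d.remote_wipe_enabled),
              ("inventory_tracking", d.in_inventory), ("backup_3_2_1", meets_3_2_1(d.backups))]
    fails = [name for name, ok in checks if not ok]
    minimum = MIN_OS.get(d.platform)
    if minimum is None or parse_version(d.os_version) < minimum:
        fails.append("os_updates")   # an unknown platform cannot be verified, so it fails
    return fails

def audit(devices: list) -> dict:
    """Map each non-compliant asset tag to its failed items; compliant devices are omitted."""
    return {d.asset_tag: f for d in devices if (f := findings(d))}

# Constructed sample inventory: one compliant tablet, one phone with several gaps.
SAMPLE = [
    Device("TAB-001", "ios", "16.4.1", True, True, True, True, True,
           [("cloud", False), ("nas", False), ("usb", True)]),
    Device("PHN-002", "android", "12.0", True, False, True, False, True,
           [("cloud", False), ("cloud", False)]),
]
```

Running `audit(SAMPLE)` reports only PHN-002, with its missing screen lock, remote wipe, 3-2-1 backups and outdated OS; the point is that each checklist item becomes a field the organization must actually be able to observe, which is exactly what is hard on personal devices.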

This mobile device security checklist is a good one to start with. It is targeted to technical folks but the items on the list should be discussed with management and users. Mobile device security is important and it’s something that all organizations should address.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
