Mobile Device Policy
This Policy applies to all mobile devices that are used for business purposes.
Mobile device theft (particularly of mobile phones) is one of the fastest-growing criminal activities in the U.S. Such theft poses a significant risk that an employee’s personal identification data may be compromised (possibly leading to identity theft) and/or that sensitive business/patient information may be disclosed (possibly leading to regulatory sanctions of the enterprise, civil or criminal penalties imposed on the employee and enterprise, and reputational harm). In today’s changing technological environment, minimizing risk to the employee and enterprise is critical.
The purpose of this Policy is to ensure that all business information stored on and transmitted using a mobile device is secured using an industry best practice standard that meets all regulatory requirements. This Policy defines individual responsibilities and the necessary security provisions for mobile devices such as laptop computers, smartphones, and tablets. This Policy applies to any mobile device which is used to access IT resources managed by the University of Maryland School of Medicine ("SOM").
- SOM Mobile Device: A SOM Mobile Device is broadly defined as any laptop computer, smartphone, tablet, etc. that is purchased and maintained by SOM for business purposes.
- Personal Mobile Device: A Personal Mobile Device is broadly defined as any laptop computer, smartphone, tablet, etc. that is purchased and maintained by an individual and is used for business purposes.
- Sensitive Data: Sensitive Data is broadly defined as information that must be protected against unwarranted disclosure. Access to Sensitive Data must be safeguarded in accordance with legal and regulatory standards, IT best practices, and organizational policy. The local storage of Sensitive Data on mobile devices should be minimized or risk-managed in accordance with the employee's duty requirements. Some examples of Sensitive Data include information on research subjects, protected health information, financial data, employee records, students’ grades, grants, contracts, and intellectual property.
- Electronic Protected Health Information (ePHI): Electronic Protected Health Information (ePHI) is broadly defined as electronic information about patients which must be protected from unwarranted disclosure in compliance with the HIPAA Security regulation. The local storage of ePHI should be minimized, if not avoided altogether. As a general rule, ePHI should only be accessed, stored, and exchanged through approved SOM file systems and data storage locations.
All SOM faculty, staff, students, and other designated users are required to comply with this Policy to ensure that any and all Sensitive Data or ePHI stored on or transmitted through use of a SOM Mobile Device or Personal Mobile Device is secure (i.e., protected).
Individual users are responsible for:
- Using a non-trivial password and/or biometric authentication as supported by the mobile device and required by SOM policy;
- Using secure network connections that are encrypted and require authentication, when possible;
- Using the mobile device in a lawful and responsible manner to avoid placing the employee or the organization in a position of liability for civil or criminal penalties (e.g., not taking unauthorized photographs or recordings);
- Configuring the mobile device according to the SOM configuration standards outlined in Section I;
- Reporting the loss or theft of a mobile device immediately to SOM administration; and
- Disposing of the mobile device following the procedures in Section IV below.
All SOM faculty, staff, and students are obligated to adhere to this Policy. Failure to do so may result in disciplinary action, as outlined in the University’s policies.
SOM will identify and implement appropriate technologies and processes for the security of SOM managed resources and the data which the organization has a responsibility to protect (see Implementation under Policies & Procedures). These technologies and safeguards apply to, but are not limited to, mobile devices including laptop computers, smartphones, and tablets.
I. MOBILE DEVICE CONFIGURATION
A SOM Mobile Device will be configured by SOM IT to be compliant with the mobile device policy.
SOM faculty, staff, and students who wish to use a mobile device to access and/or store Sensitive Data or ePHI must comply with the mobile device security standards, as updated from time to time, including:
- Apply operating system updates in a timely manner, either initiated by the end-user or applied automatically through configuration settings.
- Install an anti-virus/anti-malware security suite as per existing policy.
- For laptop computers: install and configure an approved full disk encryption solution in accordance with the current SOM disk encryption standard (i.e., AES-128) and recommended software (e.g., BitLocker, SecureDoc, FileVault).
- For smartphones and tablets: set full mobile device encryption as available for the mobile device model.
- Enable a non-trivial login password and/or biometric authentication as supported by the mobile device and required by policy.
- Enable timeout or switch to a locked screensaver after less than 15 minutes, with a password required to unlock the device, as outlined in, and in compliance with, the University’s workstation policy.
Note: Mobile devices (e.g., laptops) that run executable programs that might be interrupted by the activation of an automatic timeout or locked screensaver can use an alternate technical or physical security control to limit uncontrolled access to the device.
- Comply with the user policy training and acknowledgement as outlined in Section V below.
SOM IT resources will assist the end-user to ensure the mobile device is properly configured according to SOM security controls.
II. REMOTE ACCESS AND SECURE DATA TRANSMISSION
To minimize the risk of data transmissions between a mobile device and organizational resources being logged, intercepted or changed, all SOM faculty and staff who wish to use a mobile device to access SOM data or applications must comply with all current SOM remote access policies.
When an employee requests remote access to SOM IT resources (e.g., email to be set up on their smartphone), SOM will ensure that the mobile device is properly configured for remote use.
III. REPORTING A LOST OR STOLEN MOBILE DEVICE
- Immediately report the theft/loss of a mobile device to your supervisor and department/division leadership.
- If ePHI is stored or is otherwise accessible on or through the mobile device, report the theft/loss to the applicable privacy officer.
- Report the theft and details of the incident to the Campus Police (or police division where the incident occurred).
- Contact and report the theft/loss to the SOM Helpdesk -- email@example.com.
- SOM will work closely with the individual to minimize the potential exposure and disclosure of sensitive business and/or personal data that might be on a stolen/lost mobile device.
IV. SAFELY DISPOSING OF A MOBILE DEVICE
Mobile devices typically hold personal information, such as contact information for family and friends, call history, personal photos, stored passwords, and potentially Sensitive Data or ePHI that must not fall into the wrong hands. As such, there are some basic steps that should be taken prior to returning, disposing of, or passing ownership of your mobile device to someone else.
Step 1: Wipe your mobile device by initiating a "factory reset". Follow the instructions in the mobile device manual or check the website of your mobile provider or mobile device manufacturer.
Step 2: If disposing of and replacing a SIM and/or memory card, remove and physically destroy (e.g., shred) the card(s). If transferring cards to a new mobile device in your possession there is no need to wipe the card.
Step 3: After you have deleted all information on the mobile device, double-check to make sure all personal information, Sensitive Data and ePHI has been removed, including apps that you might have downloaded and installed.
Step 4: For a Personal Mobile Device, discard the mobile device with care. Mobile devices may contain hazardous chemicals and should be either recycled or donated. SOM IT staff can assist with safely wiping and disposing of the mobile device in an environmentally conscientious manner.
For a SOM Mobile Device, return the SOM-issued mobile device to SOM IT for disposal in a manner compliant with asset disposal practices.
V. MOBILE DEVICE RISK AWARENESS & STAFF ACKNOWLEDGEMENT
All SOM faculty and staff are currently required to complete compliance training in areas applicable to their duties (IRB, IACUC, EHS, HIPAA, etc.). SOM staff desiring to access Sensitive Data or ePHI on a mobile device will be provided with a best practice guide for mobile devices. Onboarding for new employees will include a security awareness and best practices overview with an emphasis on the additional steps that need to be taken to protect Sensitive Data or ePHI on a mobile device. Employees will need to acknowledge acceptance of the Statement of Security Policy.
VI. FPI/SOM MOBILE DEVICE SUPPORT
For more information or to schedule the installation of any of the above referenced technologies, please contact the SOM IS Helpdesk at firstname.lastname@example.org or the local IT support for your department.
Support for mobile devices is limited to configuration of security settings and connectivity to resources. Mobile device and carrier support is not covered within the scope of this Policy.
APPENDIX: REGULATORY REQUIREMENTS AND REFERENCES
Mobile Device Privacy and Security, March 2014. http://www.healthit.gov/providers-professionals/five-steps-organizations-can-take-manage-mobile-devices-used-health-care-pro
Managing Mobile Devices in Your Health Care Organization, December 2012. http://www.healthit.gov/sites/default/files/fact-sheet-managing-mobile-devices-in-your-health-care-organization.pdf
Guidelines for Managing the Security of Mobile Devices in the Enterprise, June 2013.