Are you protecting your mobile devices? They typically need to support multiple security objectives: confidentiality, integrity, and availability. To achieve these objectives, mobile devices should be secured against a variety of threats.
Centralized mobile device management (MDM) technologies are a growing solution for controlling the use of both organization-issued and personally-owned mobile devices by practice users. In addition to managing the configuration and security of mobile devices, these technologies offer other features, such as providing secure access to computing resources, including your EMR. There are two basic approaches to centralized mobile device management: use a messaging server’s management capabilities (sometimes from the same vendor that makes a particular brand of phone, like BlackBerry), or use a product from a third party that is designed to manage one or more brands of phone. Tier3MD does offer this service.
Practices Should Implement the Following:
- A system threat model – Mobile devices often need additional protection because their nature generally places them at higher exposure to threats than other client devices (for example, desktop and laptop devices only used within the practice’s facilities and on the practice’s networks). Before designing and deploying mobile device solutions, the practice IT or compliance department should develop system threat models. Threat modeling involves identifying resources of interest and the feasible threats, vulnerabilities, and security controls related to these resources, then quantifying the likelihood of successful attacks and their impacts, and finally analyzing this information to determine where security controls need to be improved or added. Threat modeling helps to identify security requirements and to design the mobile device solution to incorporate the controls needed to meet the security requirements.
- Determine the services needed – Most organizations do not need all of the possible security services provided by mobile device solutions. Categories of services to be considered include the following:
  - General policy: enforcing enterprise security policies on the mobile device, such as restricting access to hardware and software, managing wireless network interfaces, and automatically monitoring and reporting when policy violations occur.
  - Data communication and storage: supporting strongly encrypted data communications and data storage, and remotely wiping the device if it is lost or stolen and is at risk of having its data recovered by an untrusted party.
  - User and device authentication: requiring authentication before accessing organization resources, resetting forgotten passwords remotely, automatically locking idle devices, and remotely locking devices suspected of being left unlocked in an unsecured location.
  - Applications: restricting which applications may be installed (through whitelisting or blacklisting), installing and updating applications, restricting the use of synchronization services, digitally signing applications, distributing the organization’s applications from a dedicated mobile application store, and limiting or preventing access to the enterprise based on the mobile device’s operating system version or mobile device management software client version.
- Security policy – A mobile device security policy should define which types of mobile devices are permitted to access the practice’s resources, the degree of access that various classes of mobile devices may have—for example, practice-issued devices versus personally-owned (bring your own device) devices—and how provisioning should be handled. It should also cover how the organization’s centralized mobile device management servers are administered and how policies on those servers are updated. The mobile device security policy should be documented in the system security plan. To the extent feasible and appropriate, the mobile device security policy should be consistent with, and complement, the security policy for non-mobile systems.
- Testing – Aspects of the solution that should be evaluated for each type of mobile device include connectivity, protection, authentication, application functionality, solution management, logging, and performance. Another important consideration is the security of the mobile device implementation itself; at a minimum, all components should be updated with the latest patches and configured following sound security practices. Also, use of jailbroken or rooted phones should be automatically detected when feasible. Finally, implementers should ensure that the mobile device solution does not unexpectedly “fall back” to default settings for interoperability or other reasons.
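As an added example (not code from this article, from NIST SP 800-124, or from Tier3MD), the Python below shows what the compliance and access-control checks described in the list above look like when written down: each device record is evaluated against a policy for jailbreak/root status, minimum operating system and MDM client version, idle auto-lock, storage encryption, and blacklisted applications, and the result drives an allow/deny decision for access to practice resources. All device records, policy values and application identifiers are constructed for the example, and the `jailbroken` flag stands in for whatever detection the MDM agent actually provides.

```python
"""Minimal MDM-style compliance evaluator (illustrative, constructed data).

Not a Tier3MD product or a NIST reference implementation. A real MDM agent
would supply the device facts; here they are hard-coded sample records.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Policy:
    min_os_version: str             # lowest OS version allowed on the network
    min_mdm_client_version: str     # lowest MDM agent version allowed
    max_idle_lock_seconds: int      # device must auto-lock within this many idle seconds
    require_storage_encryption: bool
    blocked_apps: Set[str] = field(default_factory=set)   # application blacklist


@dataclass
class Device:
    device_id: str
    os_version: str
    mdm_client_version: str
    idle_lock_seconds: int          # 0 means auto-lock is disabled
    storage_encrypted: bool
    jailbroken: bool                # as reported by the (hypothetical) MDM agent
    installed_apps: List[str]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '16.4.1' into (16, 4, 1) so comparisons are numeric.

    Comparing version strings as text is a classic policy bug: '9.9' > '16.4'
    lexically, but (9, 9) < (16, 4) as tuples. Trailing zeros are dropped so
    '16.4' and '16.4.0' compare equal.
    """
    parts = tuple(int(p) for p in v.strip().split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def evaluate(device: Device, policy: Policy) -> List[str]:
    """Return the list of policy violations for one device (empty list = compliant)."""
    violations: List[str] = []
    # A jailbroken/rooted device can lie about everything else, so flag it first.
    if device.jailbroken:
        violations.append("device is jailbroken or rooted")
    if parse_version(device.os_version) < parse_version(policy.min_os_version):
        violations.append(f"OS {device.os_version} below minimum {policy.min_os_version}")
    if parse_version(device.mdm_client_version) < parse_version(policy.min_mdm_client_version):
        violations.append(f"MDM client {device.mdm_client_version} below minimum "
                          f"{policy.min_mdm_client_version}")
    if device.idle_lock_seconds == 0 or device.idle_lock_seconds > policy.max_idle_lock_seconds:
        violations.append("idle auto-lock disabled or longer than permitted")
    if policy.require_storage_encryption and not device.storage_encrypted:
        violations.append("storage encryption not enabled")
    blocked = sorted(set(device.installed_apps) & policy.blocked_apps)
    if blocked:
        violations.append("blocked applications installed: " + ", ".join(blocked))
    return violations


def access_decision(device: Device, policy: Policy) -> str:
    """'allow' only when the device has no violations; otherwise 'deny'."""
    return "allow" if not evaluate(device, policy) else "deny"


def fleet_report(devices: List[Device], policy: Policy) -> Dict[str, List[str]]:
    """Map each device id to its violations, the kind of report an MDM console shows."""
    return {d.device_id: evaluate(d, policy) for d in devices}


# Constructed sample policy and fleet (not real devices or version requirements).
POLICY = Policy(min_os_version="16.4", min_mdm_client_version="3.2",
                max_idle_lock_seconds=300, require_storage_encryption=True,
                blocked_apps={"com.example.unapproved-sync"})

SAMPLE_DEVICES = [
    Device("practice-tablet-01", "16.4.1", "3.2", 120, True, False, ["com.example.emr"]),
    # Old OS, auto-lock off, and a blacklisted sync app: three separate violations.
    Device("byod-phone-07", "9.9", "3.5", 0, True, False,
           ["com.example.emr", "com.example.unapproved-sync"]),
    # Current OS but jailbroken, outdated agent, and unencrypted storage.
    Device("byod-phone-12", "17.0", "3.1", 60, False, True, []),
]

if __name__ == "__main__":
    for device_id, problems in fleet_report(SAMPLE_DEVICES, POLICY).items():
        status = "compliant" if not problems else "NON-COMPLIANT"
        print(f"{device_id}: {status}")
        for p in problems:
            print(f"    - {p}")
```

The `byod-phone-07` record is there to show why `parse_version` exists: a check written as `device.os_version >= "16.4"` would wave through OS "9.9", because the string comparison is lexical. Any real deployment would also need the "fall back to defaults" case from the testing item above, i.e. a device that reports no values at all should be treated as non-compliant rather than as passing every check.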
For more information on the standards for protecting your mobile devices, see NIST Special Publication 800-124 Rev 1.