Organizations have come to rely on a variety of mobile devices for daily operations, telehealth/telework solutions, and medical device interfaces. Protecting the data that is transmitted or stored by devices such as cellphones, notebook computers, and tablets from unauthorized users is of critical importance. Approximately 3% to 6% of security incidents reported each year since 2018 have involved lost or stolen mobile devices. The risk of loss or theft can be compounded when: 

  • The organization’s systems and data may be accessed on both organization-owned/managed devices and users’ personal devices 
  • Mobile devices are often used outside of the organization’s facilities 
  • Users may not be aware of the security and privacy risks associated with using mobile devices 

The official function of a mobile device (telehealth, EHR data entry, remote access, etc.) should be clearly defined for the workforce. Technical and operational controls should then be implemented to protect the devices while in use and in the case of loss or theft. Key controls include: 

  • All users should receive Security Awareness Training that includes guidance on the use, transportation, and protection of mobile devices 
  • Users should be instructed to immediately report a lost or stolen device to the organization’s Information Security Department 
  • Device security settings should be enabled and enforced, such as confirming encryption, requiring a PIN or passcode, disabling local storage, and disabling screenshots 
  • A mobile device management (MDM) solution can be used to configure, deploy, and track both organization-owned and personal (BYOD) mobile devices 
  • A process should be established for remotely erasing a lost or stolen device, either on demand or when an unauthorized party fails to authenticate on the device a predetermined number of times 

By taking effective steps to prevent the loss or theft of a device and to minimize its impact, you can minimize the risk to your organization.