The BIDMC Mobile Device Security Initiative

For several years BIDMC has had an administrative policy requiring special security safeguards for mobile computing devices that connect to the data network.   Many of these devices are locally administered or personally owned.   Given state and federal regulatory changes, increased use of consumer devices to access/store data, and increased visibility of privacy related incidents, we believe that policy alone is inadequate to assure mobile devices have proper security safeguards.

As part of our Summer of Compliance activities, we are taking active technology and process steps to enhance mobile device security.

Here's an excerpt of what we'll be sending to all staff:

"Below are minimum requirements for mobile devices connecting to the BIDMC network.   Rather than rely on policy alone, we will be installing these configurations on devices connecting to our data network.   We have already begun phasing in some of these such as passwords on devices using Exchange Activesync and will continue until all mobile devices connecting to the BIDMC network are compliant.  

Password protection – The device must require a password or equivalent security feature before it can be accessed.  

Timeout – The device must be set to timeout and require re-entry of the password if not used for over 15 minutes.

Anti-Malware Protection – Laptops must have an up-to-date anti-virus software application installed.   The device’s operating system and third party applications such as Adobe, Microsoft Office, Java, and others must be properly patched.  

Unnecessary Software and Services – Wireless interfaces and applications such as Bluetooth must be disabled when not needed.   [

Encryption – The data must be encrypted.   Massachusetts law requires this if the device contains information protected under the State’s data privacy regulations.   HIPAA provides safe harbor if the entire storage disk is encrypted and there is a pre-boot authentication.     In a communication next week, I'll outline our aggressive mobile device encryption program.

Custody – The mobile device should be kept in your possession when traveling or in an uncontrolled environment such as a hotel room.   Prevent unauthorized persons from accessing sensitive content stored on the device or using it to access the BIDMC network.

Backup Protection – Protected health information or other confidential BIDMC data should ONLY be backed up using BIDMC data storage resources, e.g. your home directory.   Using public Internet cloud storage services to backup BIDMC sensitive information is prohibited.  "

I welcome feedback on your experience implementing such policies and technologies.   It's clear to me that healthcare organizations have no choice but to reduce personal choice and personal freedom in order to keep our patient data safe.