HC3 has recently released a mobile device security checklist aimed at helping healthcare organizations mitigate prevalent cybersecurity risks and strengthen the security of patient data. The healthcare sector uses an extensive range of mobile devices, many of them connected to networks and tasked with collecting, storing, and transmitting patient data. Given their critical role in healthcare operations, a large hospital may use thousands of these devices.
Nonetheless, these indispensable devices considerably widen the scope for potential attacks and often contain weaknesses that could be leveraged to gain access to patient information and the healthcare networks they connect to. The risks linked to these devices are contingent on their attributes and usage. Devices might get lost, be stolen, connect to unsecured Wi-Fi networks, or feature software and applications with exploitable vulnerabilities, leading to unauthorized network access or the installation of malware or ransomware.
To address these concerns, HC3 has developed a user-friendly HPH Mobile Device Security Checklist that offers recommendations for securing these devices, covering fundamental aspects of security that should be considered for all mobile devices used in healthcare settings:
- Control wireless broadcasts: Disable wireless communication protocols, such as Wi-Fi, Bluetooth, and broadband cellular, when not in use and delete connection specifics.
- Limit connectivity: Exercise caution when connecting to networks, particularly public or untrusted ones. When working from home, connect over a VPN and use reputable access points and modems with their security features configured and kept updated. Connect to corporate infrastructure only through authorized, encrypted wireless networks.
- Set application and software deployment limits: Minimize the number of deployed applications to reduce the device’s attack surface. Ensure applications are appropriate for handling the data they store and process. Healthcare organizations can choose to whitelist or blacklist applications as needed.
- Keep operating systems and software updated: Update devices and applications promptly. Implement automatic updates and installations, as long as they don’t interfere with device operations.
- Establish authentication requirements: Implement password policies, complexity requirements, and periodic password changes. Mask passwords as they are entered and use multi-factor authentication where feasible. Enable screen lock capabilities after a set period of inactivity.
- Use encryption: The HIPAA Security Rule treats encryption of electronic PHI as an addressable specification, so any device that stores or processes PHI (data containing any of the 18 HIPAA identifiers) should encrypt that data at rest and in transit, or the organization must document why an equivalent control is in place. Encryption also matters for breach handling: a lost or stolen device whose data was encrypted in line with HHS guidance does not trigger breach notification, an unencrypted one does. Turn on the platform's built-in storage encryption and add application-level encryption where the built-in protection does not cover the data in question.
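The checklist items above map naturally onto a compliance audit of whatever inventory your MDM already exports. The following script is an added example, not HC3's checklist or any MDM vendor's tooling: it evaluates constructed device records (the field names, the application allowlist, and the patch-age and lock-timeout thresholds are all assumptions) against the encryption, authentication, update, application and connectivity items, and treats a missing patch level as a finding rather than a pass.

```python
"""Audit an MDM device-inventory export against the HC3 mobile-device checklist.

Added example (not HC3's or any MDM vendor's code). The inventory records and
the policy thresholds below are constructed assumptions standing in for whatever
your MDM exports and whatever your organization's policy actually requires.
"""
from datetime import date

# Assumed policy thresholds; tune to your own policy.
MAX_PATCH_AGE_DAYS = 30          # "keep operating systems and software updated"
MAX_LOCK_TIMEOUT_S = 300         # "screen lock after a set period of inactivity"
ACCEPTABLE_UNLOCK = {"pin", "password", "biometric+pin"}   # "authentication requirements"
ALLOWED_APPS = {                 # constructed allowlist ("application deployment limits")
    "com.example.ehr",
    "com.example.secure-mail",
    "com.example.vpn",
}


def audit_device(dev: dict, today: date) -> list[str]:
    """Return the checklist findings for one device record (empty list = compliant)."""
    findings = []

    # Use encryption: storage must be encrypted at rest.
    if not dev.get("storage_encrypted", False):
        findings.append("storage not encrypted")

    # Authentication: require a real unlock method and a bounded auto-lock.
    method = dev.get("unlock_method", "none")
    if method not in ACCEPTABLE_UNLOCK:
        findings.append(f"weak or missing unlock method: {method}")
    timeout = dev.get("screen_lock_timeout_s")
    if timeout is None or timeout > MAX_LOCK_TIMEOUT_S:
        findings.append(f"screen lock timeout {timeout} exceeds {MAX_LOCK_TIMEOUT_S}s")

    # Updates: patch level must be recent; an unknown level is itself a finding.
    try:
        patch_level = date.fromisoformat(dev.get("os_patch_level", ""))
    except ValueError:
        findings.append("os patch level unknown")
    else:
        age = (today - patch_level).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.append(f"os patch level {patch_level} is {age} days old")

    # Application limits: anything outside the allowlist is a finding.
    unapproved = sorted(set(dev.get("installed_apps", [])) - ALLOWED_APPS)
    if unapproved:
        findings.append("unapproved apps: " + ", ".join(unapproved))

    # Limit connectivity: auto-joining open Wi-Fi bypasses "authorized, encrypted networks".
    if dev.get("auto_join_open_wifi", False):
        findings.append("auto-join of open Wi-Fi networks enabled")

    return findings


def audit_inventory(devices: list[dict], today: date) -> dict[str, list[str]]:
    """Map device id to its findings, listing only non-compliant devices."""
    report = {}
    for dev in devices:
        findings = audit_device(dev, today)
        if findings:
            report[dev["device_id"]] = findings
    return report


# Constructed sample export; field names are assumptions, not a real MDM schema.
AUDIT_DATE = date(2023, 6, 1)
SAMPLE_INVENTORY = [
    {"device_id": "tablet-001", "storage_encrypted": True, "unlock_method": "pin",
     "screen_lock_timeout_s": 120, "os_patch_level": "2023-05-15",
     "installed_apps": ["com.example.ehr", "com.example.vpn"], "auto_join_open_wifi": False},
    {"device_id": "tablet-002", "storage_encrypted": False, "unlock_method": "swipe",
     "screen_lock_timeout_s": 1800, "os_patch_level": "2022-11-01",
     "installed_apps": ["com.example.ehr", "com.social.chat"], "auto_join_open_wifi": True},
    {"device_id": "phone-003", "storage_encrypted": True, "unlock_method": "password",
     "screen_lock_timeout_s": 300, "os_patch_level": "",
     "installed_apps": ["com.example.secure-mail"], "auto_join_open_wifi": False},
]

if __name__ == "__main__":
    for device_id, findings in audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(device_id)
        for finding in findings:
            print("  -", finding)
```

Run against the sample export, tablet-001 is compliant, tablet-002 fails every item, and phone-003 is flagged solely because its patch level is missing; in a real deployment the records would come from the MDM API and the findings would feed a ticketing or remediation workflow rather than stdout.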
The HPH Mobile Device Security Checklist is part of a growing array of free security resources for healthcare organizations and critical infrastructure entities. For example, the Cybersecurity and Infrastructure Security Agency (CISA) recently launched the Ransomware Vulnerability Warning Pilot (RVWP) to help these entities proactively address vulnerabilities.
Through the RVWP, CISA identifies vulnerable systems and swiftly alerts system owners via phone or email, equipping them to tackle emerging cyber threats. Notifications include key information about the vulnerability and guidance for effective mitigation.
By implementing HC3’s recommended measures, healthcare organizations can better protect their mobile devices and the sensitive data they contain, ultimately safeguarding patients’ privacy and ensuring the continued security of healthcare operations.