HHS Prescribes 11 Steps for Securing Mobile Devices

By Chad Grant, posted Dec 18, 2012 09:16 AM

  

HHS recommends several policy approaches to managing mobile devices, along with 11 specific steps organizations can take. The steps would apply to any public-sector agency that deals with sensitive information.

1. Use a password or other user authentication
Configure mobile devices to require passwords, personal identification numbers or passcodes for access, and set the devices to lock their screens after a set period of device inactivity.

2. Install and enable encryption
Activate the device's built-in encryption capabilities. If no such capabilities exist, install encryption software.

3. Install and activate remote wiping and/or remote disabling
Use remote wiping to permanently erase data on a device that has been lost or stolen. Remote disabling can lock the data instead, so the device remains usable if it is recovered.

4. Avoid file-sharing applications
Disable file-sharing apps that are on a device, and do not install any new ones. File-sharing software enables collaboration and the trading of files but also provides a way for unauthorized users to access mobile devices.

5. Install and enable a firewall
Use a personal firewall on individual devices that will detect attempts to connect and will allow or block each connection based on pre-set rules.

6. Install and enable security software
Protect against malicious applications, viruses, spyware and malware-based attacks with security software.


7. Keep security software up to date
Ensure security software is current.

8. Research mobile apps before downloading
Only install and use apps from known, reputable providers and verify that an app performs only the functions it should.

9. Maintain physical control
Keep mobile devices in locked drawers if they are not being carried by the user. Device screens should be locked, and users should not share devices.

10. Be careful with public Wi-Fi networks
Do not send or receive health information via a public Wi-Fi network unless it has secure, encrypted connections.

11. Delete all stored health information before discarding or reusing the mobile device
Follow HHS guidance to remove health information and other sensitive data before throwing out or reusing a mobile device.


http://www.healthit.gov/providers-professionals/how-can-you-protect-and-secure-health-information-when-using-mobile-device

Source: GCN
