
Don't Forget Phone Security

Written by HORNE Healthcare | October 08, 2015

If I had to guess, I’d say you are reading this on your iPhone, iPad, Galaxy or some other mobile device. I’m not clairvoyant; research shows more than half of all emails are opened on mobile devices. It’s likely that if you use tablets or smartphones, you use them in almost every facet of your life, from communicating with your friends, family members and work associates to helping with homework, paying bills and working from home. Fortunately, the security built into these systems is generally adequate for most of your personal needs.

What happens, however, when a business allows its employees to access company networks, email and data remotely? Security becomes a much thornier issue.

Cyber attacks are very real threats to businesses of any size. If you have data and a connection to the Internet, you are at risk. As a result, management must balance the convenience of mobile devices against the need to secure the organization’s data.

We recommend creating a written policy concerning the use of mobile devices that details what is allowed and what isn’t. Ask employees using personal devices to sign an acknowledgement of the policy. Clearly communicate that it may be necessary to wipe a personal device clean if it’s lost or stolen or when the employee leaves the company.

Here is a list of some of the more important issues we think should be included in such a policy.

The policy should:

  • Specify whether corporate or client data can be stored on the device.
  • Require use of encryption for mobile devices storing corporate or client data.
  • Require installation of mobile device management software on devices that store company or client data and are used offsite.
  • Require password security for all mobile devices. Secure passwords involve a certain level of complexity and should be changed regularly.
  • Specify device review procedures for employees using mobile devices to process or transmit corporate data. Employees should permit the company to review the devices at any time to ensure that sensitive data is not being stored or transmitted inappropriately.
  • Specify if employees are allowed to use their own devices, a practice known as “bring your own device” or “BYOD.”
  • Specify whether or not devices that have been altered in a process known as “jailbreaking” will be allowed. Jailbreaking gives users unrestricted access to the entire file system of their mobile devices, allowing them to circumvent limitations imposed by wireless carriers or phone manufacturers. Problems arise because it is difficult to tell whether such a device already carries software that would allow a hacker unauthorized access to the business network or files. Prohibiting these devices is recommended.
  • Specify that the mobile device should have settings enabled to prevent it from automatically connecting to Wi-Fi hotspots at places such as coffee shops, restaurants or hotels.
  • Specify that the “auto-join” feature for wireless networks is disabled on the device. Hackers can use the mobile device’s history to create their own wireless access points that mimic access points a device previously accessed. If an employee has the mobile device set to join a wireless network automatically, the device could connect to the rogue access point without the user knowing. We recommend instructing users to enable the “Ask to Join Networks” feature to prevent this from happening.
  • Specify the parameters for use of iCloud sync or other comparable services. Include whether iCloud sync is allowed or not. If it is, specify the types of information and data the phone is allowed to auto-sync to the iCloud. If auto-sync settings are not properly configured, sensitive, unencrypted corporate and client files could be sent to the cloud without an employee’s knowledge.
  • Specify how email is to be removed from the device, and require installation of MDM software on all mobile devices used by your employees. Most MDM software can perform either a container wipe, deleting only the managed email and its data, or a full wipe of the device. If you adhere to the previous recommendations in this list, it may not be necessary to perform a full wipe. If you don’t adhere to the suggested policies and only perform a container wipe, you may leave sensitive information stored elsewhere on the device, such as in text messages, third-party applications or directly on the device’s local storage.

This list of considerations for creating a mobile device policy certainly isn’t exhaustive, but it can provide a good start. Feel free to customize it to your organization. We also recommend that you consult your company’s legal counsel as you craft your policy. Once you have finalized it, it is crucial to educate your employees about its specifics and to communicate the policy’s importance.
