Top 5 tips for mobile device compliance

As more employees use their personal mobile devices at work, it is vital that healthcare organizations have a "policy to in place to keep their employees productive and their data safe," says one expert.

Michael Maloof, chief technology officer for TriGeo Network Security, Inc., a provider of security information and event management solutions based in Post Falls, Idaho, says that in order for HIPAA policies to be maintained, it is critical that organizations' human resources and IT departments work together to educate employees on mobile device policies.

It is important to remember that if an organization falls short, "they will be held liable and people will lose their jobs." Maloof says. He calls this a "business-ending event."

Maloof shared with Healthcare IT News his top five tips for maintaining compliance in a healthcare setting

1. Develop, communicate and enforce a clear personal device policy. First off, says Maloof, "you can't ban – it is just not practical to ban personal devices." Today, employees are using their phones and iPads as "personal productivity tools," he says. Instead of banning, organizations should have a policy that ensures employees have a "legitimate business use for the device." They should be asking, "What do they intend to do with these devices" he says. "These devices should not be a repository for data." For example, doctors shouldn't be copying patient data onto a personal device to work on at home later. Organizations should also have systems in place that can monitor and alert them if employees are in violation. 
2. Control USB device usage (ban them altogether, or block access to certain users and allow only encrypted devices). According to Maloof, "there are very few legitimate use cases for a USB devices." The vast majority of organizations shouldn't need to use these, but for those that do, you can control it quite granularly." For instance, organizations can create policies that say "this user can use this key for X" and match it to a serial number to monitor its use. And data should always be encrypted.
3. Allow only properly-secured mobile devices. It is possible to have corporate policies when it comes to employees using their personal phones at work, says Maloof. Organizations can have a policy that says employees must register their phones with them. This way if the phone is lost or stolen it can be wiped clean. "That is a minimum security policy," he says. Policies regarding the installation of certain apps are also a way to prevent them from installing a "trojan or malware designed to work its way into the corporate network," he adds.
4. Round-the-clock network monitoring and alerts. Organizations should have systems in place that allow them to monitor devices to generate event traffic, says Maloof. For example, if there is a failure to log on to a device, this should trigger an alarm that there is a problem. Or an alarm should be triggered if an authorized USB has been plugged into a machine that is not its normal location. This is especially important, Maloof says, because USB devices are still the number one concern for organizations today since they are "so small but can hold so much data." 
5. Event correlation. An organization should have a system in place that allows them to "assemble all the pieces to get a picture of the puzzle," says Maloof. A million events could occur each day, he adds, and it would be like finding a "proverbial needle in a haystack to sort out which events correlate with  suspicious activity." The system should be able to correlate which events should be top priority.