Safeguarding Mobile Devices

Not to overstate the obvious, but smartphones and tablets have become commonplace in modern offices. Given their portability, the main threat to these mobile devices is theft (and loss). If a lost or stolen device contains patient data, it can constitute a data breach under HIPAA and state data breach laws. What steps should you take to avoid that?

  1. Encrypt the device. If encryption isn’t already enabled, turn it on. It’s easy to do and the setting can be found within the device’s Settings app. Current versions of iOS and Android encrypt storage by default, but the encryption key is protected by your passcode, so encryption on a device with no passcode (see the next step) offers little protection.
  2. Always set a passcode/password. A passcode is a short numeric PIN (four or six digits on most devices) required to unlock the device. Without one, anyone holding your smartphone or tablet can access everything on it simply by turning it on. For extra protection, nearly all devices offer the option to use a longer alphanumeric password instead; a longer passcode also makes the encryption from step 1 far harder to brute-force.
    A number of phones also allow you to use a fingerprint scanner, though hackers found a way around the technology within days of its initial release. Treat a fingerprint as a convenience layered on top of the passcode rather than a replacement for it; the device still requires the passcode after a restart.
  3. Turn on the auto-lock function. Right after you set a passcode or password, enable the auto-lock function on your device and set it to as short a period as you’re comfortable with (preferably under five minutes). Aside from saving a bit of battery life, a shorter period makes it that much less likely that someone who picks up your phone or tablet will find it still unlocked.
  4. Back up your data. Backing up the data on your smartphone or tablet is fairly easy, and it’s the kind of thing you’ll REALLY wish you’d done if your device gets lost, stolen, or just stops working. Backing up can be done by syncing your device to your computer, a work network or online (i.e., through “the cloud”). Keep in mind that a backup containing patient data is itself a copy of PHI: encrypt it (iTunes/Finder backups of an iPhone, for example, have an “Encrypt backup” option) and store it only where your organization is permitted to keep such data.
  5. Enable remote wiping on your device. In case of loss or theft, personal and business data can be protected from prying eyes. A remote wipe performs a factory reset, erasing all data on a smartphone or tablet. If the device has been backed up, the information can be restored on a replacement (or the original, if you get it back). A number of mobile security apps, as well as Apple’s Find My iPhone/iPad app, can be configured to enable remote wiping. On Apple devices running iOS 7 or higher, Find My iPhone includes an “Activation Lock” feature that prevents anyone who finds or steals your device from actually being able to use it.[40] Google added a similar feature called “Device Protection” on devices running Android 5.1 or later.[41] One caveat: the wipe command only runs when the device next connects to the internet, and a thief who removes the SIM card and keeps the device offline can prevent that. Remote wipe therefore complements encryption and a passcode rather than replacing them.
    Many devices can also be set to perform an automatic factory reset after a set number of incorrect passcode attempts (on iOS this is the “Erase Data” option in the passcode settings). With a current backup in place, the downside of a mistaken wipe is small.
  6. Log out. Always log out of any sensitive online services and accounts when you aren’t using the phone or tablet. Otherwise, if the device is lost or stolen, whoever has it in hand will effectively appear to be you, whether it’s through a social media app… or your bank.
  7. Don’t have any PHI on a mobile device unless you absolutely have to. If you’ll forgive the oversimplification, a hacker can’t steal information that isn’t there in the first place. Another concern is malware specifically designed for mobile operating systems (particularly for Android devices).[42] A smartphone or tablet can be exposed to mobile malware via an infected website, online ad or app, or through a web link or attachment in an email or text message. Most mobile malware isn’t designed to break into a network through the infected device and steal network data, but it can still steal data found on the device itself, or simply be a nuisance by inundating your phone or tablet with ads and/or significantly slowing it down. A nasty threat called ransomware (which we will discuss in the next section) also exists for mobile devices. With that in mind, what are the protective measures that you should take to safeguard your devices?
  8. Update your software. Updates to your mobile operating system and to the apps on your smartphone or tablet often include security fixes and should generally be installed as soon as they’re available. And yes, there may already be some waiting when you first take the device out of the box. There is one caveat: software updates sometimes have inadvertent negative effects on older mobile devices. If your device is an older model, it’s a good idea to check online first for articles or discussions about problems with that update on your model of phone or tablet. A device that no longer receives security updates at all should not be used to handle PHI.
  9. Use mobile security software. While security apps won’t protect you from everything, they do offer helpful features, including device tracking and protection against some mobile malware. There are a number of good free and paid mobile security apps for the Android OS.[43]
  10. Don’t jailbreak or root your phone or tablet. “Jailbreaking” or “rooting” a mobile device refers to overriding the manufacturer’s restrictions – including disabling the device’s security protections and, often, future updates – to allow it to download and use apps and other features that are normally not permitted on the device (jailbreaking refers to the process as it applies to an Apple iPhone, iPod Touch or iPad, and rooting is much the same for a smartphone or tablet running the Android mobile operating system). Jailbroken and rooted devices are far more exposed to mobile malware, since the process removes the protections that normally keep apps isolated from the operating system and from each other, and they should never be connected to a business computer network. Mobile device management (MDM) and network access control software can detect jailbroken and rooted devices and prevent them from connecting to your network.
  11. Check app permissions (and read reviews). Why would a game need access to your address book? Whenever you download an app, it will request “permissions” that allow it to use different functions and data on your phone or tablet. It may seem a little tedious, but you really need to check them before saying yes and installing the app. Newer versions of iOS and Android also let you grant or deny individual permissions (such as location, contacts or the camera) after installation, in the device’s Settings app. Apps requesting unnecessary permissions are especially common among free versions of normally paid apps and apps obtained from third-party app stores. Avoiding both isn’t a bad idea. Also read reviews before downloading an app – if there are only a few reviews, or a lot of bad ones, play it safe and don’t download it.
  12. Think before you click. Many tainted websites – including ones linked from an email or text message – are infected with mobile-specific malware that can be extra tricky to detect, since you can’t hover over a link (to see whether it goes where it appears to) on a mobile device. You can, however, press and hold a link on most phones and tablets to see the actual web address before opening it. Beyond that, your best defense against electronic attacks on your mobile device is common sense. If something doesn’t look quite right or sounds too good to be true, it probably is, and you should leave it alone.

Proper disposal of mobile devices is somewhat similar to other types of data disposal, though smartphones and tablets use solid state/flash data storage, so degaussing (the magnet-based erasure used on hard drives) won’t have any effect. What will? Glad you asked – here are two methods:

  • A properly executed “factory reset” will electronically reset the device to its original unused state, removing all data and downloaded applications. It can be found within the device’s Settings app or triggered via remote wiping. On an encrypted device (step 1 above) the reset also discards the encryption key, which is what makes the leftover flash contents unreadable, so encrypt before you ever need to reset. Remove the SIM card and any removable memory card first, since a reset does not necessarily erase them, and sign out of the Apple ID or Google account on the device so that Activation Lock or Device Protection doesn’t leave it unusable for the next owner. If you really want all traces of the information gone, remember to delete synced data as well.
Factory reset page on an Android smartphone.
Image Source: Author.
  • As with other types of data, physical destruction will leave no doubt (and no phone afterwards).

If you’re curious for additional detail regarding the proper disposal of mobile data – including what constitutes “clear,” “purge” and “destroy” for each type of storage media – take a look at NIST SP 800-88.[37]