Page 39 - Mobile Data Loss

Ensuring Mobile Compliance  33

credit card data from the Mobile POS App. Knowing this drawback, some EMM solutions have added offline operating system compromise detection and the ability to enforce a local policy on the device. This allows the data to be selectively wiped from the device when it is in an off-the-network state and allows the wipe to be performed closer to real time. PCI embraced this by adding it to the Mobile Payment Acceptance Security Guidelines in version 1.1.



HIPAA

In healthcare, mobile devices offer a more cost-effective way to mobilize healthcare employees within a hospital. These devices are typically much cheaper than proprietary traditional mobile devices and can be more easily updated through simple over-the-air app updates, rather than a full device update through a tethered approach, which can be cumbersome. Mobile devices are also being used to improve patient recovery by offering patients a temporary mobile device to use while they are in the hospital recovering. Even more interesting, in-home healthcare is making a dramatic comeback: nurses and physicians are now equipped with mobile devices to provide care in the home, and this historic approach to healthcare is becoming popular again.

The Health Insurance Portability and Accountability Act (HIPAA) outlines Privacy, Security, and Enforcement Rules for health information. This encompasses the HITECH Act, which outlines the rule for Breach Notification.[2]

There are many categories that comprise these standards, but the one most applicable to securing Patient Health Information (PHI) on mobile devices is the 164.312 Technical Safeguards to protect Electronic Patient Health Information (ePHI). This includes Confidentiality, Integrity, and Availability (CIA) of all ePHI. The CIA security objectives model is outlined by NIST.

The 164.312 Technical Safeguards outline an overall strategy for securing patient health information, which can be applied to mobile devices. Table 4.3 outlines the safeguards.

[2] Federal Register, Friday, January 25, 2013, Department of Health and Human Services, Vol. 78, No. 17.