Page 40 - Mobile Data Loss
P. 40
34 Mobile Data Loss
Table 4.3 HIPAA 164.312 Technical Safeguards
Section Requirement
Access Control 164.312(a)(2)(i)—Unique User Identification
164.312(a)(2)(iii)—Automatic Logoff
164.312(a)(2)(iv)—Encryption and Decryption
164.312(a)(2)(ii)—Emergency Access Procedure (written procedures)
Audit Controls 164.312(b)—Audit Controls
Integrity 164.312(c)(1)—Integrity
164.312(c)(2)—Authenticate ePHI
Authentication 164.312(d)—Person or Entity Authentication
Transmission Security 164.312(e)(1)—Transmission Security
164.312(e)(2)(i)—Integrity Controls
164.312(e)(2)(ii)—Encryption
Mobile is well-equipped to meet these requirements. The ease of
support for certificates, as well as the fundamental application
sandboxing, provides a great strategy for protecting data-at-rest and
data-in-motion.
Containerization is commonly supported on mobile devices today
to allow separation of health data from personal or nonsensitive data.
This containerization provides encryption for data-at-rest including
email and attachments, application data, and content (eg, health
records). Additionally, data-in-motion is secured through an encrypted
tunnel, for example an application tunnel or per-App VPN (iOS) with-
out the need for a VPN.
Certificates can be used for authentication and automatically
pushed down to the device for authenticating email, fileshares, content
access, applications, and secure web access. This inherently provides
integrity of the device connecting as the device can be validated as a
sanctioned device. And closed-loop compliance actions provide an
automated way of quarantining a device that falls out of compliance
by selectively wiping the health data from the device.
CJIS
The Criminal Justice Information Services (CJIS) Security Policy out-
lines minimum security requirements for information protection. It
applies to agencies that access “Federal Bureau of Investigation (FBI)
