Mobile Device Security
Connected mobile devices, including smartphones, tablets, and laptops, have become a ubiquitous presence in everyday life, offering always-on connectivity no matter the location. In fact, 95 percent of Americans now own a cell phone of some kind, with 77 percent owning a smartphone – up from 35 percent just eight years ago.[1]
When such devices are used to store and transmit sensitive data, the added convenience carries with it a significant risk. At a University where such stored data may include information on thousands of students, patients, payment transactions and proprietary research, that risk can be enormous: the loss or compromise of data is compounded by the financial loss stemming from fines and fees, as well as damage to the University’s reputation.
As a case in point, a Texas-based academic medical center was recently fined more than $4.3 million in Health Insurance Portability and Accountability Act (HIPAA) violation penalties. The fines were a result of three data breach incidents that involved the theft of a single unencrypted laptop and two unencrypted USB drives from an employee’s residence. Combined, these devices contained the protected health information of more than 33,500 individuals.[2]
The Risks
Here at the University of Kentucky, data is classified into three categories[3]:
- Confidential Data – High-risk data that requires protection by law. Examples include patient health data subject to HIPAA, or student records subject to the Family Educational Rights and Privacy Act.
- Private Data – Moderate-risk data that requires protection by contractual obligation. Examples include non-confidential research data or data covered by non-disclosure agreements.
- Public Data – Low-risk data that needs protection at the discretion of the data owner. Examples include departmental websites, campus maps, or directory data.
It is imperative for data classified as confidential or private to be adequately safeguarded to meet regulatory and contractual requirements. Failure to mitigate the risks associated with mobile devices may result in a substantial financial and reputational loss for the University.
12 Tips for Securing Your Mobile Data
By employing some relatively simple security precautions, individuals and units can help to minimize the risks associated with sensitive data stored on mobile devices.
- Minimize your mobile data footprint – One of the easiest ways to secure data on mobile devices is to simply remove it from the device. Take an inventory of the sensitive data you store on smart devices and determine whether it is necessary to have that data on the go or whether saving it creates unnecessary risk.
- Be mindful of physical security – One laptop is stolen every 53 seconds, and more than 70 million smartphones are lost each year.[4] Do not leave mobile devices unattended, especially in public areas or while traveling. When not in use, store your device in a locked, secure area.
- Avoid the use of untrusted, potentially unsecured wireless networks – UK has several secure options, depending on your location:
  - UK’s campus - use the secure eduroam wireless network.
  - UK HealthCare areas - use the ukhc-guest, gobigblue, or ukhc-clinical networks, depending on device type and ownership (contact the UK Healthcare Information Technology (IT) Service Desk for more details and configuration assistance).
  - Off-campus - If you must use an untrusted network, configure your device to use UK’s VPN service to ensure that network communications are secured.
- Encrypt your device – Encryption is one of the best methods of keeping sensitive data out of the wrong hands. In the event of device loss or theft, mobile device encryption – or lack thereof – may mean the difference between a relatively minor incident and a high-profile data breach leading to potentially devastating losses. IT units should ensure that required encryption standards are met for UK-owned devices. UK faculty and staff with personal mobile devices storing sensitive data should ensure that encryption is enabled on the device. Encryption technologies vary by device and manufacturer:
  - Apple iOS (iPhones, iPads): Encryption is activated when a passcode is set.
  - Android devices: Encryption is available, though it may not be enabled by default. Encryption options are available under the Security settings menu.
  - Windows computers: BitLocker encryption is available, though not enabled by default.
  - Apple (Mac) computers: FileVault encryption is available, though not enabled by default.
- Use a strong password – Ensure that devices require a password to be unlocked. Passwords should be strong and difficult to guess. The most robust encryption may be rendered useless by a weak, easily guessed password.
- Configure your device to receive automatic security updates – Many emerging security threats rely on unpatched vulnerabilities to spread quickly. Device and application updates should be downloaded and installed frequently.
- Keep track of your device’s location – Enable your device’s location service features, such as Find My iPhone (for iPhones) or Find My Device (for Android devices). In the event of a loss, such features may allow you to locate or remotely wipe the device.
- Install only trusted applications – Avoid untrusted applications that may access or transmit sensitive information on your device. If in doubt about an application, contact your IT support personnel before installing.
- Be familiar with your unit’s security policy and procedures – IT support units should establish Information Security and “Bring Your Own Device” policies and ensure that they are regularly communicated to faculty and staff.
- Register your device with AirWatch (MC users only) – Faculty and staff on the Medical Center (“MC”) domain should install AirWatch, a mobile security suite implemented for enhanced security and compliance with HIPAA and other regulatory requirements. AirWatch ensures that certain security-related features, such as encryption and password protection, are enabled. For more details and installation instructions, visit https://spwww.ukhc.org/airwatch/SitePages/Home.aspx or contact the UK Healthcare IT Service Desk.
- Dispose of devices securely – Never sell, give away, dispose of, or otherwise transfer ownership of your device until it has been entirely and securely wiped to remove all data.
- Report security breaches immediately – UK Administrative Regulation 10:8 and UK HealthCare Policy #A13-010 require that users be diligent in their protection of data and response to security threats. Known or suspected breaches – including mobile devices that may have been lost, stolen, or otherwise compromised – must be reported immediately through either the IT Security & Policy Office at cybersecurity@uky.edu or ITS User Services at 218help@uky.edu or 859-218-4357. Losses or breaches in UK HealthCare areas must also be reported to the Chief Privacy Officer in the Office of Corporate Compliance at 859-323-1184. Swift reporting is critical.
There is no question that mobile devices enhance our productivity and quality of life. By taking a proactive approach and implementing sound policies and procedures to safeguard mobile data, device owners and IT units can significantly reduce the risk associated with the loss or compromise of sensitive data as we take our work “on the go.”
For more information about mobile device security, or to schedule an IT consultation to review practices for handling mobile devices and sensitive information in your unit, please contact UKIA at 859-257-3126.
If you would like to receive news and information about current risks, fraud concerns and more, please subscribe to UKIA’s listserv by sending an e-mail to LISTSERV@lsv.uky.edu with the following text in the message body: subscribe INTERNALAUDIT-L.
Additional Resources:
- https://www.uky.edu/its/sites/www.uky.edu.its/files/UK%20Best%20Practices%20for%20Data%20Protection.pdf
- https://www.uky.edu/its/sites/www.uky.edu.its/files/5steps-ITSlogo.pdf
- https://www.uky.edu/its/sites/www.uky.edu.its/files/ISS-6-3%20Smart%20Phone%20and%20Mobile%20Storage%20Device%20Standard.pdf
- https://www.uky.edu/its/sites/www.uky.edu.its/files/ISPO-1-0%20Information%20Security%20Policy.pdf
- https://www.uky.edu/its/sites/www.uky.edu.its/files/Best%20Practices%20in%20Securing%20Sensitive%20Personal%20Information.pdf
- https://www.uky.edu/its/sites/www.uky.edu.its/files/ISPO-9-0%20Security%20Breach%20Notification%20Policy.pdf
[1] https://www.pewinternet.org/fact-sheet/mobile/
[2] https://www.hhs.gov/about/news/2018/06/18/judge-rules-in-favor-of-ocr-and-requires-texas-cancer-center-to-pay-4.3-million-in-penalties-for-hipaa-violations.html
[3] https://www.uky.edu/its/policies/data-classification
[4] https://www.forbes.com/sites/steveolenski/2017/12/08/is-the-data-on-your-business-digital-devices-safe/#397fb7994c6a