Many government regulations address mobile device use, directly or indirectly, whether the device is government-issued or personally owned. For example, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule is designed to protect an individual's electronic protected health information (ePHI) that is "created, received, used, or maintained by a covered entity." Because mobile devices can store data on the device, any ePHI exchanged when using the device is at risk of unauthorized disclosure. Using a mobile device connected to a public or otherwise unsecure Wi-Fi connection also poses a risk to ePHI because those connections are easily sniffed.
The same principles apply to personally identifiable information, or PII. The Department of Defense (DoD) states that mobile and wireless devices may not be used "in lieu of established 'wired' telephones" and must be used only for official business and authorized use. The DoD Privacy Program requires DoD contractors involved in the "design, development, operation, or maintenance of any system of records" to adhere to specific rules of conduct that protect PII on its systems, which include mobile devices. The Federal Information Security Modernization Act (FISMA) of 2014 considers mobile devices that receive federal email to be "connected," and the Department of Labor states that "It is the responsibility of the individual user to protect data to which they have access."
The risks that threaten compliance
Unlocked and unprotected devices, as well as human behavior, present dire risks to compliance. Mobile device and behavior-based risks cover a lot of ground. A jailbroken or rooted device, a device without an anti-malware app and firewall installed, and a device with sideloaded apps (those installed from unsecure sources) render the device non-compliant. Disabling password protection, connecting to open Wi-Fi networks, and saving files to personal cloud storage are actions prohibited by most security policies. Many government CIOs have accepted the reality that employees use personally owned devices at work. BYOD policies spell out acceptable usage to reduce the risk to ePHI, PII and other sensitive information, and to help protect the security of government systems.
However, the hair-raising State of Federal BYOD report by mobile security company Lookout in 2015 revealed that 40 percent of government employees whose agencies limit or prohibit the use of personal devices for work ignore those policies. Moreover, of the 1,000+ federal employees surveyed, 58 percent said they were aware of cybersecurity risks or consequences of using personal devices for work, yet 85 percent said they use the devices anyway.
Protection techniques and mechanisms
Technical solutions such as device authentication, enforced user passwords, virtual private networking, encryption of data stored on the device, quarantining of non-compliant devices, and a sound mobile device management (MDM) solution are key to protecting sensitive information. Strong security and compliance policies and employee security training are equally important, though, because many of the risks above come down to human behavior.
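The controls in the preceding paragraph are usually enforced through an MDM compliance policy: the agent on the device reports its posture, the policy turns that report into findings, and the findings decide whether the device is allowed in, restricted, or quarantined. The following is an added example (not code from the page, from NIST, or from any MDM product) that models such a policy over the risks named in this article. The posture fields, severity levels, the six-character passcode minimum and the quarantine/restrict thresholds are all assumptions; the device reports at the bottom are constructed sample data.

```python
"""Device-posture compliance evaluation modelled on the controls described above.

Illustrative example only: field names, severities and thresholds are assumed,
not taken from any agency guidance or MDM product.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List


class Action(str, Enum):
    ALLOW = "allow"            # fully compliant: grant access to agency systems
    RESTRICT = "restrict"      # compliant with findings: block ePHI/PII until fixed
    QUARANTINE = "quarantine"  # non-compliant: isolate from agency systems


@dataclass
class DevicePosture:
    """What an MDM agent would report about a device (field names assumed)."""
    device_id: str
    jailbroken_or_rooted: bool
    passcode_enabled: bool
    passcode_min_length: int          # minimum length the device's own policy enforces
    storage_encrypted: bool
    anti_malware_installed: bool
    sideloaded_apps: List[str] = field(default_factory=list)
    wifi_security: str = "WPA2"       # "OPEN", "WEP", "WPA2" or "WPA3"
    vpn_active: bool = False
    personal_cloud_sync_enabled: bool = False


@dataclass
class Finding:
    control: str
    severity: str     # "critical" | "high" | "medium"
    detail: str


REQUIRED_PASSCODE_LENGTH = 6   # assumed policy value


def evaluate(p: DevicePosture) -> List[Finding]:
    """Map a posture report onto the risks listed in the article."""
    f: List[Finding] = []
    if p.jailbroken_or_rooted:
        f.append(Finding("platform-integrity", "critical", "device is jailbroken or rooted"))
    if not p.passcode_enabled:
        f.append(Finding("device-auth", "critical", "passcode protection disabled"))
    elif p.passcode_min_length < REQUIRED_PASSCODE_LENGTH:
        f.append(Finding("device-auth", "high",
                         f"passcode policy allows fewer than {REQUIRED_PASSCODE_LENGTH} characters"))
    if not p.storage_encrypted:
        f.append(Finding("data-at-rest", "critical", "storage not encrypted; ePHI/PII on device exposed"))
    if not p.anti_malware_installed:
        f.append(Finding("anti-malware", "high", "no anti-malware app installed"))
    if p.sideloaded_apps:
        f.append(Finding("app-source", "high", "sideloaded apps: " + ", ".join(p.sideloaded_apps)))
    if p.wifi_security in ("OPEN", "WEP"):
        # Open Wi-Fi is prohibited either way; an active VPN only lowers the exposure.
        sev = "medium" if p.vpn_active else "high"
        f.append(Finding("network", sev, f"{p.wifi_security} Wi-Fi (VPN active: {p.vpn_active})"))
    if p.personal_cloud_sync_enabled:
        f.append(Finding("data-handling", "medium", "personal cloud storage sync enabled"))
    return f


def decide(findings: List[Finding]) -> Action:
    """Any critical finding quarantines; any high finding restricts; medium is logged only."""
    severities = {x.severity for x in findings}
    if "critical" in severities:
        return Action.QUARANTINE
    if "high" in severities:
        return Action.RESTRICT
    return Action.ALLOW


def report(p: DevicePosture) -> str:
    """One-line summary suitable for a compliance log."""
    findings = evaluate(p)
    detail = "; ".join(f"{x.control}[{x.severity}]" for x in findings) or "no findings"
    return f"{p.device_id}: {decide(findings).value} ({detail})"


# Constructed sample device reports (not real devices).
SAMPLE_COMPLIANT = DevicePosture("dev-001", False, True, 6, True, True, vpn_active=True)
SAMPLE_ROOTED = DevicePosture("dev-002", True, True, 6, True, True,
                              sideloaded_apps=["com.example.unsigned-app"])
SAMPLE_OPEN_WIFI = DevicePosture("dev-003", False, True, 4, True, True,
                                 wifi_security="OPEN", personal_cloud_sync_enabled=True)

if __name__ == "__main__":
    for device in (SAMPLE_COMPLIANT, SAMPLE_ROOTED, SAMPLE_OPEN_WIFI):
        print(report(device))
```

In practice the posture report comes from the MDM agent and the resulting action is pushed back as an access-control decision (for example, revoking the device's VPN or email certificate on quarantine); the evaluation logic itself stays this simple, which is what makes it auditable against the written policy.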
Unless other sources are required, agencies should look to the following documents for guidance:
- NIST Special Publication 800-114, Revision 1, "User’s Guide to Telework and Bring Your Own Device (BYOD) Security"
- NIST Special Publication 800-124, Revision 1, "Guidelines for Managing the Security of Mobile Devices in the Enterprise"
- NIST Cybersecurity Practice Guide, Special Publication 1800-1, "Securing Electronic Health Records on Mobile Devices"