Security Standards For Mobile Devices
- This policy defines appropriate security measures that must be implemented on Mobile Devices that are used to access the data and resources residing at West Virginia University and its Health Sciences Center (HSC), University Health Associates (UHA), or WVU Physicians of Charleston (WVUPC).
- The very features that make mobile computing devices (cell phones, USB drives, laptop computers, etc.) useful (portability, access, connectivity, data storage, processing power) also present security risks to HSC/UHA/WVUPC data and technology resources. For example, they can be easily lost, stolen, or misplaced because of their small size. In addition, most Mobile Devices provide weak, if any, authentication mechanisms that can be easily compromised by others or simply disabled by the user.
- Unauthorized access to confidential information such as passwords or patient information could have significant legal consequences. Thus, it is critical that Mobile Devices be used with the same level of concern as exercised when dealing with other patient and confidential student and business materials.
- Encryption - If confidential, PHI, educational records protected by FERPA, business asset data, proprietary, or private information is stored on an iPhone/Smartphone/PDA, access controls and encryption must be employed. The end user is responsible for ensuring that the encryption software/hardware meets or exceeds 128-bit encryption standards or the current industry standard for encryption, and for notifying IT Services that the iPhone/Smartphone/PDA will be used for such functions. Additionally, wireless PDA and PDA Phone devices, including iPhone and Smartphone devices, require that the user be familiar with the different network options used by the device and conduct communication containing PHI or educational records protected by FERPA accordingly.
- All mobile devices with direct connections to the HSC Exchange system will require a password, auto-lock after 20 minutes of inactivity, and remote-wipe capability.
- This Mobile Devices policy applies to all personnel of WVU HSC who use Mobile Devices, including, but not limited to, full/part-time faculty and staff, physicians, medical staff, students, consultants, business associates, and volunteers. All individuals using Mobile Devices for HSC purposes must comply with this policy.
Security Standards For Mobile Devices – USAGE
- Keep Mobile Devices with you at all times or store them in a secured location when not in use. Do not leave your Mobile Devices unattended in public locations (e.g. airport lounges, meeting rooms, restaurants, etc.).
- Mobile Devices that are used to access HSC data and resources must be password protected. The password should block all access to the device until a valid password is entered.
- Guidance on creating strong passwords is found on the HSC Information Technology Services Website at http://www.hsc.wvu.edu/its/Administration/PoliciesProcedures/Default.aspx
- Mobile Device users shall not permit anyone else to use institutionally-owned Mobile Devices for any purpose.
- Mobile Device users will not install any software onto any institutionally-owned Mobile Device except as required for the applications supported by the Mobile Device.
- Users of institutionally-owned Mobile Devices will immediately report the loss, theft, or unauthorized use of their Mobile Device to the IT Help Desk at 304.293.3631 AND complete and submit the Computer Security Incident Reporting form at http://www.hsc.wvu.edu/its/Administration/PoliciesProcedures/Default.aspx.
- HSC data classified as confidential, student or patient information must be stored on and accessed from a secure network drive. Storing this type of data on a Mobile Device is strongly discouraged and only done if encrypted, with appropriate security functionality in place, and after HSC ITS has approved the request.
- HSC data classified as business limited, student data or protected health information must be encrypted when stored on a Mobile Device.
- I understand that any mobile device connecting to HSC systems, excluding https://exweb.hsc.wvu.edu or https://gwweb.hsc.wvu.edu access (whether it is a University Responsibility Account (URA) or Personal Responsibility Account (PRA) device), used to access data and resources residing at or belonging to West Virginia University Health Sciences Center must be cleared of such data prior to the employee’s departure from the organization. HSC IT Services must be informed of the employee’s departure and hereby has the authorization / responsibility to remove such data before the device is returned to the department or individual. Removal of this data will involve a backup of the device, the device being wiped clean of all data (business and personal), and a best effort device restore of personal data excluding all email messages previously stored on the device.
Security Standards For Mobile Devices – Additional Guidelines for Wireless Devices
- Wireless access to the Mobile Device should be disabled when not in use to prevent unauthorized wireless access to the device.
- In general, keep your wireless connection in hidden mode unless you specifically need to be visible to others.
- Wireless access should be configured to query the user for authentication and confirmation before connecting to HSC wireless networks.
Security Standards For Mobile Devices – Additional Guidelines for Laptop Computers and Tablet PCs
- All laptops must have current anti-virus software installed, as well as all current operating system and application patches.
- The laptop computer should be clearly marked with property or identification tags and the serial numbers should be recorded by the owner.
- When storing or working with HSC confidential or PHI data on laptop computers, encryption technology must be used.
Security Standards For Mobile Devices – Additional Guidelines for Cell Phones
- Cellular devices are not considered secure, as they traditionally do not contain options to increase their security. Despite lacking many safeguards, cellular devices today can contain many types of information such as phone numbers and contact information (perhaps contact information that should be kept confidential), email, calendaring functions, photographs, short notes or voice memos, etc.
Security Standards For Removable Media
- It is inappropriate for users to store any PHI or confidential information on removable storage media without prior approval and then only with the appropriate security functionality.
Security Standards For Mobile Devices – Additional Guidelines for Alpha Pagers
- Current WVU HSC / hospital alpha-numeric pagers are not capable of encryption and therefore should never be used to transmit confidential information or PHI.
Security Standards For Mobile Devices – Audits
- Mobile Device users must be mindful that in the course of institutional business use, Mobile Devices may be subject to third party audits, just like any other electronic device.