Use of tablet devices in NHS environments: Good Practice Guideline


Use of Tablet Devices in NHS environments: Good Practice Guidelines

Programme: NPFIT
Document Record ID Key:
Sub-Prog / Project: Technology Office
Prog. Director: Chris Wilber
Status: APPROVED
Owner: James Wood
Version: 1.0
Author: Dave Brown
Version Date: 19/12/2011

Crown Copyright 2011

Amendment History:

Version  Date      Amendment History
0.1      22/11/11  Draft for comment
0.2      22/11/11  Draft with amendments following comments
0.3      23/11/11  Draft with amendments following comments
0.4      24/11/11  Draft with amendments following comments
0.5      6/12/11   Draft with amendments following comments
1.0      19/12/11  Final version for distribution

Forecast Changes:

Anticipated Change  When
Annual Review       18/12/12

Reviewers: This document must be reviewed by the following:

Name  Signature  Title / Responsibility  Date  Version

Approvals: This document must be approved by the following:

Name          Signature  Title / Responsibility           Date  Version
James Wood               Head of Infrastructure Security
Chris Wilber             Director of Infrastructure

Distribution: NHS Connecting for Health Infrastructure Security Team Website http://nww.connectingforhealth.nhs.uk/infrasec/gpg

Document Status: This is a controlled document. Whilst this document may be printed, the electronic version maintained in FileCM is the controlled copy. Any printed copies of the document are not controlled.

Related Documents: These documents will provide additional information.

Ref no  Doc Reference Number / URL                                                    Title                                Version
1       NPFIT-SHR-QMS-PRP-0015                                                        Glossary of Terms Consolidated.doc   Latest
2       NPFIT-FNT-TO-IG-GPG-0033 (http://nww.connectingforhealth.nhs.uk/infrasec/gpg)  Glossary of Security Terms           Latest

Contents

- Amendment History
- Forecast Changes
- Reviewers
- Approvals
- Distribution
- Document Status
- Related Documents
- Background
- Purpose
- Audience
- Content
- Disclaimer
- Guidance
- Sensitive / Patient Data
- Physical loss / theft.
- Circumvention of built in OS controls
- Cloud services
- Malware threats
- Network Access Controls
- Consistent policy / control
- Audit logs
- Proliferation of devices

Background

The use of tablets in commercial organisations is increasing and there is pressure for NHS organisations to follow suit. These devices present a number of issues that are not necessarily found in more traditional technology solutions, including the use of personal devices to access sensitive data.

Purpose

The purpose of this document is to establish vendor and product independent guidelines that will support organisations wishing to enable the use of tablet devices within a health environment and minimise the risks associated with their use. It does not identify specific technical controls or solutions, nor does it endorse particular vendors or products.

Audience

This document assumes a general understanding of computing related terms. Further information on information security and related matters is available from the NHS Connecting for Health Infrastructure Security Team website: http://nww.connectingforhealth.nhs.uk/infrasec/

Content

The document provides guidance on the following areas:

- Sensitive / Patient Data
- Physical loss / theft.
- Ability to circumvent built in OS controls.
- Cloud services
- Malware threats
- Network Access Controls
- Inconstancy of policy / control
- Audit logs
- Proliferation of devices

Disclaimer

Reference to any specific commercial product, process or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by NHS Connecting for Health. The views and opinions of authors expressed within this document shall not be used for advertising or product endorsement purposes.

Any party relying on or using any information contained in this document and/or relying on or using any system implemented based upon information contained in this document should do so only after performing a risk assessment. It is important to note that a risk assessment is a prerequisite for the design of effective security countermeasures. A correctly completed risk assessment enables an NHS organisation to demonstrate that a methodical process has been undertaken which can adequately describe the rationale behind any decisions made. Risk assessments should include the potential impact to live services of implementing changes. This means that changes implemented following this guidance are done so at the implementer's risk. Misuse or inappropriate use of this information can only be the responsibility of the implementer.

Guidance

This Technical Security guidance provides NHS organisations with basic information and direction regarding the risks and issues associated with the use of tablet devices in a health environment. It is not intended to provide detailed implementation guidance or recommend specific technical solutions but to provide high level guidance on the principles that should be adopted when deploying tablet devices in health environments.

Sensitive / Patient Data

Tablet devices are inherently less secure than traditional IT equipment and not necessarily suitable for use with sensitive / patient identifiable data.

- Tablet devices should not be used to store sensitive / patient identifiable data.
- Where devices are used to access data remotely, measures should be put in place to ensure that any local temporary copies are properly erased after use.

Physical loss / theft.

Tablet devices are highly portable by design and thus present an attractive target for thieves. As well as the financial cost, the risk of loss of data may be higher with these devices than other portable solutions due to their desirability, ease of concealment and ease of access to device content once it has been stolen.

- All tablet devices must have strong encryption enabled by default, together with the use of strong passwords.
- Devices must be configured to allow for remote wiping or wiping after a number of failed password attempts.
- Consideration should be given to the use of built in GPS functionality to track the location of the device.
- Users should be required to ensure physical security of the device by keeping it at hand at all times, locking it away when not in use, and reporting loss or theft of the device immediately.

Circumvention of built in OS controls.

The bypassing of manufacturer and security controls that are implemented by default is referred to as Jailbreaking, and is a common activity. There are numerous tools freely available to allow devices to be unlocked and arbitrary software installed or stored data accessed.

- Where possible, installed applications should be capable of operating in their own secure space on the device (known as sandboxing) to ensure that any data remains encrypted in the event of the device being jailbroken or otherwise compromised.

Cloud services

Many tablet devices offer the ability to automatically back up their contents to Cloud services. Cloud services being enabled by default can result in sensitive data being uploaded to remote servers without the user being aware it has happened or sanctioning it. These servers may be anywhere in the world and may be out of the jurisdiction of the organisation responsible for that data.

- Unnecessary services should be removed or disabled prior to use and the ability to re-enable or reinstall them restricted or blocked completely.
- The ability to transfer data from the device to other networks or devices should be restricted to a whitelist of permitted destinations where it is possible to do so.
- Organisations should be aware that many of these devices rely on access to their related Cloud services to perform backups at all; an alternative means of backing up data on the devices may need to be identified.

Malware threats

Operating systems on tablet devices and smart phones are still evolving and distribution of updates and patches is not consistent. They are also designed to make it easy for users to obtain and install new applications on demand and as a result are a high profile target for malware.

- Tablet devices should not be deployed out of the box but should be configured with a standardised OS and firmware version together with current security updates before being placed into production.
- Personal devices must be configured to the minimum standard specified by the organisation before being permitted to connect to health systems or data.
- A standard application suite should be developed and wherever possible take advantage of features such as sandboxing and encryption to restrict access to the data on the device.
- The ability to install additional software should be removed or limited to a whitelist of approved applications.
- Organisations should consider the use of virtualisation services such as Citrix to ensure that no applications or data are stored on the device itself.
- Users should be given education and training material regarding the security of tablet devices prior to being issued with them.
- Automatic updates of OS versions should be disabled and updates applied only once they have been reviewed and tested by technical staff.

Network Access Controls

By their nature tablet devices are designed to be connected to networks or other devices, either via Wi-Fi, Bluetooth, or Mobile Phone networks. This connectivity presents multiple means by which the device may be compromised. As well as the device user, other parties may have access to the device with or without the user's knowledge. This includes mobile network carriers, manufacturers' support services and other users on shared wireless networks.

- Connections to Wi-Fi networks must be made via a secure authenticated connection using VPN to access health data and should be restricted to specific trusted networks.
- Where possible the ability to connect to Wi-Fi networks or devices other than those specifically identified should be restricted or removed.
- Unless specifically required, corporate devices should not be capable of accessing mobile phone networks, in order to reduce the risk of the delivery of malicious content via mobile messaging services and restrict the ability of malware to dial or SMS out without the user's knowledge.
- Unless specifically required, corporate devices should not have Bluetooth enabled, in order to prevent disclosure of information such as contact lists or compromise of the device through weaknesses in the Bluetooth software.
- Devices should be configured to ensure that inbound connection requests are prohibited or permitted only from a whitelist of known and trusted sources.
- Where available, anti-malware software, local or remote, should be implemented.

Consistent policy / control

Where there is a mix of personal and corporate devices in use, lack of consistent policy or control over tablet devices can result in sensitive data being copied to insecure devices or locations unless users accept the same levels of control over personal devices as are in place for corporate issue items.

- Where an organisation allows the use of personal devices for business purposes this should be supported by documented agreements with staff and technical security controls to protect information, with the aim of ensuring critical and sensitive information handled on personal devices receives the same level of protection as that provided by corporate-owned equipment.

Audit logs

Tablet devices do not readily support the generation of audit logs for user or system activity or the transmission of those logs to auditing applications.

- Where there is a requirement to track activity in relation to datasets or applications, organisations should consider the use of centralized auditing systems and the means of retrieval of audit data from remote devices.

Proliferation of devices

While small numbers of devices may be manageable without specific supporting infrastructure or resources, larger volumes of devices become increasingly difficult to manage consistently across an organisation.

- Organisations should consider the implementation of Mobile Device Management (MDM) solutions to provide central management of policy, device profiles, configuration and access controls.
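
The device settings this guideline asks for can be checked centrally against an inventory export. The following is an added example, not part of the original guideline: it applies one rule set to corporate and personal devices alike, separates the guideline's "must" items from its "should" items, and treats a setting the device does not report as a failure. The record fields, OS build strings and network names are hypothetical.

```python
# Constructed sample values; an organisation would substitute its own.
APPROVED_OS = {"tabletos-5.0.1"}      # builds reviewed and tested by technical staff
TRUSTED_SSIDS = {"TRUST-CLINICAL"}    # Wi-Fi networks devices may join

# (rule name, guideline wording, check). "must" blocks access, "should" is advisory.
RULES = [
    ("encryption", "must", lambda d: d["storage_encrypted"] is True),
    ("strong_passcode", "must", lambda d: d["passcode_strong"] is True),
    # Either remote wipe or wipe after failed password attempts satisfies this rule.
    ("wipe", "must", lambda d: bool(d.get("remote_wipe"))
        or d.get("wipe_after_failed_attempts", 0) > 0),
    ("wifi_vpn", "must", lambda d: d["vpn_for_health_data"] is True),
    ("os_build", "should", lambda d: d["os_build"] in APPROVED_OS),
    ("cloud_backup_off", "should", lambda d: d["cloud_backup"] is False),
    ("auto_update_off", "should", lambda d: d["auto_os_update"] is False),
    ("bluetooth_off", "should", lambda d: d["bluetooth"] is False),
    ("wifi_allowlist", "should", lambda d: set(d["wifi_profiles"]) <= TRUSTED_SSIDS),
]

def evaluate(device):
    """Return failed rule names grouped by severity for one inventory record."""
    failed = {"must": [], "should": []}
    for name, severity, check in RULES:
        try:
            ok = check(device)
        except KeyError:
            ok = False  # setting not reported by the device: treat as a failure
        if not ok:
            failed[severity].append(name)
    return failed

def may_connect(device):
    """A device may reach health systems only with no outstanding 'must' failures."""
    return not evaluate(device)["must"]

# Constructed inventory records (hypothetical field names).
DEVICES = [
    {"id": "corp-001", "owner": "corporate", "storage_encrypted": True,
     "passcode_strong": True, "remote_wipe": True, "vpn_for_health_data": True,
     "os_build": "tabletos-5.0.1", "cloud_backup": False, "auto_os_update": False,
     "bluetooth": False, "wifi_profiles": ["TRUST-CLINICAL"]},
    {"id": "byod-017", "owner": "personal", "storage_encrypted": True,
     "passcode_strong": True, "remote_wipe": False, "wipe_after_failed_attempts": 10,
     "vpn_for_health_data": True, "os_build": "tabletos-5.1.0", "cloud_backup": True,
     "auto_os_update": True, "bluetooth": True,
     "wifi_profiles": ["TRUST-CLINICAL", "HomeWiFi"]},
    # Partial report: encryption and VPN state unknown, so access is refused.
    {"id": "byod-022", "owner": "personal", "passcode_strong": True, "remote_wipe": True},
]

if __name__ == "__main__":
    for dev in DEVICES:
        print(dev["id"], "connect" if may_connect(dev) else "blocked", evaluate(dev))
```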