Use of Tablet Devices in NHS environments: Good Practice Guidelines

Programme: NPFIT
Document Record ID Key:
Sub-Prog / Project: Technology Office
Prog. Director: Chris Wilber
Status: APPROVED
Owner: James Wood
Version: 1.0
Author: Dave Brown
Version Date: 19/12/2011

Use of tablet devices in NHS environments: Good Practice Guideline
Crown Copyright 2011
Amendment History:
Version  Date      Amendment History
0.1      22/11/11  Draft for comment
0.2      22/11/11  Draft with amendments following comments
0.3      23/11/11  Draft with amendments following comments
0.4      24/11/11  Draft with amendments following comments
0.5      6/12/11   Draft with amendments following comments
1.0      19/12/11  Final version for distribution

Forecast Changes:
Anticipated Change  When
Annual Review       18/12/12

Reviewers:
This document must be reviewed by the following:
Name  Signature  Title / Responsibility  Date  Version

Approvals:
This document must be approved by the following:
Name          Signature  Title / Responsibility           Date  Version
James Wood               Head of Infrastructure Security
Chris Wilber             Director of Infrastructure
Distribution:
NHS Connecting for Health Infrastructure Security Team Website: http://nww.connectingforhealth.nhs.uk/infrasec/gpg

Document Status:
This is a controlled document. Whilst this document may be printed, the electronic version maintained in FileCM is the controlled copy. Any printed copies of the document are not controlled.

Related Documents:
These documents will provide additional information.
Ref no  Doc Reference Number / URL                Title                                                                          Version
1       NPFIT-SHR-QMS-PRP-0015                    Glossary of Terms Consolidated.doc                                             Latest
2       NPFIT-FNT-TO-IG-GPG-0033                  Glossary of Security Terms (http://nww.connectingforhealth.nhs.uk/infrasec/gpg)  Latest
Contents
Amendment History ... 2
Forecast Changes ... 2
Reviewers ... 2
Approvals ... 2
Distribution ... 3
Document Status ... 3
Related Documents ... 3
Background ... 5
Purpose ... 5
Audience ... 5
Content ... 5
Disclaimer ... 5
Guidance ... 6
Sensitive / Patient Data ... 6
Physical loss / theft ... 6
Circumvention of built-in OS controls ... 7
Cloud services ... 7
Malware threats ... 7
Network Access Controls ... 8
Consistent policy / control ... 8
Audit logs ... 9
Proliferation of devices ... 9
Background
The use of tablets in commercial organisations is increasing and there is pressure on NHS organisations to follow suit. These devices present a number of issues that are not necessarily found in more traditional technology solutions, including the use of personal devices to access sensitive data.

Purpose
The purpose of this document is to establish vendor- and product-independent guidelines that will support organisations wishing to enable the use of tablet devices within a health environment and minimise the risks associated with their use. It does not identify specific technical controls or solutions, nor does it endorse particular vendors or products.

Audience
This document assumes a general understanding of computing-related terms. Further information on information security and related matters is available from the NHS Connecting for Health Infrastructure Security Team website: http://nww.connectingforhealth.nhs.uk/infrasec/

Content
The document provides guidance on the following areas:
- Sensitive / patient data
- Physical loss / theft
- Ability to circumvent built-in OS controls
- Cloud services
- Malware threats
- Network access controls
- Consistency of policy / control
- Audit logs
- Proliferation of devices

Disclaimer
Reference to any specific commercial product, process or service by trade name, trademark, manufacturer, or otherwise does not constitute or imply its endorsement, recommendation, or favouring by NHS Connecting for Health. The views and opinions of authors expressed within this document shall not be used for advertising or product endorsement purposes.

Any party relying on or using any information contained in this document, and/or relying on or using any system implemented based upon information contained in this document, should do so only after performing a risk assessment. It is important to note that a risk assessment is a prerequisite for the design of effective security countermeasures. A correctly completed risk assessment enables an NHS organisation to demonstrate that a methodical process has been undertaken which can adequately describe the rationale behind any decisions made. Risk assessments should include the potential impact to live services of implementing changes. This means that changes implemented following this guidance are made at the implementer's risk. Misuse or inappropriate use of this information can only be the responsibility of the implementer.

Guidance
This Technical Security guidance provides NHS organisations with basic information and direction regarding the risks and issues associated with the use of tablet devices in a health environment. It is not intended to provide detailed implementation guidance or to recommend specific technical solutions, but to provide high-level guidance on the principles that should be adopted when deploying tablet devices in health environments.

Sensitive / Patient Data
Tablet devices are inherently less secure than traditional IT equipment and are not necessarily suitable for use with sensitive / patient-identifiable data. Tablet devices should not be used to store sensitive / patient-identifiable data. Where devices are used to access data remotely, measures should be put in place to ensure that any local temporary copies (including application caches and browser history) are properly erased after use.

Physical loss / theft
Tablet devices are highly portable by design and thus present an attractive target for thieves. As well as the financial cost, the risk of loss of data may be higher with these devices than with other portable solutions, due to their desirability, ease of concealment and the ease of access to device content once it has been stolen.
- All tablet devices must have strong encryption enabled by default, together with the use of strong passwords.
- Devices must be configured to allow for remote wiping, and for wiping after a set number of failed password attempts.
- Consideration should be given to the use of built-in GPS functionality to track the location of the device.
- Users should be required to ensure the physical security of the device by keeping it at hand at all times, locking it away when not in use, and reporting loss or theft of the device immediately.
Circumvention of built-in OS controls
The bypassing of manufacturer and security controls that are implemented by default is referred to as jailbreaking (or rooting), and is a common activity. There are numerous tools freely available that allow devices to be unlocked so that arbitrary software can be installed or stored data accessed. Where possible, installed applications should operate in their own secure space on the device (known as sandboxing) and should encrypt their own data with keys that cannot be recovered without the user's credentials, so that the data remains protected in the event of the device being jailbroken or otherwise compromised. Sandboxing on its own is an OS control and can be bypassed once the OS has been subverted, so organisations should also detect jailbroken or rooted devices (for example through a device management compliance check) and deny them access to health systems.

Cloud services
Many tablet devices offer the ability to automatically back up their contents to cloud services. Where cloud services are enabled by default, sensitive data can be uploaded to remote servers without the user being aware that it has happened or having sanctioned it. These servers may be anywhere in the world and may be outside the jurisdiction of the organisation responsible for that data. Unnecessary services should be removed or disabled prior to use, and the ability to re-enable or reinstall them should be restricted or blocked completely. The ability to transfer data from the device to other networks or devices should be restricted to a whitelist of permitted destinations where it is possible to do so. Organisations should be aware that many of these devices rely on access to their related cloud services to perform backups at all; an alternative means of backing up data on the devices may therefore need to be identified.

Malware threats
Operating systems on tablet devices and smartphones are still evolving, and the distribution of updates and patches is not consistent. They are also designed to make it easy for users to obtain and install new applications on demand, and as a result are a high-profile target for malware. Tablet devices should not be deployed out of the box, but should be configured with a standardised OS and firmware version together with current security updates before being placed into production.
Personal devices must be configured to the minimum standard specified by the organisation before being permitted to connect to health systems or data. A standard application suite should be developed that, wherever possible, takes advantage of features such as sandboxing and encryption to restrict access to the data on the device. The ability to install additional software should be removed or limited to a whitelist of approved applications. Organisations should consider the use of virtualisation services such as Citrix to ensure that no applications or data are stored on the device itself. Users should be given education and training material regarding the security of tablet devices prior to being issued with them.
Automatic updates of OS versions should be disabled and updates applied only once they have been reviewed and tested by technical staff. The review period should be kept short, since a device left on a version with a known vulnerability is itself a risk; security updates in particular should be expedited through testing.

Network Access Controls
By their nature tablet devices are designed to be connected to networks or other devices, via Wi-Fi, Bluetooth or mobile phone networks. This connectivity presents multiple means by which the device may be compromised. As well as the device user, other parties may have access to the device with or without the user's knowledge. This includes mobile network carriers, manufacturers' support services and other users on shared wireless networks.

- Access to health data over Wi-Fi must be made through an authenticated, encrypted connection (such as a VPN), and the networks the device may join should be restricted to specific trusted networks. Where possible, the ability to connect to Wi-Fi networks or devices other than those specifically identified should be restricted or removed.
- Unless specifically required, corporate devices should not be capable of accessing mobile phone networks, in order to reduce the risk of malicious content being delivered via mobile messaging services and to restrict the ability of malware to dial or send SMS without the user's knowledge.
- Unless specifically required, corporate devices should not have Bluetooth enabled, in order to prevent disclosure of information such as contact lists or compromise of the device through weaknesses in the Bluetooth software.
- Devices should be configured so that inbound connection requests are prohibited, or permitted only from a whitelist of known and trusted sources.
- Where available, anti-malware software, local or remote, should be implemented.

Consistent policy / control
Where there is a mix of personal and corporate devices in use, a lack of consistent policy or control over tablet devices can result in sensitive data being copied to insecure devices or locations, unless users accept the same levels of control over personal devices as are in place for corporate-issue items.
Where an organisation allows the use of personal devices for business purposes, this should be supported by documented agreements with staff and by technical security controls to protect information, with the aim of ensuring that critical and sensitive information handled on personal devices receives the same level of protection as that provided by corporate-owned equipment.

Audit logs
Tablet devices do not readily support the generation of audit logs for user or system activity, or the transmission of those logs to auditing applications. Where there is a requirement to track activity in relation to datasets or applications, organisations should consider the use of centralised auditing systems (for example, logging access at the server or virtualisation gateway rather than on the device) and the means of retrieval of audit data from remote devices.

Proliferation of devices
While small numbers of devices may be manageable without specific supporting infrastructure or resources, larger volumes of devices become increasingly difficult to manage consistently across an organisation. Organisations should consider the implementation of Mobile Device Management (MDM) solutions to provide central management of policy, device profiles, configuration and access controls.
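The guideline requires that a device meet the organisation's minimum standard before it is permitted to connect (Malware threats) and that connectivity be limited to trusted networks and approved software (Network Access Controls). The following is an added worked example, not part of the NHS guideline or of any NHS or MDM product, of how those requirements can be expressed as a single posture check that an access gateway or MDM compliance rule would run. It consolidates controls from several sections above (encryption, passcode, wipe-on-failure, remote wipe, jailbreak status, cloud backup, Bluetooth, application whitelist, trusted Wi-Fi, approved OS version). The posture field names, the policy values and the two sample devices are assumptions constructed for illustration; a real deployment would populate them from its own MDM and its own risk assessment.

```python
"""Posture check that gates a tablet's access to health systems.

Added example, not part of the NHS guideline. Field names, policy values and
sample devices are assumed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.1.1' into (5, 1, 1) so versions compare numerically, not as strings
    (a string comparison would wrongly rank '4.10' below '4.9')."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class MinimumStandard:
    """Organisation-defined baseline (assumed values, set in STANDARD below)."""
    min_os: Dict[str, str]            # platform -> lowest approved OS version
    min_passcode_length: int
    max_failed_attempts: int          # device must wipe at or below this count
    allowed_apps: FrozenSet[str]      # whitelist of approved applications
    trusted_ssids: FrozenSet[str]     # Wi-Fi networks the device may use


@dataclass(frozen=True)
class DevicePosture:
    """What a device management agent reports about one device (assumed fields)."""
    device_id: str
    platform: str
    os_version: str
    encrypted: bool
    passcode_length: int              # 0 means no passcode set
    wipe_after_failed: Optional[int]  # None means wipe-on-failure is disabled
    remote_wipe_enrolled: bool
    jailbroken: bool
    cloud_backup_enabled: bool
    bluetooth_enabled: bool
    installed_apps: FrozenSet[str]
    connected_ssid: Optional[str]     # None when not on Wi-Fi


def evaluate(posture: DevicePosture, standard: MinimumStandard) -> List[str]:
    """Return every way the device falls short of the standard (empty list = compliant).
    All checks run, so the log shows the full set of failures, not just the first."""
    failures: List[str] = []
    baseline = standard.min_os.get(posture.platform)
    if baseline is None:
        failures.append(f"platform not approved: {posture.platform}")
    elif parse_version(posture.os_version) < parse_version(baseline):
        failures.append(f"OS {posture.os_version} below approved {baseline}")
    if not posture.encrypted:
        failures.append("storage encryption disabled")
    if posture.passcode_length < standard.min_passcode_length:
        failures.append("passcode missing or too short")
    if posture.wipe_after_failed is None or posture.wipe_after_failed > standard.max_failed_attempts:
        failures.append("wipe after failed attempts disabled or threshold too high")
    if not posture.remote_wipe_enrolled:
        failures.append("remote wipe not enrolled")
    if posture.jailbroken:
        failures.append("device jailbroken")
    if posture.cloud_backup_enabled:
        failures.append("cloud backup enabled")
    if posture.bluetooth_enabled:
        failures.append("Bluetooth enabled")
    unapproved = sorted(posture.installed_apps - standard.allowed_apps)
    if unapproved:
        failures.append("unapproved apps: " + ", ".join(unapproved))
    if posture.connected_ssid is not None and posture.connected_ssid not in standard.trusted_ssids:
        failures.append(f"untrusted Wi-Fi network: {posture.connected_ssid}")
    return failures


def access_decision(posture: DevicePosture, standard: MinimumStandard) -> Tuple[str, List[str]]:
    """'allow' only when nothing fails; otherwise 'deny' plus the reasons to record in the audit log."""
    failures = evaluate(posture, standard)
    return ("allow" if not failures else "deny", failures)


# Constructed sample policy and devices (assumed values, not from any real estate).
STANDARD = MinimumStandard(
    min_os={"ios": "5.0.1", "android": "4.0"},
    min_passcode_length=8,
    max_failed_attempts=10,
    allowed_apps=frozenset({"clinical-viewer", "secure-mail", "mdm-agent"}),
    trusted_ssids=frozenset({"nhs-trust-staff"}),
)
COMPLIANT = DevicePosture("TAB-0001", "ios", "5.1", True, 8, 10, True, False, False, False,
                          frozenset({"clinical-viewer", "mdm-agent"}), "nhs-trust-staff")
NONCOMPLIANT = DevicePosture("TAB-0002", "ios", "4.3.5", True, 4, None, True, True, True, False,
                             frozenset({"clinical-viewer", "photo-share"}), "cafe-free-wifi")

if __name__ == "__main__":
    for device in (COMPLIANT, NONCOMPLIANT):
        decision, reasons = access_decision(device, STANDARD)
        print(device.device_id, decision, *reasons, sep="\n  ")
```

The check returns every failing control rather than stopping at the first, so the denial reason written to the central audit log tells the support desk exactly what to fix. A personal device that passes is treated no differently from a corporate one, which is the consistency of control the guideline asks for.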