HC3 Checklist Helps Healthcare Sector Ensure Mobile Device Security

March 24, 2023 - The Health Sector Cybersecurity Coordination Center (HC3) released a mobile device security checklist, containing important considerations for using mobile devices in a healthcare setting.

“Mobile devices are prevalent in the health sector, and due to their storage and processing of private health information (PHI) as well as other sensitive data, these devices can be a critical part of healthcare operations,” HC3 explained.

“As such, their data and functionality must be protected. This document represents a basic checklist of recommended items for health sector mobile devices to maintain security, including data in motion and at rest, as well as the capabilities of the device itself.”

The simple checklist may serve as a refresher for healthcare organizations that manage mobile devices. HC3 stressed the importance of multi-factor authentication (MFA), end-to-end encryption, and regular device and application updates.

In addition, the checklist urges organizations to consider physical security, configuration management, data backups, and cloud storage.

“Data redundancy should be in practice for all sensitive information. HHS recommends the 3-2-1 rule for any healthcare organization as a data backup strategy,” HC3 noted.

“This applies to the most sensitive healthcare data, and requires that at least three copies of the data are maintained, stored on two different mediums, with at least one copy stored offline.”

HC3 also encouraged limiting connectivity and leveraging VPNs, reducing the number of applications deployed to each device to shrink the attack surface, and implementing endpoint security software and configuration management processes.

This checklist is the latest piece of guidance added to the ever-growing library of free security resources available to healthcare organizations and other critical infrastructure entities. For example, the Cybersecurity and Infrastructure Security Agency (CISA) recently launched its Ransomware Vulnerability Warning Pilot (RVWP), aimed at helping critical infrastructure entities proactively contain vulnerabilities.

Through the RVWP, CISA will leverage its internal resources to identify vulnerable systems and notify system owners by phone or email, allowing them to get ahead of the latest cyber threats.

“Notifications will contain key information regarding the vulnerable system, such as the manufacturer and model of the device, the IP address in use, how CISA detected the vulnerability, and guidance on how the vulnerability should be mitigated,” CISA stated.

In other news, CISA also recently launched its Untitled Goose Tool, which was created to help network defenders identify malicious activity in Microsoft Azure, Azure Active Directory (AAD), and Microsoft 365 (M365) environments.

There is no shortage of free resources available to healthcare organizations looking to level-up their threat detection capabilities and improve their security postures. However, as mentioned during a recent hearing Senate Homeland and Governmental Affairs Committee hearing focused on healthcare cybersecurity, many healthcare organizations do not have enough resources available to dedicate to security.

In front of the Senate panel, experts championed additional government support to help healthcare organizations manage security risks.