Require Full Disk Encryption For Mobile

Silect.Security.Conformance.Monitor.RequireFullDiskEncryptionForMobile (UnitMonitor)

Whether full disk encryption is required for mobile devices

Knowledge Base article:

Summary

Things to Consider to Help Answer the Question:

Consider the policies that your practice has in place that define the appropriate use and performance specifications for its workstations that have access to or process ePHI. Be sure to include all types of workstations, such as medical devices or diagnostic screening tools.

Possible Threats and Vulnerabilities:

Workforce members, business associates, service providers, and the general public may not be aware of how to use devices appropriately if your practice does not implement policy and procedures that define the expectations.

Some potential impacts include:

- Human threats, such as an unauthorized user or untrained user who can vandalize or compromise the confidentiality, integrity, and availability of ePHI. Unauthorized disclosure, loss, or theft of ePHI can lead to identity theft.

Examples of Safeguards:

Some potential safeguards to use against possible threats/vulnerabilities. NOTE: The safeguards you may choose will depend on the degree of risk (likelihood) and the potential harm that the threat/vulnerability poses to you and the individuals who are the subjects of the ePHI.

Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or electronic device that can access ePHI (such as laptops, printers, copiers, tablets, smart phones, monitors, and other devices).

[45 CFR §164.310(b)]

Develop policies and procedures to enforce access control policies that define the acceptable use of information systems, workstations, and other electronic devices that contain ePHI (such as laptops, printers, copiers, tablets, smart phones, monitors, and other devices).

[NIST SP 800-53 AC-3]

Configuration

In order to be considered compliant, mobile devices must have BitLocker enabled for local or removable disks (excluding floppy disks).

Element properties:

Target: Silect.Security.Conformance.Computer
Parent Monitor: Silect.Security.Conformance.Summary.Aggregate.Configuration
Category: ConfigurationHealth
Enabled: True
Alert Generate: False
Alert Auto Resolve: False
Monitor Type: Silect.Security.Conformance.Strings.Are.Equal
Remotable: True
Accessibility: Public
RunAs: Default

Source Code:

<UnitMonitor ID="Silect.Security.Conformance.Monitor.RequireFullDiskEncryptionForMobile" Accessibility="Public" Enabled="true" Target="Silect.Security.Conformance.Computer" ParentMonitorID="Silect.Security.Conformance.Summary.Aggregate.Configuration" Remotable="true" Priority="Normal" TypeID="Silect.Security.Conformance.Strings.Are.Equal" ConfirmDelivery="false">
  <Category>ConfigurationHealth</Category>
  <OperationalStates>
    <OperationalState ID="Success" MonitorTypeStateID="StringsAreEqual" HealthState="Success"/>
    <OperationalState ID="Error" MonitorTypeStateID="StringsAreNotEqual" HealthState="Warning"/>
  </OperationalStates>
  <Configuration>
    <StringOne>$Target/Property[Type="Silect.Security.Conformance.Computer"]/RequireFullDiskEncryptionForMobileCompliant$</StringOne>
    <StringTwo>True</StringTwo>
  </Configuration>
</UnitMonitor>