Guidance on Securing Corporate-Owned Personally Enabled Devices in Healthcare

and transmit patient information. They ensure healthcare professionals are always contactable and can quickly access essential information. While the devices can help healthcare organizations improve efficiency and lower costs, they carry unique risks that must be addressed and reduced to a reasonable and acceptable level.

To help healthcare organizations address common vulnerabilities and improve mobile device security, the National Cybersecurity Center of Excellence (NCCoE) has issued the first of two new mobile device security guidance documents. The first release covers corporate-owned personally enabled (COPE) mobile devices. A companion guidance document on securing personally owned mobile devices used in healthcare Bring Your Own Device (BYOD) schemes will be released at a later date.

Poor management of mobile devices can result in vulnerabilities going undetected, which increases the risk of a cyberattack and data breach. The new guidance document – NIST Special Publication 1800-21 Mobile Device Security Corporate-Owned Personally-Enabled (COPE) – has been written to help organizations identify risks, effectively manage vulnerabilities, and improve mobile device security to reduce the risk of a data breach, data loss, malware infection, and unauthorized access to system resources.

The guidance was developed by NIST and technology partners Palo Alto Networks, Qualcomm, MobileIron, Appthority, Kryptowire, and Lookout, and covers Android and Apple iOS devices. The guidance includes best practices; the correct approach, architecture, and security characteristics; several how-to guides; and an example solution that uses commercially available mobile management tools to improve visibility into the mobile devices that connect to the network and their security status.

The draft guidance is available from the NCCoE website, and comments are being accepted until September 23, 2019.