New Guidance on Mobile Device Security: The New Standard of Care? HIPAA & HITECH Act Blog by Jonathan P. Tomes

The National Cybersecurity Center of Excellence (“NCCoE”), in conjunction with the National Institute of Standards and Technology (“NIST”), has released its final guidance on mobile device security. As I have discussed in my recent blog posts on the Internet of Medical Things (“IoMT”), mobile health care devices are becoming more and more ubiquitous and extend well beyond cell phones and pacemakers.

Consequently, the risks of loss, theft, or unauthorized access to these many devices have increased greatly, as have the civil money penalties (“CMPs”) imposed by the Department of Health and Human Services (“DHHS”) and other penalties imposed by state and federal agencies and the court system. Further, little doubt exists that compromised mobile devices are the cause of many, if not most, of the CMPs to date, often in the seven-figure range. For example, the University of Texas M.D. Anderson Cancer Center incurred a $4,348,000 CMP for the theft of an unencrypted laptop and the loss of two unencrypted USB thumb drives.

Although HIPAA does not expressly require use of NCCoE guidance, DHHS has cited NIST publications several times, noting that covered entities and business associates would find good guidance therein. Thus, using this guidance would go a long way towards satisfying the HIPAA risk analysis and risk management standards. DHHS would have a hard time saying that you had committed willful neglect, the highest bracket of CMPs, if you had followed NIST and NCCoE guidance as applicable to your situation.

Even though the guide is not specific to health care organizations, its guidance is certainly applicable to such entities. It demonstrates how security can be supported throughout the mobile device life cycle. This cycle includes how to configure a device to be trusted by the organization, how to maintain adequate separation between the organization’s data and the employee’s personal data stored on or accessed from the mobile device, and how to handle de-provisioning a mobile device that should no longer have enterprise access, such as when the device is lost or stolen or the employee leaves the company. This guide does the following:

  • Identifies the security characteristics needed to sufficiently reduce the risks from mobile devices storing or accessing sensitive enterprise data.
  • Maps security characteristics to standards and best practices from NIST and other organizations.
  • Describes two detailed example solutions, along with instructions for implementers and security engineers on installing, configuring, and integrating the solutions into existing information technology infrastructures.
  • Selects mobile devices and enterprise mobility management systems that meet the identified security characteristics.
  • Provides example solutions that are suitable for organizations of all sizes and evaluates those solutions.

The guidance is available at

Alice here: Yes, once again, I am here to try to sell things to keep you and us in business. If you need help with your risk analysis, either initially or for an update, Jon Tomes has written a Risk Analysis ToolKit to provide the structure and tools to help you complete the requirement under HIPAA. You and your risk analysis team can fill it out and document your decisions as to what is reasonable and appropriate for you to adopt in the way of policies and procedures and be done with it. Or you could send your completed risk analysis to Jon to review and render his professional opinion as the country’s leading HIPAA expert (IMO) as to whether it is sufficient to keep you from getting that free trip to Leavenworth or that very expensive trip to the bank. If you have Jon’s Compliance Guide to HIPAA and the DHHS Regulations, 6th edition, with the accompanying HIPAA Documents Resources Center CD, also 6th edition, you can find the Risk Analysis ToolKit on the CD. It is also available with a review by Jon at Also, Jon Tomes presented a webinar recently on “How to Do a HIPAA and HITECH Risk Analysis.” You can buy a recording of it at Jon is also writing a Risk Analysis Update ToolKit, which will be available for you in the near future on our Premium Member section of our website. Please stay tuned for our announcement when it is up and running for you there. Make sure that you include every mobile device security issue in your initial risk analysis or update thereof.

If you need guidance on how to draft the policies and procedures that your risk analysis or your newly updated risk analysis has shown are reasonable and appropriate for your organization, Jon has also written The Complete HIPAA Policies and Procedures Guide, with the accompanying CD of several dozen HIPAA policies and procedures templates for you to adapt to your situation.

Make sure that you train your entire workforce on HIPAA in general and on the HIPAA policies and procedures according to who needs to know what to perform their duties for you. If you need handy HIPAA training in general, consider Jon’s training video and training manual in either of two forms available here: or Or you could hire Jon to present HIPAA training onsite to your workforce. Just contact him at or 816-527-3858.

Keep your written documentation of all of these HIPAA compliance efforts where you can find them easily and quickly if DHHS shows up demanding your HIPAA compliance documentation. We recommend keeping all of it in Your Happy HIPAA Book. Jon included tabs in the three-ring binder for everything that you need to document and a checklist for each tab. I recommend adding the date that you check off each item in each checklist.

If you have had a security incident that you were unsure as to what exactly to do about, or if you are concerned that you may have one, consider reading Jon’s book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know.

As always, thanks for reading Jon’s blog, buying his books and other HIPAA compliance tools, attending our seminars and webinars, and hiring Jon for HIPAA consulting and training. We wish you every success with your HIPAA compliance efforts.

On February 27th, 2019, posted in: HIPAA Compliance Blog