Mobile devices and/or media are any devices/media that are easy to carry around and store or transmit data electronically including, but not limited to: laptops; iPhones, Android phones, BlackBerries and other smart phones; iPads and other tablets; USB drives; external hard drives; digital cameras; SD cards and other flash media; voice recording devices; PDAs; and CD/DVDs.
Yes if there is a compelling patient care, business or academic need. However whenever possible, you should store RI on a network file share or remove RI from files before storing to mobile devices. Contact your IT support group for more information on using network file shares. The UCLA-owned device must be encrypted. Contact your IT support group for help with encrypting your device.
AES 128-bit or better encryption must be used for encryption of Restricted Information on mobile devices or removable media. Complex passwords or passphrases should be used. Please contact your IT support group for help with encryption.
When viewing RI on your mobile device, be sure that it is not visible to others. Keep careful track of your mobile devices and removable media and do not allow unauthorized access to the devices/media. Don’t leave laptops or bags containing laptops, USB drives or paper PHI unattended. We’ve heard of devices and documents going missing from planes, trains, cars, airports, cafeterias, bus stops, offices and homes.
You can contact your IT Support group to arrange for secure disposal. Confidential information may remain on hard drives in computers, laptops and multifunction printers as well as on smart phones and other electronic drives after they are retired. Do NOT throw them out or recycle them, or you risk exposure of PHI or other confidential information.
If your mobile device or removable media is lost or stolen, or you have any reason to believe the UCLA RI on your mobile device or removable media may have been compromised, you must immediately notify your Department Administrator and the Office of Compliance Services - Privacy and Information Security (PrivacyInfoSec@mednet.ucla.edu).
No, UCLA RI may not be stored on most personally owned devices. This restriction does not apply to receiving email on your cell phone or smart phone as long as a passcode is set and the passcode is not shared. Additionally, if the device can support encryption, encryption must be enabled.
Whenever possible, store UCLA RI on a network file share or remove RI from files before storing to mobile devices. Please contact your IT support group if you need help with access to a network file share.
When viewing RI on your mobile device, be sure that it is not visible to others.
Keep careful track of your mobile devices and removable media and do not allow unauthorized access to the smart phone.
Don’t leave your smart phone unattended. We’ve heard of devices going missing from planes, trains, cars, airports, cafeterias, bus stops, offices and homes.
If your personally owned smart phone is lost or stolen and it contains UCLA RI stored in email, or if you have any reason to believe that the UCLA RI on your smart phone has been compromised, you must immediately notify your Department Administrator and the Privacy and Information Security Offices (PrivacyInfoSec@mednet.ucla.edu).
No. The only allowed method for accessing emails that contain UCLA RI from personally owned devices is using the Mednet or JSEI web mail sites. You may not use Outlook, Apple Mail, ActiveSync, POP or IMAP on personally owned devices to read/send emails that contain UCLA RI unless you have demonstrated a compelling patient care, academic or business need and you have been granted an exception to the general policy.
Yes. However, please remember that many applications create temporary copies of files on the host computer that may not always be deleted after the application closes and should be manually cleaned up on a periodic basis.
No. Full face pictures or any pictures or clinical images that contain patient identifiers may not be stored on a personally owned device unless you have demonstrated a compelling patient care, academic or business need and you have been granted an exception to the general policy.
Yes, all UCLA-owned laptops in the UCLA Health System and DGSOM, whether purchased through a Department, an academic book fund or via a grant, must be encrypted. UCLA Restricted Information should not be stored on personally-owned devices such as laptops unless an exception has been granted for you to do so. For more information over laptop encryption, please see the Device Security FAQs.
You can mouse over the fat yellow lock icon (usually found at the bottom of your screen) to check that your laptop is encrypted. Check Point encryption should be installed on all MITS-supported laptops. It uses the standard Windows login screens so it may not be obvious that encryption is installed.
PGP Whole Drive Encryption should be installed on all other UCLA-owned laptops. On boot up, the PGP BootGuard login screen will come up, so it is easy to tell when PGP laptop encryption is used.
Learn about how to set a passcode for your Apple devices here: http://support.apple.com/kb/HT4113. Remember that only the settings of requiring passcode “After 15 minutes” or less of inactivity are compliant with policy. Disabling simple passcode will allow you to set a longer passcode with numbers, mixed upper and lower case letters, and special characters.
You can set auto-lock which will turns off the display after a preset period of inactivity. Set this at Settings -> General -> Auto-Lock. You can specify the amount of time the screen must be locked before requiring a passcode (should be 15 minutes or less). Set this at Settings -> General -> Passcode Lock
Remote wipe allows you to securely delete files on your lost or stolen phone or tablet by sending a wipe command to the device.
Apple users can set up Find My iPhone by selecting Settings > iCloud > Find My iPhone and moving the slider to On. You will need an Apple ID and iCloud account. (Remember, UCLA information should never be stored in iCloud.)
Encryption should be supported for Android OS 3.0 (Honeycomb) and later.
To encrypt your Android phone, touch the Settings icon from a Home or All Apps screen, then go to Personal > Security > Encryption > Encrypt phone. Select Encrypt phone, then enter your lock screen PIN or password and touch Continue. Select Encrypt phone again and the encryption process will start.
To encrypt your Android tablet, go to Settings > Personal > Security > Encryption > Encrypt table. Select Encrypt tablet, then enter your lock screen PIN or password and touch Continue. Select Encrypt tablet again and the encryption process will start.
On your device go to Settings > Location & Security Settings > “choose your locking option” (menu items may vary slightly depending on model). Remember that only the settings of requiring passcode “After 15 minutes” or less of inactivity are compliant with policy. Set your screen timeout on your device by going to Settings > Display > “choose your screen timeout option”.
Remote wipe allows you to securely delete files on your lost or stolen phone or tablet by sending a wipe command to the device. For Android devices, you can download Mobile Defense for free or Where’s My Droid for $3.99. Both of these apps have a remote wipe feature. If you use ActiveSync for your MedNet email, you can wipe your device with Outlook Web Access by following these instructions. (Here’s how to register with ActiveSync.)
Yes, if you store any Restricted Information on the device it must be encrypted. If you are unsure whether or not your external device needs to be encrypted, contact your IT Support group or the Office of Compliance Services – Information Security, InfoSecAll@mednet.ucla.edu.
The Office of Compliance Services – Information Security suggests purchasing a hardware-encrypted USB and external hard drives as they are already automatically encrypted and easy to use. They are also
Faster than software-encrypted devices
Driver installation is not required
Likely to meet the HIPAA requirement that encryption be AES 128 or better
If you have purchased non-encrypted USBs or external hard drives, contact your IT Support group for encryption options.