New Mobile Device Security Requirements for Medical Center

As more and more faculty and staff rely on smartphones, tablets, and laptops to keep atop a barrage of work e-mail and professional duties, securing these devices – and the proprietary and protected health information (PHI) they contain – becomes increasingly urgent.

To ensure that sensitive data doesn’t fall into the wrong hands, URMC is beefing up its security policies for department-issued and personal devices. For a preview of the changes, and tips on how you can be ready for them, read on.

Overview: Mobile Device Security Policy Changes

In the months ahead, we’ll begin phasing in the following changes to our security requirements. You’ll be e-mailed with a reminder shortly before the new requirements take effect for your device(s).

(1) Enabling encryption and password protection is mandatory.

In addition to allowing you to set a personal access PIN or passcode, most devices used today have the capacity to encrypt – that is, scramble data, like outgoing e-mails, so they’re unintelligible to folks trying to “hack” in.

Often, as in the case of some Apple products (iPhones, iPads and iPod Touches), a baseline degree of encryption is turned on automatically when you activate your passcode. This applies to devices running versions of iOS 4 and 5, like the iPhone 3GS, 4, 4S and 5. Such devices will be permitted to continue connecting to URMC e-mail servers.

For other devices – like Blackberry phones – high-quality encryption for e-mail and text messages is baked into the University’s Blackberry Enterprise Server. Select Droid phones – like Motorola’s Droid Bionic and Droid X, and Samsung’s Galaxy S3 and Charge – also have sufficient built-in encryption. Others, however, like Motorola’s original Droid (released circa 2009), will need to install additional, fairly inexpensive software solutions (like TouchDown or Divide) in order to access URMC mail servers. Older devices lacking encryption capability – including Windows Phone 7, Palm devices, etc. – will not be able to access the URMC e-mail systems under the new policy.

Sufficient Encryption (Can Access URMC E-mail)

iOS devices:

  • iPhone 3GS and newer
  • iPads with iOS 4.x or newer
  • iPod Touch (Fall 2009 models with 32 GB or more; or, 3rd, 4th and 5th generations) with iOS 4.x or newer

Droid phones:

  • Motorola Droid Bionic
  • Motorola Droid X
  • Samsung Galaxy S3
  • Samsung Charge

Blackberry phones

Insufficient Encryption (Cannot Access URMC E-mail)

iOS devices:

  • iPhone 3G and older
  • iPod Touch (1st or 2nd gen)

Droid phones:

  • Motorola Droid (the original circa 2009): Won’t work unless software, such as TouchDown or Divide, is purchased and installed

Windows Phone 7, Palm devices

If you’re unsure whether your phone/tablet/laptop is encrypted/encryptable, contact the ISD Help Desk at 275-3200. A representative will happily walk you through the options available for securing your device and retaining access to URMC’s e-mail exchange.

Again, please note that once our new policy takes effect, our “smart” e-mail servers will actively block access to devices that don’t meet minimum thresholds for encryption and password protection. Full details on how you can encrypt and password protect your specific device will be spelled out (in an e-mail) prior to your device being “phased in.”

(2) Setting a “time-out period” is required.

Devices will be required to lock – and prompt users to re-enter passcodes to unlock – after 15 minutes of inactivity. This further reduces the potential for breaches, should you accidentally set down your device or step away while logged in.

(3) Users must agree to have data deleted (“wiped”) if a device is lost or stolen.

To ensure that private data remains private, ISD retains the right to remotely scrub a mobile phone/device of all data – including pictures, text messages, and more – if it’s reported lost or stolen.

We fully appreciate the potential (especially in the case of personally purchased devices) for faculty and staff to commingle personal and professional files. To that end, we strongly encourage you to take precautions, backing up any data that is particularly valuable, so you can retain access to these items in the unfortunate event that your mobile device must be “wiped” clean.

Again, we’ll be reaching out to users, in phases, shortly before the new policy takes effect for their mobile devices. Should you have questions about this new policy, we invite you to call a Help Desk representative at 275-3200.