Summary the NSW Health Mobile and Smart Device Policy Directive

Policy Directive

Mobile and Smart Device

Summary The NSW Health Mobile and Smart Device Policy Directive defines the principles for allowable usage and features of mobile and smart devices for business use while connected to NSW Health information systems and assets. Document type Policy Directive Document number PD2020_037 Publication date 13 October 2020 Author branch eHealth & ICT Strategy Branch Branch contact (02) 8644 2213 Review date 13 October 2023 Policy manual Not applicable File number H20/70778 Status Active Functional group Clinical/Patient Services - Information and Data Corporate Administration - Information and Data, Security Personnel/Workforce - Security, Workforce planning Applies to Ministry of Health, Public Health Units, Local Health Districts, Board Governed Statutory Health Corporations, Chief Executive Governed Statutory Health Corporations, Specialty Network Governed Statutory Health Corporations, Affiliated Health Organisations, NSW Health Pathology, Public Health System Support Division, Cancer Institute, Government Medical Officers, NSW Ambulance Service, Public Hospitals Distributed to Ministry of Health, Public Health System, Government Medical Officers, NSW Ambulance Service Audience All Staff of NSW Health

Secretary, NSW Health This Policy Directive may be varied, withdrawn or replaced at any time. Compliance with this directive is mandatory for NSW Health and is a condition of subsidy for public health organisations.

MOBILE AND SMART DEVICE

POLICY STATEMENT This Policy Directive defines the principles for allowable usage and features of NSW Health owned and personally owned mobile and smart devices for business use while connected to NSW Health information systems and assets. It establishes a baseline of requirements for all mobile and smart devices. NSW Health Organisations are required to adhere to this baseline on all mobile and smart devices and determine if additional security measures should be established for the needs of their individual data sets. Users of mobile and smart devices for connection to NSW Health information systems and assets includes employees, contractors, service providers, third parties and other persons who have a justified business need to access NSW Health information systems and assets and associated information. SUMMARY OF POLICY REQUIREMENTS All mobile and smart devices accessing and/or containing stored information owned by NSW Health organisations must be managed and administered through a Mobile Device Management (MDM) system. Access to devices must be controlled through policy compliant authentication methods such as password, pin or biometrics in-line with the NSW Health security policies. All mobile and smart devices must auto-lock with data not available from the locked screen. All mobile and smart devices must employ device level encryption to prevent unauthorised access and data loss. All backups of devices must be encrypted to ensure security of health information within the backup. Devices must be configured to not automatically connect to open Wi-Fi networks, as this can expose the device to security risks. Applications installed on devices must be from a trusted source (e.g. google play, apple store), to ensure the application has been validated and properly signed by the developer, which indicates it has been submitted unmodified for installation on the device. Mobile and smart devices must have the ability for the administrator to remotely send a command to a device and delete data (Remote-Wipe).

REVISION HISTORY

Version Approved by Amendment notes October-2020 Secretary, NSW Initial Document (PD2020_037) Health

ATTACHMENTS 1. Mobile and Smart Device: Procedures.

PD2020_037 Issue date: October-2020 Page 1 of 1 NSW HEALTH POLICY

MOBILE AND SMART DEVICE

CONTENTS

1 BACKGROUND ...... 1 1.1 About this document ...... 1 1.2 Key definitions ...... 1 1.3 Legal and legislative framework ...... 2 2 ELIGIBILITY AND PROCUREMENT ...... 2 3 ACCEPTABLE USE ...... 2 4 MOBILE DEVICE MANAGEMENT SYSTEM ...... 2 4.1 Passcodes and complexity ...... 3 4.2 Auto-lock ...... 3 4.3 Number of failed attempts allowed ...... 3 4.4 Applications (Apps) ...... 3 4.5 Remote wipe ...... 3 4.6 Encrypted backups ...... 3 4.7 Minimum device operation system levels ...... 3 4.8 Monitoring ...... 4 5 INFORMATION ON LOCKED SCREENS ...... 4 6 SECURING DATA ...... 4 7 FUNCTIONALITY AND FEATURE MANAGEMENT ...... 4 8 DISPOSAL ...... 4 9 USER RESPONSIBILITIES ...... 5 9.1 General responsibilities ...... 5 9.2 Physical security ...... 5 9.3 Responsibilities specific to personally owned devices ...... 6 10 ENFORCEMENT ...... 6 11 EXCEPTIONS ...... 6 12 REFERENCES ...... 7 12.1 NSW Health policy directives ...... 7 12.2 NSW government policies and directives ...... 7

PD2020_037 Issue date: October-2020 Contents page NSW HEALTH PROCEDURE MOBILE AND SMART DEVICE

1 BACKGROUND

1.1 About this document

This Policy Directive applies to the use of mobile and smart devices for business purposes, regardless of whether or not users are at their normal place of work. It is not applicable to NSW Health data and information that is available on NSW Health public Internet sites. Any person accessing NSW Health information using mobile and smart devices has a responsibility to maintain security of critical and sensitive information, including personal health information. Confidentiality, integrity and availability are the security objectives that must be applied to mobile and smart devices when connecting to NSW Health information systems and assets. These objectives will determine access to and disclosure of information, ensure data is protected against unauthorised alteration or destruction and authorised users are provided with timely and reliable access to information systems and assets. Access to and continued use of network services is granted on the condition that each user follows all policies concerning the use of mobile and smart devices while connected to NSW Health information systems and assets. Users must not store the organisations data and/or information on mobile devices that are not managed or administered by NSW Health Organisations. It is also a legislative requirement to maintain the privacy of records containing personal information and personal health information about employees and members of the public and prevent unlawful access, use and disclosure of such information. NSW Health is committed to the provision of appropriate levels of security across all of its information systems and assets including mobile and smart devices.

1.2 Key definitions

NSW Health Mobile and Smart Device Includes any mobile and smart device that has been purchased by and is owned or leased by NSW Health. Mobile and Smart Device Includes mobile handsets, smartphones and other mobile devices (including Tablet PCs) that have similar functions and access services via Wi-Fi or mobile data networks. Mobile Device Management (MDM) The system that provides software distribution, policy compliance, inventory management, security management and service management for mobile devices. Personally Owned Mobile and Smart Devices Includes any mobile and smart device that is held personally by an individual in a private capacity.

PD2020_037 Issue date: October-2020 Page 1 of 7 NSW HEALTH PROCEDURE MOBILE AND SMART DEVICE

Jail-breaking The process of removing the limitations imposed on devices through the use of hardware/software exploits. Jail breaking allows users to gain root access to the operating system, allowing them to download additional applications, extensions, and themes that are unavailable through the official App Stores.

1.3 Legal and legislative framework

NSW Health Organisations and people who work within the NSW public health system must meet the requirements of the: 1. Workplace Surveillance Act 2005 (NSW); 2. State Records Act 1988 (NSW); 3. Health Records and Information Privacy Act 2002 (NSW); 4. Privacy and Personal Information Protection Act 1998 (NSW); and 5. Government Sector Employment Act 2013 (NSW) Additionally, staff must comply with privacy and confidentiality obligations contained in the NSW Health Code of Conduct.

2 ELIGIBILITY AND PROCUREMENT A NSW Health mobile and smart device will only be issued if there are genuine business needs for the user. Procurement of NSW Health mobile and smart devices and any associated carrier costs must be through the approved procurement / purchasing procedures.

3 ACCEPTABLE USE It is important to ensure that all use of mobile and smart devices complies with the Acceptable Use section of the NSW Health Communications - Use & Management of Misuse of NSW Health Communications Systems (PD2009_076). This includes that no mobile or smart device uses external resources or personal email facilities to conduct business for NSW Health Organisations.

4 MOBILE DEVICE MANAGEMENT SYSTEM All mobile and smart devices that are used to access and/or contain stored information owned by NSW Health Organisations must be enrolled to the Mobile Device Management (MDM) system. The MDM system will enforce security policy and configuration, secure data communication and storage, user and device authentication, enterprise mobile application management, provide audit trail details on data accessing and monitor abnormal activities.

PD2020_037 Issue date: October-2020 Page 2 of 7 NSW HEALTH PROCEDURE MOBILE AND SMART DEVICE

4.1 Passcodes and complexity

A password or passcode must be enabled on mobile and smart devices to unlock the device when not in use, biometric features can be used and enabled as by default. But a backup password or passcode is still required to leverage any biometric features. Simple passwords must be disabled across the NSW Health systems and networks. Users will be prompted to create stronger passwords to protect against the risks of disclosure of sensitive/confidential NSW Health information.

4.2 Auto-lock

The Auto-Lock feature protects the information on the smart device by auto-locking the device after the specified time.

4.3 Number of failed attempts allowed

Mobile and smart devices must be configured to automatically initiate a wipe after a predefined number of failed passcode attempts. After too many unsuccessful attempts, all data and settings on the device will be erased.

4.4 Applications (Apps)

Applications installed on mobile and smart devices must be from a trusted source (e.g. google play, apple store), to ensure the application has been validated and properly signed by the developer. Installing applications from unknown sources is disabled.

4.5 Remote wipe

Remote wipe function enables the mobile and smart device to be wiped of data if the device is lost, stolen or misplaced. This includes any personal or health information stored on the device. NSW Health Organisations take no responsibility for any personal or non NSW Health information data that is stored on these devices that may be lost or deleted.

4.6 Encrypted backups

Backups must be encrypted to ensure that confidential and sensitive information that is backed up is not easily accessible. Backups must be disabled to the vendor’s cloud service.

4.7 Minimum device operation system levels

The minimum operating system level will be defined and checked. Any mobile and smart device not meeting this requirement will not be permitted to access NSW Health Organisations information systems and assets.

PD2020_037 Issue date: October-2020 Page 3 of 7 NSW HEALTH PROCEDURE MOBILE AND SMART DEVICE

4.8 Monitoring

Monitoring the use of, or access to, data provided by NSW Health information systems and assets will be undertaken through the Mobile Device Management system. Global Positioning System (GPS) and location tracking will not be monitored on any mobile and smart device without express permission from the user. In situations where the mobile and smart device may be lost, stolen or misplaced then GPS location tracking may be enabled to assist in the location of the device.

5 INFORMATION ON LOCKED SCREENS When mobile and smart devices are locked, there must be no data shown on the lock screen. This includes (but is not limited to) showing mail previews, showing message previews and notification messages.

6 SECURING DATA NSW Health Organisations reserves the right to refuse network connections for particular mobile and smart devices or software where there is a security or other risk to its data or information resources. NSW Health Organisations owns all information resources, and all data stored transmitted or processed on a mobile or smart device during the course of the NSW Health business or otherwise on NSW Health’s behalf – irrespective of who owns the mobile and smart device. NSW Health Organisations reserve the right to request access to inspect, or delete NSW Health data held on a personally owned mobile and smart device to the extent permitted by law and for legitimate business purposes. Every effort will be made to ensure that NSW Health does not access private information relating to the individual.

7 FUNCTIONALITY AND FEATURE MANAGEMENT The mobile and smart device operating system shall not be modified, unless required or recommended by NSW Health Organisations. The use of devices that are jailbroken, "rooted" or have been subjected to any other method of changing built-in protections is not permitted.

8 DISPOSAL It is important to ensure all unused or ownership change of mobile and smart devices are returned to NSW Health Organisations to ensure that these devices can be removed or re-assigned within the asset register. The remote wipe feature of the Mobile Device Management system will be used to delete corporate data from the device. This will include the erasing of all data on the device and SD card including email, calendar, contacts, photos, music, and user's personal files. In cases where the phone is faulty and data cannot be removed from the device via its feature set or remotely wiped by the Mobile Device Management system, it is necessary

PD2020_037 Issue date: October-2020 Page 4 of 7 NSW HEALTH PROCEDURE MOBILE AND SMART DEVICE

to have the mobile and smart device hardware physically destroyed to ensure all of the NSW Health information and data are disposed of completely.

It is the responsibility of NSW Health Organisations to ensure secure disposal of mobile and smart devices. This also includes the wipe of all corporate and personal information from the phone.

NSW Health Organisations must ensure that the approved destruction of the mobile hardware is updated in the asset register and where third party vendor have been engaged to perform the destruction, that a certificate of destruction is obtained from the vendor and filed within the organisation.

9 USER RESPONSIBILITIES

9.1 General responsibilities

The loss or theft of any mobile and smart device containing information or data owned by NSW Health Organisations must be reported immediately to the State Wide Service Desk or lodge a ticket on SARA. This includes both the organisations and personally owned mobile and smart devices. If not being used, all communication methods must be disabled or turned off. This includes Wi-Fi, Bluetooth and Near Field Communication (NFC). All Bluetooth communications should use a unique pass-code and unsecured Wi-Fi access points should be avoided. Networks in coffee shops and public places are frequently unsecured and are frequent targets of hackers. Access to NSW Health information systems and assets must be exclusively through approved applications.

9.2 Physical security

Mobile and smart device users must comply with physical security requirements when devices are at the user's work location, when working off-site or when travelling. Users must take the following preventative measures to protect NSW Health information systems and assets. Mobile and smart devices must not be left in plain view in an unattended vehicle, even for a short period of time and mobile devices must not be left in a vehicle overnight. A mobile and smart device displaying sensitive information being used in a public place must be positioned so that the screen cannot be viewed by others. The mobile and smart device must be physically secured when it is left unattended outside the immediate work area for any extended period. In vulnerable situations (e.g., public areas), the mobile and smart device must not be left unattended under any circumstance. Mobile devices should be carried as hand luggage when travelling and never checked as baggage.

PD2020_037 Issue date: October-2020 Page 5 of 7 NSW HEALTH PROCEDURE MOBILE AND SMART DEVICE

9.3 Responsibilities specific to personally owned devices

NSW Health Organisations will not provide technical support, advice or consulting services for personal mobile and smart devices except to enable users to access NSW Health information or systems for business purposes. Owners are responsible for the security and protection of their mobile and smart devices and NSW Health information. Health organisations takes no responsibility for any damage to or loss of the mobile and smart device. Operating systems and applications must be kept up-to-date and patched to remove any known security vulnerabilities. All costs associated with the use of a personally owned mobile and smart devices will remain the sole responsibility of the device owner. These include, but are not limited to, voice or data charges, software or application acquisition fees and support or insurance costs. To protect NSW Health information, once approved for access to the NSW Health information systems and assets, personally owned mobile and smart devices cannot be shared with or loaned to any other person at any time including family, friends and other NSW Health staff. The mobile and smart device owner accepts that NSW Health Organisations may remote wipe the device. In these circumstances all data including personal data held on the mobile and smart device will be lost. If a mobile and smart device owner leaves NSW Health employment or if they dispose of the device, the device must have all NSW Health data and configuration removed. NSW Health information will only be stored on the personal mobile and smart device for as long as necessary.

10 ENFORCEMENT Any user found to have violated this policy and associated procedure or any NSW Health’s policies may be subject to disciplinary action.

11 EXCEPTIONS Any exceptions to this policy directive must be appropriately documented and approved. Exemptions will only be granted on the basis of a strong business and/or technical need and must include:  a detailed and balanced assessment of the exception  a timeframe associated with the proposed exception  detailed risks assessment associated with the proposed exception  costs associated with the proposed exception, and  evidence of awareness and approval from senior executives

PD2020_037 Issue date: October-2020 Page 6 of 7 NSW HEALTH PROCEDURE MOBILE AND SMART DEVICE

12 REFERENCES

12.1 NSW Health policy directives

NSW HEALTH POLICY DIRECTIVES PD2013_033 NSW Health Electronic Information Security Policy PD2015_036 NSW Health Privacy Management Plan PD2009_076 NSW Health Communications – Use & Management of Misuse of NSW Health Communication Systems PD2015_049 NSW Health Code of Conduct PD2019_028 NSW Health Goods and Services Procurement Policy PD2015_043 NSW Health Risk Management – Enterprise-Wide Risk Management Policy and Framework

12.2 NSW government policies and directives

NSW GOVERNMENT POLICIES AND DIRECTIVES https://www.digital.nsw.gov.au/policy/cyber- NSW Government Cyber Security Policy security-policy https://www.digital.nsw.gov.au/policy/managing- NSW Government: Information Classification, Labelling data-information/information-classification- and Handling Guidelines handling-and-labeling-guidelines

PD2020_037 Issue date: October-2020 Page 7 of 7 NSW HEALTH PROCEDURE