Policy Directive Mobile and Smart Device Summary The NSW Health Mobile and Smart Device Policy Directive defines the principles for allowable usage and features of mobile and smart devices for business use while connected to NSW Health information systems and assets. Document type Policy Directive Document number PD2020_037 Publication date 13 October 2020 Author branch eHealth & ICT Strategy Branch Branch contact (02) 8644 2213 Review date 13 October 2023 Policy manual Not applicable File number H20/70778 Status Active Functional group Clinical/Patient Services - Information and Data Corporate Administration - Information and Data, Security Personnel/Workforce - Security, Workforce planning Applies to Ministry of Health, Public Health Units, Local Health Districts, Board Governed Statutory Health Corporations, Chief Executive Governed Statutory Health Corporations, Specialty Network Governed Statutory Health Corporations, Affiliated Health Organisations, NSW Health Pathology, Public Health System Support Division, Cancer Institute, Government Medical Officers, NSW Ambulance Service, Public Hospitals Distributed to Ministry of Health, Public Health System, Government Medical Officers, NSW Ambulance Service Audience All Staff of NSW Health Secretary, NSW Health This Policy Directive may be varied, withdrawn or replaced at any time. Compliance with this directive is mandatory for NSW Health and is a condition of subsidy for public health organisations. MOBILE AND SMART DEVICE POLICY STATEMENT This Policy Directive defines the principles for allowable usage and features of NSW Health owned and personally owned mobile and smart devices for business use while connected to NSW Health information systems and assets. It establishes a baseline of requirements for all mobile and smart devices. NSW Health Organisations are required to adhere to this baseline on all mobile and smart devices and determine if additional security measures should be established for the needs of their individual data sets. Users of mobile and smart devices for connection to NSW Health information systems and assets includes employees, contractors, service providers, third parties and other persons who have a justified business need to access NSW Health information systems and assets and associated information. SUMMARY OF POLICY REQUIREMENTS All mobile and smart devices accessing and/or containing stored information owned by NSW Health organisations must be managed and administered through a Mobile Device Management (MDM) system. Access to devices must be controlled through policy compliant authentication methods such as password, pin or biometrics in-line with the NSW Health security policies. All mobile and smart devices must auto-lock with data not available from the locked screen. All mobile and smart devices must employ device level encryption to prevent unauthorised access and data loss. All backups of devices must be encrypted to ensure security of health information within the backup. Devices must be configured to not automatically connect to open Wi-Fi networks, as this can expose the device to security risks. Applications installed on devices must be from a trusted source (e.g. google play, apple store), to ensure the application has been validated and properly signed by the developer, which indicates it has been submitted unmodified for installation on the device. Mobile and smart devices must have the ability for the administrator to remotely send a command to a device and delete data (Remote-Wipe). REVISION HISTORY Version Approved by Amendment notes October-2020 Secretary, NSW Initial Document (PD2020_037) Health ATTACHMENTS 1. Mobile and Smart Device: Procedures. PD2020_037 Issue date: October-2020 Page 1 of 1 NSW HEALTH POLICY MOBILE AND SMART DEVICE CONTENTS 1 BACKGROUND ........................................................................................................................ 1 1.1 About this document ......................................................................................................... 1 1.2 Key definitions ................................................................................................................... 1 1.3 Legal and legislative framework ....................................................................................... 2 2 ELIGIBILITY AND PROCUREMENT ....................................................................................... 2 3 ACCEPTABLE USE ................................................................................................................. 2 4 MOBILE DEVICE MANAGEMENT SYSTEM .......................................................................... 2 4.1 Passcodes and complexity ............................................................................................... 3 4.2 Auto-lock ........................................................................................................................... 3 4.3 Number of failed attempts allowed ................................................................................... 3 4.4 Applications (Apps) ........................................................................................................... 3 4.5 Remote wipe ..................................................................................................................... 3 4.6 Encrypted backups ........................................................................................................... 3 4.7 Minimum device operation system levels ......................................................................... 3 4.8 Monitoring ......................................................................................................................... 4 5 INFORMATION ON LOCKED SCREENS ............................................................................... 4 6 SECURING DATA .................................................................................................................... 4 7 FUNCTIONALITY AND FEATURE MANAGEMENT .............................................................. 4 8 DISPOSAL ................................................................................................................................ 4 9 USER RESPONSIBILITIES ..................................................................................................... 5 9.1 General responsibilities .................................................................................................... 5 9.2 Physical security ............................................................................................................... 5 9.3 Responsibilities specific to personally owned devices ..................................................... 6 10 ENFORCEMENT ...................................................................................................................... 6 11 EXCEPTIONS ........................................................................................................................... 6 12 REFERENCES .......................................................................................................................... 7 12.1 NSW Health policy directives ........................................................................................... 7 12.2 NSW government policies and directives ......................................................................... 7 PD2020_037 Issue date: October-2020 Contents page NSW HEALTH PROCEDURE MOBILE AND SMART DEVICE 1 BACKGROUND 1.1 About this document This Policy Directive applies to the use of mobile and smart devices for business purposes, regardless of whether or not users are at their normal place of work. It is not applicable to NSW Health data and information that is available on NSW Health public Internet sites. Any person accessing NSW Health information using mobile and smart devices has a responsibility to maintain security of critical and sensitive information, including personal health information. Confidentiality, integrity and availability are the security objectives that must be applied to mobile and smart devices when connecting to NSW Health information systems and assets. These objectives will determine access to and disclosure of information, ensure data is protected against unauthorised alteration or destruction and authorised users are provided with timely and reliable access to information systems and assets. Access to and continued use of network services is granted on the condition that each user follows all policies concerning the use of mobile and smart devices while connected to NSW Health information systems and assets. Users must not store the organisations data and/or information on mobile devices that are not managed or administered by NSW Health Organisations. It is also a legislative requirement to maintain the privacy of records containing personal information and personal health information about employees and members of the public and prevent unlawful access, use and disclosure of such information. NSW Health is committed to the provision of appropriate levels of security across all of its information systems and assets including mobile and smart devices. 1.2 Key definitions NSW Health Mobile and Smart Device Includes any mobile and smart device that has been purchased by and is owned or leased by NSW Health. Mobile and Smart Device Includes mobile handsets, smartphones and other mobile devices (including Tablet PCs) that have similar functions and access services via Wi-Fi or mobile data networks. Mobile Device Management
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages10 Page
-
File Size-