Mobile Device Encryption Policy

Version 1.0.5, Last Updated 2024-01-23, APPROVED

1. Overview

Mobile devices such as smartphones and tablets can create added risk and become potential targets for data loss, especially given the sensitive nature of the healthcare documents processed by AccuCode AI. As such, their use must be in alignment with appropriate standards, and encryption technology should be used when possible to protect sensitive data.

2. Purpose

This document describes AccuCode AI’s Information Security requirements for encrypting data at rest on mobile devices to ensure the confidentiality and integrity of sensitive healthcare information.

3. Scope

This policy applies to any mobile device issued by or used for business which contains stored data owned by AccuCode AI Inc.

4. Policy

All mobile devices containing stored data owned by AccuCode AI must use an approved method of encryption to protect data at rest. Mobile devices are defined to include laptops, smartphones, and tablets. Users are expressly forbidden from storing data on devices that are not issued by AccuCode AI, such as storing email or sensitive documents on a personal device.

4.1 Laptops

Laptops must employ full disk encryption with an approved software encryption package that is FIPS 140-3 compliant. BitLocker (for Windows) and FileVault (for macOS) are recommended encryption solutions.

4.2 Smartphones and Tablets

Any data stored on a smartphone or tablet must be saved to an encrypted file system using AccuCode AI-approved software that is FIPS 140-3 compliant. AccuCode AI shall also employ remote wipe technology to remotely disable and delete any data stored on a smartphone or tablet which is reported lost or stolen. Mobile Device Management (MDM) solutions should be used to enforce encryption and remote wipe capabilities.

4.3 Keys

All encryption keys and passphrases must meet complexity requirements described in AccuCode AI’s Password Protection Policy. Keys should be securely stored and managed using a FIPS 140-3 compliant key management system.

4.4 Loss and Theft

The loss or theft of any mobile device containing AccuCode AI data must be reported immediately to the Information Security team.

5. Policy Compliance

5.1 Compliance Measurement

The Information Security team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to the policy must be approved by the Information Security team in advance.

5.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.