Mobile Device Management

To meet the mobile device management requirement in HICP Practice 2.8, you must deploy an MDM solution that enforces security policies on any mobile device that can access PHI, including the ability to manage configurations and remotely wipe devices. Operationally, that means defining your PHI-access device scope, enrolling devices, enforcing baseline controls, and retaining proof that policies are actively applied. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)

Key takeaways:

  • MDM scope is “any mobile device accessing PHI,” not just corporate-owned phones. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
  • Auditors look for enforced settings and logs, not policy PDFs. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
  • Remote wipe and configuration enforcement must be real capabilities you can demonstrate on demand. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)

Mobile device management (MDM) becomes a compliance requirement the moment phones or tablets touch PHI, whether through email, EHR apps, secure messaging, virtual desktop, browser access, or synced files. HICP Practice 2.8 is blunt: deploy MDM to enforce security policies on mobile devices accessing PHI. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)

For a CCO or GRC lead, the fastest path is to treat MDM as an access control and evidence problem, not a tooling debate. First, decide what “accessing PHI” means in your environment and which device populations qualify (corporate-owned, BYOD, contractor devices, clinician personal phones, tablets used for rounding, and any shared devices). Next, pick the minimum policy set you will enforce through MDM and align it to PHI workflows (authentication, encryption, screen lock, OS patch posture, app controls, and remote wipe). Then operationalize: enrollment gates, conditional access, break-glass exceptions, and routine reporting that proves enforcement.

If you already have Microsoft Intune, Jamf, VMware Workspace ONE, or a similar platform, you may be closer than you think. The compliance gap usually sits in scope, exceptions, and evidence retention.

Regulatory text

Requirement (HICP Practice 2.8): “Deploy mobile device management (MDM) solutions to enforce security policies on mobile devices accessing PHI.” (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)

Operator interpretation: You need an MDM (or equivalent endpoint management capability for mobile) that can (a) apply security configurations, (b) enforce those configurations, and (c) support remote wipe for devices that access organizational resources or PHI. “Deploy” means it is in production for the in-scope device population, not just purchased or piloted. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)

Plain-English interpretation (what this means in practice)

If a phone/tablet can view, transmit, store, or cache PHI, you must manage it with MDM and enforce baseline security controls from a central console. That typically includes:

  • Requiring a secure lock screen and strong authentication
  • Enforcing encryption where supported
  • Controlling OS versions/patch posture
  • Separating organizational data from personal data where feasible (especially for BYOD)
  • Enabling remote wipe (device wipe and/or selective wipe of organizational data) (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)

The compliance intent is straightforward: prevent lost/stolen devices, unmanaged apps, and misconfigurations from becoming PHI incidents.

Who it applies to

Entity types: Healthcare organizations and health IT vendors. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)

Operational context (scope triggers):

  • Clinicians or staff use mobile devices for EHR access, secure chat, clinical photos, patient engagement, on-call workflows, or MFA/SSO approvals that are coupled to PHI systems.
  • Executives or billing staff access PHI through email, attachments, portals, or remote desktop from mobile devices.
  • Third parties (contractors, temporary workforce, service providers) use mobile devices to access your PHI environment.
  • Shared tablets/kiosks are deployed in clinical areas.

Scope rule that holds up in audits: if the device can access PHI, it is in scope for MDM controls. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)

What you actually need to do (step-by-step)

Step 1: Define “mobile device” and “accessing PHI” for your environment

Write a short scoping statement you can defend:

  • Device types: iOS/iPadOS, Android, rugged clinical devices, tablets, and any mobile OS used to access PHI.
  • Access paths: native apps, browser portals, email, VDI, file sync, and API-connected apps.
  • Data modes: view-only, download, offline cache, screenshots, attachments, local storage.

Deliverable: MDM scope statement that ties directly to PHI access paths. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)

Step 2: Choose the MDM control model by device ownership

Create a simple decision matrix:

  • Corporate-owned: full MDM enrollment; highest enforcement.
  • BYOD: personal device enrollment with privacy-aware controls (containerization, app protection, selective wipe).
  • Shared clinical devices: supervised mode (where applicable), restricted app set, strong session controls.

You are aiming for enforceability plus acceptable clinical operations. HICP does not prescribe a specific product or model; it requires MDM enforcement and remote wipe capability. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)

Step 3: Establish the minimum enforced policy set (the “MDM baseline”)

Define baseline controls as enforced settings (not “users must…”). Common baseline categories:

  • Authentication & lock: passcode strength, biometric allowance rules, max inactivity lock, max failed attempts behavior
  • Encryption: require device encryption where supported by OS management APIs
  • OS posture: minimum OS version, block jailbroken/rooted devices
  • Network controls: Wi‑Fi profiles, VPN profiles as needed for PHI workflows
  • App controls: allowlist clinical apps, block risky apps where feasible, manage app installation sources
  • Data protection: prevent unmanaged backups, enforce managed apps for PHI email/attachments where applicable
  • Remote wipe: device wipe for corporate-owned; selective wipe for BYOD and offboarding (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)

Document what is enforced, what is monitored, and what is not technically possible on certain device classes.

Step 4: Implement enrollment gating and conditional access

MDM is easy to bypass unless you connect it to access control:

  • Require device compliance (enrolled + meets baseline) before allowing access to PHI systems.
  • Block access for unknown devices.
  • Define exception handling for emergency access and document it.

If your identity platform supports conditional access, connect “device compliance” to PHI application access decisions. The goal: an unmanaged phone cannot access PHI. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
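The Step 3 baseline and the Step 4 gating decision, as an added worked example that is not from the original page and not the configuration of Intune, Jamf, Workspace ONE or any other product. The baseline values, the device records and the exception register are constructed for illustration; one design choice is visible in `HARD_BLOCK`: an exception can cover an OS or passcode shortfall for a bounded period with compensating controls, but it never admits an unenrolled or jailbroken/rooted device, which matches the page's "block access for unknown devices" rule.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical MDM baseline expressed as enforced settings (Step 3); values
# are constructed for this example, not any vendor's schema.
BASELINE = {
    "min_os": {"ios": (17, 0), "android": (14, 0)},
    "require_encryption": True,
    "min_passcode_length": 6,
    "max_inactivity_minutes": 5,
    "block_jailbroken": True,
}

# Findings an exception may never override: unknown devices are blocked and
# jailbroken/rooted devices are blocked at baseline.
HARD_BLOCK = {"not_enrolled", "jailbroken_or_rooted"}


@dataclass
class Device:
    device_id: str
    platform: str               # "ios" or "android"
    os_version: tuple           # (major, minor) as reported by the MDM agent
    enrolled: bool
    encrypted: bool
    passcode_length: int
    inactivity_lock_minutes: int
    jailbroken: bool


@dataclass
class AccessException:
    device_id: str
    justification: str
    expires: date               # every exception carries an end date
    compensating_controls: list


def compliance_findings(d: Device, baseline: dict = BASELINE) -> list:
    """Evaluate one device against the baseline; an empty list means compliant."""
    if not d.enrolled:
        return ["not_enrolled"]
    findings = []
    if d.os_version < baseline["min_os"][d.platform]:
        findings.append("os_below_minimum")
    if baseline["require_encryption"] and not d.encrypted:
        findings.append("encryption_disabled")
    if d.passcode_length < baseline["min_passcode_length"]:
        findings.append("weak_passcode")
    if d.inactivity_lock_minutes > baseline["max_inactivity_minutes"]:
        findings.append("inactivity_lock_too_long")
    if baseline["block_jailbroken"] and d.jailbroken:
        findings.append("jailbroken_or_rooted")
    return findings


def access_decision(d: Device, exceptions: dict, today: date) -> tuple:
    """Return (allow, reason) for a PHI application access request (Step 4)."""
    findings = compliance_findings(d)
    if not findings:
        return True, "compliant"
    exc = exceptions.get(d.device_id)
    if exc is None:
        return False, "noncompliant: " + ", ".join(findings)
    blocked = sorted(HARD_BLOCK & set(findings))
    if blocked:
        return False, "exception cannot cover: " + ", ".join(blocked)
    if exc.expires < today:
        return False, "exception expired on " + exc.expires.isoformat()
    return True, "exception until %s; compensating: %s" % (
        exc.expires.isoformat(), "; ".join(exc.compensating_controls))


# Constructed sample fleet and exception register for a stand-alone run.
SAMPLE_DEVICES = [
    Device("D-1001", "ios", (17, 2), True, True, 6, 5, False),
    Device("D-1002", "android", (13, 0), True, True, 6, 5, False),  # old OS
    Device("D-1003", "ios", (17, 2), True, True, 4, 10, False),     # weak lock
    Device("D-1004", "ios", (17, 2), True, True, 6, 5, True),       # jailbroken
    Device("D-9999", "ios", (17, 2), False, True, 6, 5, False),     # unenrolled
]
SAMPLE_EXCEPTIONS = {
    "D-1002": AccessException("D-1002", "legacy rugged scanner awaiting refresh",
                              date(2024, 6, 30), ["VDI-only access", "no offline cache"]),
    "D-1004": AccessException("D-1004", "should not be granted", date(2030, 1, 1), []),
}


def sample_decisions(today_iso: str = "2024-05-01") -> dict:
    """Decide every sample device as of the given date (ISO string)."""
    today = date.fromisoformat(today_iso)
    return {d.device_id: access_decision(d, SAMPLE_EXCEPTIONS, today)
            for d in SAMPLE_DEVICES}


if __name__ == "__main__":
    for dev_id, (allow, reason) in sample_decisions().items():
        print(dev_id, "ALLOW" if allow else "BLOCK", reason)
```

Running the block prints one decision line per device; re-running it with `sample_decisions("2024-07-01")` shows the D-1002 exception lapsing on its end date, which is the behaviour an auditor asks about when they ask how you ensure exceptions expire.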

Step 5: Operationalize lifecycle processes (joiner/mover/leaver)

MDM must stay accurate as people and devices change:

  • Provisioning: enrollment steps, supervised mode for corporate devices, app deployment
  • Changes: role changes, new clinical apps, device replacements
  • Offboarding: selective wipe, revoke tokens/sessions, remove profiles, confirm completion
  • Loss/theft: remote wipe execution criteria, documentation, and incident workflow alignment (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)

Tie these steps to HR and ITSM tickets so you can prove consistent handling.

Step 6: Monitor, report, and prove enforcement

Set up routine outputs that show control effectiveness:

  • Compliance dashboards (enrolled vs. not, compliant vs. noncompliant)
  • Exceptions list (who, why, for how long, compensating controls)
  • Remote wipe logs and test evidence
  • Configuration profiles and assignment groups
  • Alerts for jailbreak/root, disabled encryption, or outdated OS (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
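The compliance dashboard from Step 6 and the reconciliation of identity sign-in logs against the MDM inventory (the "inventory mismatch" hangup and the day 61-90 validation task), as an added example that is not from the original page. The two CSV extracts are constructed sample data; their column names are assumptions, not the export format of any MDM or identity product. The reconciliation flags devices that successfully reached a PHI application while being either unknown to the MDM or known but noncompliant, which is exactly the evidence gap an assessor probes.

```python
import csv
import io
from collections import Counter

# Constructed MDM inventory export (Step 6: enrolled vs. compliant by ownership).
MDM_INVENTORY_CSV = """device_id,user,ownership,compliance_state
D-1001,a.nurse,corporate,compliant
D-1002,b.doc,byod,noncompliant
D-1003,c.clerk,corporate,compliant
D-1004,shared-floor3,shared,compliant
"""

# Constructed identity-platform sign-in log; D-9999 never enrolled in MDM.
SIGNIN_LOG_CSV = """timestamp,user,device_id,app,result
2024-05-01T08:01:00Z,a.nurse,D-1001,ehr-mobile,success
2024-05-01T08:05:00Z,b.doc,D-1002,ehr-mobile,success
2024-05-01T08:09:00Z,d.contractor,D-9999,secure-chat,success
2024-05-01T08:12:00Z,a.nurse,D-1001,email,success
2024-05-01T08:20:00Z,e.exec,D-2222,email,failure
"""

# Applications classed as PHI access paths in the scope statement (assumed names).
PHI_APPS = {"ehr-mobile", "secure-chat", "email"}


def load_csv(text: str) -> list:
    """Parse a CSV extract into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def dashboard(inventory: list) -> dict:
    """Headline counts for the routine compliance report."""
    by_state = Counter(r["compliance_state"] for r in inventory)
    by_owner = Counter(r["ownership"] for r in inventory)
    return {
        "enrolled": len(inventory),
        "compliant": by_state["compliant"],
        "noncompliant": by_state["noncompliant"],
        "by_ownership": dict(by_owner),
    }


def reconcile(inventory: list, signins: list, phi_apps: set = PHI_APPS) -> dict:
    """Find devices that reached a PHI app but are unmanaged or noncompliant.

    Only successful sign-ins count: a blocked attempt is the gate working,
    not a gap. Each finding maps device_id -> set of users seen on it.
    """
    state = {r["device_id"]: r["compliance_state"] for r in inventory}
    unmanaged, noncompliant = {}, {}
    for e in signins:
        if e["app"] not in phi_apps or e["result"] != "success":
            continue
        dev = e["device_id"]
        if dev not in state:
            unmanaged.setdefault(dev, set()).add(e["user"])
        elif state[dev] != "compliant":
            noncompliant.setdefault(dev, set()).add(e["user"])
    return {"unmanaged_phi_access": unmanaged,
            "noncompliant_phi_access": noncompliant}


if __name__ == "__main__":
    inv = load_csv(MDM_INVENTORY_CSV)
    sig = load_csv(SIGNIN_LOG_CSV)
    print("dashboard:", dashboard(inv))
    for finding, devices in reconcile(inv, sig).items():
        for dev, users in sorted(devices.items()):
            print(finding, dev, sorted(users))
```

Any device listed under `unmanaged_phi_access` means the conditional-access gate is not actually closing the path the scope statement says it closes; a device under `noncompliant_phi_access` should match an entry in the exception register, and one that does not is a finding to fix before the assessment, not during it.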

Step 7: Vendor/third-party alignment where mobile access is outsourced

If a third party provides an app or managed service that enables mobile PHI access, contractually require that mobile endpoints are managed under an MDM/app protection approach consistent with your policy. Keep it simple: “No PHI access from unmanaged mobile devices.”

If you run third-party due diligence in Daydream, treat “mobile PHI access” as a scoping question that drives required evidence: MDM enforcement, remote wipe capability, and access gating design. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)

Required evidence and artifacts to retain

Auditors and assessors typically want proof that MDM is deployed, enforced, and scoped to PHI access. Maintain:

  • MDM policy/standard stating scope (“devices accessing PHI must be enrolled and compliant”) (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
  • System configuration evidence: screenshots/exports of compliance policies, configuration profiles, and assignment groups
  • Device inventory: enrolled device list with ownership type (corporate/BYOD/shared) and compliance status
  • Conditional access/access control rules tying PHI app access to device compliance (if used)
  • Remote wipe evidence: procedure + logs from actual events, plus a periodic functional test record
  • Exception register: approved exceptions, business justification, expiration, and compensating controls
  • Offboarding tickets: showing wipe/revocation actions completed for mobile access users
  • Training/communications sent to staff about enrollment and acceptable use for PHI mobile access

Common exam/audit questions and hangups

Expect these questions:

  • “Show me which mobile devices can access PHI and prove they’re under MDM.” (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
  • “How do you block access from unmanaged mobile devices?”
  • “Demonstrate remote wipe and show an example from a real case.”
  • “How do you handle BYOD privacy and selective wipe?”
  • “Who can approve exceptions, and how do you ensure exceptions expire?”
  • “What happens when a device is lost, stolen, or when an employee leaves?”

Hangups that slow exams:

  • Inventory mismatch between identity logs and MDM console
  • Informal BYOD workflows (“we tell them to set a passcode”)
  • No evidence that settings are enforced rather than recommended

Frequent implementation mistakes (and how to avoid them)

  1. Mistake: scoping only corporate devices.
    Fix: scope by PHI access, then pick the right control model per ownership type. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)

  2. Mistake: relying on policy language instead of enforced controls.
    Fix: translate each requirement into an MDM setting and keep an exported “policy-to-setting mapping.”

  3. Mistake: exceptions without expiry.
    Fix: require an end date and compensating controls (e.g., restrict app access, VDI-only, limited network paths).

  4. Mistake: remote wipe exists but nobody can execute it quickly.
    Fix: define on-call authorization, document steps, and maintain evidence from test runs and real incidents. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)

  5. Mistake: shared tablets treated like personal devices.
    Fix: supervised/shared device mode, locked-down app sets, and session controls suited to clinical workflows.

Enforcement context and risk implications

No public enforcement cases were provided in the source material for this requirement, so treat HICP Practice 2.8 primarily as a defensible “reasonable security” expectation for healthcare environments. The risk is practical: mobile endpoints are frequently lost, shared, or unmanaged, and they are a common path to unauthorized PHI exposure. HICP’s requirement focuses your program on prevention (enforced configuration), response (remote wipe), and proof (demonstrable deployment). (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)

Practical 30/60/90-day execution plan

First 30 days (stabilize scope and minimum enforcement)

  • Confirm which apps/systems allow mobile PHI access.
  • Produce the PHI mobile access scope statement and get sign-off from Security, Compliance, and Clinical Ops. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
  • Decide ownership models (corporate/BYOD/shared) and define allowed access patterns for each.
  • Configure the initial MDM baseline (lock, encryption where supported, jailbreak/root detection, remote wipe enabled). (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
  • Start building the evidence pack (exports/screenshots, inventory, policy draft).

Days 31–60 (enforce access gating and lifecycle processes)

  • Roll out enrollment for in-scope users and device fleets, starting with highest-risk roles.
  • Implement conditional access or equivalent gating to block unmanaged devices from PHI systems.
  • Stand up joiner/mover/leaver workflows with ITSM tickets and wipe/revocation steps.
  • Create the exception register and approval workflow.

Days 61–90 (operational rigor and audit readiness)

  • Run a remote wipe tabletop plus a functional test; capture evidence. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
  • Establish routine reporting for compliance status and exceptions; review with leadership.
  • Validate that identity logs, MDM inventory, and PHI app access lists reconcile.
  • If third parties access PHI via mobile, push requirements into contracts and due diligence workflows (Daydream can centralize evidence requests and exception tracking).

Frequently Asked Questions

Do we need MDM for BYOD phones if staff only “view” PHI in a browser?

If the device can access PHI, it is in scope for enforced security policies under HICP Practice 2.8. Use a BYOD model with app protection and selective wipe where feasible, and block access from unmanaged devices. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)

Is “remote wipe capability” mandatory or just recommended?

HICP’s summary for this practice includes remote wipe as a core expectation of MDM for devices accessing organizational resources or PHI. You should be able to demonstrate remote wipe execution and retain logs as evidence. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)

What’s the minimum evidence an auditor will accept?

Keep proof of deployment and enforcement: MDM policy configuration exports, enrolled/compliant device inventory, and remote wipe logs or test evidence. Add your exception register to explain any gaps. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)

How do we handle shared iPads on clinical floors?

Treat them as high-risk endpoints: supervised/shared configuration, restricted apps, enforced lock settings, and a defined process to wipe and re-enroll when devices change hands or are repurposed. The key is enforceable policy through MDM. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)

Can we meet the requirement with “app-only” management instead of full device enrollment?

HICP requires MDM solutions that enforce security policies on mobile devices accessing PHI. If your approach enforces required controls and supports remote wipe of organizational data for in-scope access, document how it meets the intent and where device-level controls are not technically possible. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)

How should we manage third parties who access our PHI from mobile devices?

Contractually require that any mobile device used to access your PHI is managed under an MDM/app protection approach and is subject to remote wipe for organizational data. In Daydream, make “mobile PHI access” a scoping question that triggers required evidence and exception handling. (HICP 2023 - 405(d) Health Industry Cybersecurity Practices)
