Mobile Device Security and Storage Media Management
2025.04.16
ClearHealth recognizes that media containing sensitive data may be reused when appropriate steps are taken to ensure that all stored sensitive data has been effectively rendered inaccessible. Destruction/disposal of sensitive data shall be carried out in accordance with federal and state law. The schedule for destruction/disposal shall be suspended for sensitive data involved in any open investigation, audit, or litigation.
ClearHealth utilizes enterprise-level SAN devices provided by Rackspace to store production data. All data and repositories utilized by ClearHealth and ClearHealth customers are encrypted.
Policy Statements
ClearHealth policy requires that:
(a) All media, including mobile and removable media, storing ClearHealth company data must be encrypted if allowed by exception.
(b) Critical data as defined in ClearHealth’s data classification model §data-management may not be stored on mobile devices or removable media, such as USB flash drives.
(c) All destruction/disposal of sensitive data storage media will be done in accordance with federal and state laws and regulations and pursuant to ClearHealth's written retention policy/schedule.
- Records that have satisfied the period of retention will be destroyed/disposed of in an appropriate manner.
- Records involved in any open investigation, audit or litigation should not be destroyed/disposed of.
(d) All sensitive data must be rendered inaccessible in a forensically sound manner prior to media reuse or disposal.
(e) Mobile devices, including laptops, smartphones and tablets, used in support of critical business operations shall be fully managed and/or audited by ClearHealth IT and Security.
(f) ClearHealth prohibits the changing of password/PIN lengths and authentication requirements for reading e-mail, composing documents, or surfing the Internet.
(g) ClearHealth protects physical media housing covered and/or confidential information from unauthorized disclosure or modification while in transit by the appropriate application of at least one of the following: use of locked containers; delivery by hand; tamper-evident packaging (which reveals any attempt to gain access); or splitting of the consignment into more than one delivery and dispatch by different routes.
(h) Optum manages portable, removable storage devices so that they are sanitized prior to being connected to the information system under the following circumstances:
- initial use after purchase;
- when obtained from an unknown source;
- when the organization loses a positive chain of custody; and
- when the device was connected to a lower assurance system based on its security categorization (e.g., a publicly accessible kiosk).
(i) If removable media is required by ClearHealth, Optum manages the:
- configuration of systems to allow only specific USB devices (based on serial number or other unique property) to be accessed; and
- automatic configuration of devices so that they conduct an anti-malware scan of removable media when inserted or connected (e.g., through the use of third-party software).
(j) When individuals are accessing sensitive information (e.g., covered information, cardholder data) from a remote location, then the
- copying
- moving
- printing
- using print screen to capture
- storage of
this information onto local hard drives and removable electronic media is prohibited, unless explicitly authorized for a defined business need.