Wednesday, February 6, 2013

Healthcare Industry BYOD and Mobile Security

A recent story appeared in Becker's Hospital Review: Mobile's Impact on Hospital IT Security in 2013: How Your Institution Can Adapt to BYOD. In the article, Bill Ho, President of Biscom, discusses both the barrage of new regulatory requirements and the widespread adoption of mobile technology.

In the article Mr. Ho cites a recent survey by Aruba Networks. According to the survey, 85 percent of facilities support their physicians' and staff's use of personal devices at work. With that support, hospital employees and clinicians can:

  • check their personal email accounts
  • check their work email
  • review electronic medical records
  • check drug interaction information
  • use secure mobile file transfer apps to view lab results or radiology images
  • provide signature approval on a treatment decision
  • stay more accessible and connected

These changes to technology in the healthcare industry, and its new mobility, leave IT departments with two questions to address:
  1. How can we best integrate personal devices while still maintaining our existing security policies?
  2. How do we support healthcare professionals who bring their own devices into various medical settings while still maintaining the security and confidentiality of protected health information?
I have spent much of my professional career creating solutions for protecting both personal and corporate data. Over the years I have worked with many hospitals and other medical facilities on protecting data in systems subject to the Health Insurance Portability and Accountability Act (HIPAA). With the growing number of devices, systems and applications seeking access to personal medical data, IT staff will need security policies that address:
  • Rogue applications installed by a clinician or other staff member that could access protected health information (PHI) now that the device is tied to the facility's network.
  • The dual-use (personal and work) nature of mobile devices, and the tendency, especially on personal devices, to trade security for ease of use, simplicity and quick access.
  • Blocking synchronization apps such as Dropbox until they can be managed with centralized control, granular permissions and integration with established authentication services.
Mr. Ho goes on to provide 10 points healthcare IT departments should consider as they develop their BYOD (Bring Your Own Device) policies and work to meet HIPAA and PHI security requirements.

1. Review your current security policies for web applications (CRM, email, portals), VPN and remote access. Most, if not all, of these will apply to mobile devices as well.

2. Determine which devices you are willing to support: not all devices meet your organization's security requirements, and you do not want to have to test every possible platform. Also check each device, at enrollment and again periodically, to make sure it has not been jailbroken or rooted; a one-time physical inspection will not catch a device that is rooted later.

3. Set expectations clearly. IT may have to change physicians' mindsets radically. Yes, security adds layers to wade through, but weigh that against the disruption a breach would cause.

4. Write clear and concise policies for all employees who want to use their personal devices. Have anyone participating in BYOD sign your terms of use. Those who choose not to follow your policies should not expect to use their device.

5. Make a personal identification number (PIN), or other client authentication, mandatory. It costs some ease of use, but it is the first line of defense when a device is lost. Pair it with a limit on failed attempts, or a short PIN can simply be guessed.

6. Enforce encryption of data at rest: any app that downloads and stores data on the device should protect that data with its own encryption, not just the device passcode. If the device PIN or passcode is cracked, you want that data to remain protected by a key the attacker does not have.
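To make points 5 and 6 concrete, here is an added example of the pattern an app can use for PHI it caches on the device. It is my illustration, not code from Mr. Ho's article or from any Snappii product, and it is written in Go so that it runs as a stand-alone program; the same design maps onto the iOS and Android keystore APIs. A random record key encrypts the data, the record key is stored only wrapped under a key derived from the user's PIN, and the wrapped key is destroyed after too many wrong guesses, so a lost phone yields ciphertext and nothing else. The iteration count, attempt limit, PIN and sample record are assumptions chosen for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed policy values for this illustration; tune them to the device and your policy.
const KDFIterations, MaxAttempts = 100000, 5
var ErrBadPIN, ErrLockedOut = errors.New("wrong PIN"), errors.New("key material wiped after repeated wrong PINs")

// Container is one cached PHI record under a random record key; that key is stored only wrapped under a PIN-derived key.
type Container struct {
	salt, wrappedKey, record []byte
	failures                 int
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing system RNG is not something to recover from
	}
	return b
}

// pbkdf2 is PBKDF2-HMAC-SHA256 for one 32-byte block, spelled out so the example needs only the standard library.
func pbkdf2(pin, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, pin)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): index of the first (and only) output block
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// seal prepends a random nonce to AES-256-GCM ciphertext; open reverses it and fails on a wrong key or altered data.
func seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key) // every key passed here is 32 bytes
	g, _ := cipher.NewGCM(block)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

func open(key, sealed []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	ns := g.NonceSize() // sealed always comes from seal, so it holds at least the nonce
	return g.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// NewContainer encrypts phi under a fresh record key and wraps that key under the PIN.
func NewContainer(pin string, phi []byte) *Container {
	salt, recordKey := randBytes(16), randBytes(32)
	return &Container{
		salt:       salt,
		wrappedKey: seal(pbkdf2([]byte(pin), salt, KDFIterations), recordKey),
		record:     seal(recordKey, phi),
	}
}

// Unlock checks the PIN by unwrapping the record key (GCM authentication fails on a
// wrong PIN). After MaxAttempts failures it drops the wrapped key, leaving only
// unrecoverable ciphertext on the device; an MDM remote wipe should do the same.
func (c *Container) Unlock(pin string) ([]byte, error) {
	if c.wrappedKey == nil {
		return nil, ErrLockedOut
	}
	recordKey, err := open(pbkdf2([]byte(pin), c.salt, KDFIterations), c.wrappedKey)
	if err != nil {
		c.failures++
		if c.failures >= MaxAttempts {
			c.wrappedKey = nil // local wipe
			return nil, ErrLockedOut
		}
		return nil, ErrBadPIN
	}
	c.failures = 0
	return open(recordKey, c.record)
}

func main() {
	c := NewContainer("4821", []byte("MRN-1001: potassium 5.9 mmol/L")) // constructed sample record
	got, err := c.Unlock("4821")
	fmt.Printf("correct PIN: %q (%v)\n", got, err)
	_, err = c.Unlock("0000")
	fmt.Println("wrong PIN:", err)
}
```

The attempt counter only defends against guessing on the device. Someone who copies the app's storage off the phone can run the PBKDF2 step offline, and a four-digit PIN falls in seconds regardless of the iteration count; in a real app the wrapping key should also be bound to the platform's hardware keystore so the wrapped key cannot be attacked outside the device.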

7. With hundreds of thousands of apps available, which will you permit? Are there any specific applications or class of applications you want to keep off the device? This can be hard to do, but malware and rogue apps can do serious damage without users realizing it.

8. Provide training to physicians and hospital staff to make sure they understand how to correctly use their applications, make the most of their mobile capabilities and watch for suspicious activity. Once you've embraced BYOD, promote it.

9. As mobile devices become conduits for information flow, look for apps that include auditability, reporting and centralized management. Many current apps lack these features, but those that have them make it much easier to trace a potential breach back to its source.
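As an added illustration of what "auditability" should mean in practice (my example, not code from the article or from Snappii), here is a small tamper-evident audit log of the kind an app or its backend can keep for PHI access. Each entry is bound to the one before it with a keyed hash, so an entry that is edited, reordered or deleted after the fact is detected, and a simple report answers the first question of any breach investigation. The entry fields, the log key and the sample events are assumptions constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// AuditEntry is one PHI access event. It names the record, never the PHI itself.
type AuditEntry struct {
	Seq     int
	When    string // RFC 3339 timestamp
	User    string
	Device  string
	Action  string
	Patient string
	Prev    string // Hash of the previous entry, "genesis" for the first
	Hash    string // keyed hash over every field above
}

// AuditLog is a hash-chained, keyed log. The key is assumed to be held by the
// central audit service, not the device, so entries cannot be re-signed locally.
type AuditLog struct {
	key     []byte
	Entries []AuditEntry
}

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key} }

// digest length-prefixes each field so values cannot be shifted between fields,
// and covers Prev so entries cannot be reordered without detection.
func (l *AuditLog) digest(e AuditEntry) string {
	mac := hmac.New(sha256.New, l.key)
	for _, f := range []string{fmt.Sprint(e.Seq), e.When, e.User, e.Device, e.Action, e.Patient, e.Prev} {
		fmt.Fprintf(mac, "%d:%s;", len(f), f)
	}
	return hex.EncodeToString(mac.Sum(nil))
}

// Append records an access and links it to the entry before it.
func (l *AuditLog) Append(when, user, device, action, patient string) AuditEntry {
	prev := "genesis"
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	e := AuditEntry{Seq: len(l.Entries), When: when, User: user, Device: device,
		Action: action, Patient: patient, Prev: prev}
	e.Hash = l.digest(e)
	l.Entries = append(l.Entries, e)
	return e
}

// Verify walks the chain and returns the index of the first entry that was
// edited, reordered or removed, or -1 if the log is intact.
func (l *AuditLog) Verify() int {
	prev := "genesis"
	for i, e := range l.Entries {
		if e.Seq != i || e.Prev != prev || !hmac.Equal([]byte(e.Hash), []byte(l.digest(e))) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// AccessesTo answers the question an investigation asks first: who touched this
// patient's record, from which device, when, and what did they do?
func (l *AuditLog) AccessesTo(patient string) []string {
	var out []string
	for _, e := range l.Entries {
		if e.Patient == patient {
			out = append(out, fmt.Sprintf("%s %s %s %s", e.When, e.User, e.Device, e.Action))
		}
	}
	return out
}

func main() {
	// Constructed sample events, not real log data.
	l := NewAuditLog([]byte("audit-service-key"))
	l.Append("2013-02-06T09:00:00Z", "dr.lee", "ipad-17", "view_lab_result", "MRN-1001")
	l.Append("2013-02-06T09:05:00Z", "dr.lee", "ipad-17", "sign_order", "MRN-1001")
	l.Append("2013-02-06T09:20:00Z", "nurse.kim", "phone-42", "view_lab_result", "MRN-2002")
	fmt.Println("intact log, first bad entry:", l.Verify())
	for _, line := range l.AccessesTo("MRN-1001") {
		fmt.Println("  ", line)
	}
	l.Entries[1].Patient = "MRN-9999" // an edit meant to hide an access
	fmt.Println("after tampering, first bad entry:", l.Verify())
}
```

One gap to be aware of: a chain like this cannot tell that the newest entries were simply deleted, since the log still ends on a valid hash. That is why centralized management matters here; the device should ship entries to the audit service promptly, and the service should record the latest hash it has seen so truncation shows up as a mismatch.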

10. Consider mobile device management (MDM) software that can provide secure client applications such as email and web browsers, over-the-air application distribution, configuration, monitoring and remote wipe capability. Note that some MDM providers require applications to be rewritten specifically for their platform, so some of your applications may not run in the MDM solution you pick.

Expanding on Mr. Ho's 10th point: rather than investing in many different apps created by unknown parties, I would encourage you to identify the capabilities you most need from your enterprise mobile apps and to use a platform and development team such as http://www.snappii.com. There you can design your apps yourself, or we can work with your IT department to ensure that the right data is available to the specific apps that need it, and that each app is designed to complement your existing IT security protocols.

If you have more questions on enterprise mobile app development for use in a medical environment as part of a BYOD policy, while continuing to maintain HIPAA and PHI compliance, don't hesitate to send me an email.

Alex



