
SearchHealthIT.com

Mobile Devices
Up the Security Ante
in Health Care
Mobile devices such as tablet PCs are making their way into
hospitals and are increasingly being used for clinical applications.
Their use brings both advantages and challenges, especially when
it comes to ensuring the security of sensitive patient data.

Mobile Security Trends in Health Care Settings
Supporting Wireless Devices
Meeting Technical Requirements for Mobile Deployments
Editor's Letter

Supporting New Device Explosion in Health Care Markets
By Jean DerGurahian

No IT department wants the responsibility of securing and maintaining devices that fall outside its control, yet for many in health care, that's exactly what's happening these days. The massive growth of the personal mobile device market has forced health IT managers to consider how best to bring on physicians' iPhones, iPads, and Android and BlackBerry devices, among others. Why? Because medical practitioners have seen the potential uses for improving care delivery by using their devices, and they are demanding more applications and opportunities for technology.

With that in mind, security of personal devices cannot be ignored. While there is still reluctance among IT managers to take the risk, they are developing strategies to support personal devices on health care networks. Bring your own device (BYOD) policies have emerged as a collection of practices that help ensure patient information protected by the Health Insurance Portability and Accountability (HIPAA) law is secure as it flows through any mobile device on the network.

What are IT managers finding out works best? Read through these suggestions and tips from our experts to discover the practices that are working for the health care industry.

Jean DerGurahian
Editorial Director
SearchHealthIT.com



Chapter 1

Mobile Security Trends in Health Care Settings

Bring Your Own Device policies are becoming popular in health care settings, with employees bringing their own devices to work and expecting to use work-related applications on them. This raises a number of security issues. By Nari Kannan

According to a new report by Manhattan Research, fully two-thirds of physicians in the US will be using Apple iPads for professional purposes by 2013. A similar study in Europe showed that about 26% of physicians owned and used an Apple iPad. Health care workers are using mobiles and tablet computers for various purposes like looking up drug interactions, other medical reference material, and in some cases, electronic medical records of patients.

That brings to the forefront the issue of security of transmission and storage, even if temporary, of personal health information on these mobile devices. Privacy mandates like HIPAA also heighten anxiety about storage and use of personal medical information.

Health care workers have been clamoring for some time to bring their own mobiles and tablet computers into work, expecting to access work-related applications on them. Consequently, health care IT has been setting up bring your own device (BYOD) policies, considering the variety of device preferences of the workers. This way they can exercise some level of control over security and privacy of health care data.

Current trends in mobile security promise a number of different ways in which security and privacy of health data can be addressed effectively. Some of these are:

■ Desktop as a Service usage on mobiles: Recently Dell rolled out its Desktop as a Service (DaaS) offering. On mobiles and tablets, this allows desktop environments to run virtually and access applications in their native forms (like a Windows desktop or a Macintosh). This is as if a virtual desktop resides inside the mobile device. The biggest security win in this approach is that no additional security is needed. If the owner of the mobile device is no longer with the company, this access is disabled. All applications and data reside in internal servers and no data is present locally on the mobile. Companies can adopt BYOD policies easily since the applications are not on the mobile devices, and so a larger variety of devices can be supported easily.

■ Access control lists. Access Control Lists (also known as Role Based Logins) control which users, using which mobiles, can access an application. They can, in addition, have finer control over what data within that application they can access and what they can do with it (Read Only, Read/Write, Read/Write/Delete, etc.). Fine-grained control using ACLs allows IT departments to tailor security policies to different types of users and enforce them diligently.

■ Encrypted data transmission. Virtualized desktop environments may already have 128-bit, built-in encryption of any communication, including data to and from mobiles and tablet computers. If native apps are developed for mobiles, they may need to do this when they communicate with servers.

■ Remote wipes and auto-locks. Native apps on mobiles invariably use local storage, even if for temporary download of health care data. Mobile device storage may need to be remotely wiped clean when the device is switched off. When mobile devices are lost, misplaced or stolen, the same remote wipe capability may be needed. Most mobile devices support auto-locking the device remotely if lost, misplaced, or stolen. When located again, they also require long pass codes to reactivate, providing one more security feature. There are commercial mobile device management software packages that can register devices and do these remote wipes when warranted.

■ Mobile ID authentication mechanisms. Additional authentication mechanisms may need to be implemented with something like real mobile device identification (unique ID of a smart phone or a tablet) and a company-assigned machine ID that is assigned to, say, a clinician. Only with both these IDs will the mobile device be allowed to access the network. This is an additional security precaution to authenticate physical mobile devices.

■ Isolated special subnets for mobiles. Mobile devices like smart phones and tablet computers may need isolated special subnets, meant only for them. By having a separate subnet, mobile device usage can be logged for audit and unauthorized access detected. Subnets can also, incidentally, ensure better bandwidth Quality of Service (QoS) for mobile devices. Desktops and laptops may hog a network's bandwidth if they share the same network with mobiles and tablet computers.

■ Signal range control. By making the wireless signal to the mobiles reachable only within the premises of the health care setting like a hospital or a clinic, or only at home through VPN, security and privacy can be enforced according to where applications are accessed from. This may not work very well if employees need to travel on business, but for health care applications that don't involve travel, this will work well.

Increasing use of mobile devices in health care settings brings with it a number of security problems. Depending upon how the applications are accessed, through a virtual desktop or as native applications, those problems will vary. However, trends in mobile security promise many methods to address security issues.

By matching the needs of a particular health care setting to these tools and techniques, security and privacy can be effectively ensured. There are a number of commercially available mobile management software solutions that can help health care IT set up and administer these policies well.

Nari Kannan is the chief executive officer of appsparq Inc., a Louisville, Ky.-based mobile applications consulting company. Kannan has more than 20 years of experience in information technology. He can be reached at nari@appsparq.com.
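An added example (not part of the original e-publication) that combines three of the chapter's items into one access decision: the role-based access control list, the requirement that both the device's own ID and the company-assigned machine ID match, and the isolated mobile subnet with every decision logged for audit. The subnet, device IDs, user names, roles and application names are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Flag, auto
from ipaddress import ip_address, ip_network


class Perm(Flag):
    READ = auto()
    WRITE = auto()
    DELETE = auto()


# --- Constructed sample policy: every identifier below is hypothetical ---
MOBILE_SUBNET = ip_network("10.20.30.0/24")  # isolated subnet reserved for mobiles

# (device's own unique ID, company-assigned machine ID) -> user the pair was issued to
REGISTERED_PAIRS = {
    ("HW-5F2A9C", "CLIN-0042"): "dr.lee",
    ("HW-77B013", "NURS-0107"): "rn.patel",
}
USER_ROLE = {"dr.lee": "physician", "rn.patel": "nurse"}

# role -> application -> operations that role may perform
ROLE_ACL = {
    "physician": {"ehr": Perm.READ | Perm.WRITE, "drug_reference": Perm.READ},
    "nurse": {"ehr": Perm.READ, "drug_reference": Perm.READ},
}


@dataclass(frozen=True)
class AccessRequest:
    hardware_id: str
    machine_id: str
    source_ip: str
    app: str
    wanted: Perm


audit_log = []  # one record per decision, allowed or denied


def on_mobile_subnet(source_ip):
    """True only for a well-formed address inside the isolated mobile subnet."""
    try:
        return ip_address(source_ip) in MOBILE_SUBNET
    except ValueError:
        return False


def decide(req):
    """Return (allowed, reason) and append the decision to the audit log."""
    # Both IDs must match the same registration; one correct ID is not enough.
    user = REGISTERED_PAIRS.get((req.hardware_id, req.machine_id))
    if not on_mobile_subnet(req.source_ip):
        verdict = (False, "outside-mobile-subnet")
    elif user is None:
        verdict = (False, "unregistered-device-pair")
    else:
        granted = ROLE_ACL.get(USER_ROLE.get(user, ""), {}).get(req.app, Perm(0))
        # Every requested operation must be granted; an empty request is refused.
        if req.wanted and (req.wanted & granted) == req.wanted:
            verdict = (True, "allowed")
        else:
            verdict = (False, "acl-denied")
    audit_log.append({
        "user": user, "hardware_id": req.hardware_id, "machine_id": req.machine_id,
        "source_ip": req.source_ip, "app": req.app, "wanted": req.wanted,
        "allowed": verdict[0], "reason": verdict[1],
    })
    return verdict


def denied_attempts():
    """Audit view: the denied decisions, i.e. candidate unauthorized access."""
    return [record for record in audit_log if not record["allowed"]]


if __name__ == "__main__":
    decide(AccessRequest("HW-5F2A9C", "CLIN-0042", "10.20.30.15", "ehr", Perm.READ))
    decide(AccessRequest("HW-77B013", "CLIN-0042", "10.20.30.16", "ehr", Perm.READ))
    for record in denied_attempts():
        print(record["hardware_id"], record["source_ip"], record["reason"])
```
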



Chapter 2

Supporting Wireless Devices

Bring your own device security and management policies are essential in health care organizations, where employees increasingly are using their own smartphones and tablets in the course of their workflow. By Brien Posey

One of the big trends in IT at the moment is bring your own device (BYOD). Today users expect to be able to access corporate data not just from their desktops, but also from consumer electronic devices such as tablets and smart phones. While providing wireless device users access to corporate data, maintaining compliance with the Health Insurance Portability and Accountability Act (HIPAA) can be a bit more challenging.

HIPAA does not differentiate between computing devices. Any device that a user uses to access network resources is defined as a workstation, whether it is a desktop, tablet, smartphone, etc. Therefore, one of the first provisions that must be taken into account is 164.310(C) Standard Workstation Security. This requirement states that organizations must implement physical safeguards for all workstations that access electronic protected health information (PHI) to restrict access to authorized users.

Another important requirement that must be addressed is 164.310(D)(1) Device and Media Control. This requirement states that organizations are required to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information (PHI) into and out of a facility, and the movement of these items within the facility.

To paraphrase these requirements: Any computing device that is used to access electronic health records must be configured securely, and if a computing device stores EHRs then its whereabouts must be tracked.

Mobile Device Usage

Obviously the previously stated requirements present some major challenges when it comes to BYOD. After all, the organization does not own an end user's personal mobile device and has no control over its configuration. So it must be assumed that the device is inherently insecure.

Likewise, because the device is owned by the end user and is designed for mobility, it is unlikely that the organization will be able to continuously track the device's whereabouts in accordance with HIPAA.

HIPAA imposes some strict requirements for workstations, and it might at first seem as though these requirements would prevent the use of mobile devices. With careful planning, however, it is possible to allow users to access data from their mobile devices while still maintaining HIPAA compliance.

At first glance, it seems as if the biggest barrier to mobile device usage is the requirement to track the whereabouts of such devices. However, the requirement clearly states that tracking is only necessary if the device contains electronic protected health information. In other words, you can get around the requirement for device tracking by not storing any electronic protected health information directly on mobile devices, which you really shouldn't be doing anyway.

One of the easiest ways to accomplish this is to treat mobile devices as remote desktop clients. Rather than installing any software or storing any data directly on the mobile device, the mobile device instead establishes a remote desktop protocol (RDP) session with a computer on your network. That way, all of the electronic protected health information remains on a system which has been adequately secured and proven to be HIPAA compliant.

This technique works particularly well if your organization uses virtual desktop infrastructure (VDI). In a VDI environment, users can access their regular desktops directly through mobile devices.

Securing Mobile Devices

The other major requirement that must be addressed is device security. HIPAA requires various safeguards for any device that accesses electronic patient data, including disposal, backup, encryption and other policies. Because the mobile devices belong to the end users, you cannot assume anything about the device's overall security.

There are two main things that can be done to address HIPAA security requirements. First, make sure that users who are connecting mobile devices to your systems are not using single sign on. In the interest of security, users should be required to manually enter their full credential set each time that they connect to the organization's computers.

Another thing that you should do is take measures to encrypt the user's session. There are several ways in which this can be accomplished. The easiest method is probably to force mobile device users to attach to your network through a VPN.

If your organization has a wireless network, that network should be treated as an insecure medium. This means setting up a virtual private network (VPN) specifically for your wireless network as a way of guaranteeing that all wireless traffic is encrypted (beyond the hardware level encryption provided by Wi-Fi) and authenticated.

Allowing users to access health care systems through their personal wireless devices, while still maintaining HIPAA compliance, is a tall order. Even so, it is not impossible. Implementing a secure connective infrastructure and avoiding device level data storage can go a long way toward making mobile device access feasible.

Brien Posey is a freelance technical writer who has received Microsoft's MVP award six times for his work with Exchange Server, Windows Server, Internet Information Services and File Systems storage. Posey is a former CIO for a national chain of hospitals and health care companies. Write to him at editor@searchhealthit.com.



Chapter 3

Meeting Technical Requirements for Mobile Deployments

In recent years, mobile devices have gained mainstream acceptance. Almost everyone has a smartphone, and tablets are all the rage. It's only natural that the industry has begun to see rapid adoption of mobile devices in health care settings. By Brien Posey

Like PCs, mobile devices used in health care facilities must be deployed in a responsible manner in order to avoid accidentally introducing security vulnerabilities or putting the organization in a state that is not compliant with federal regulations. As such, deploying devices to support mobile health care services requires careful planning.

As an IT professional, one of your primary responsibilities is designing a mobile health care strategy, beginning with the mobile devices you want to allow to be used within the organization. Device selection should be based on your ability to secure the devices, and on how well the device interacts with your existing network infrastructure.

From a support perspective, it is better to keep the mobile devices as uniform as you can. Of course, manufacturers routinely discontinue mobile device models and release newer models, so it is unrealistic to expect to be able to keep your mobile device selection completely uniform.

Mobile Device Support Infrastructure

Because health care is a heavily regulated industry, you must ensure that your mobile health care strategy is aligned with your corporate security policy. This can be a big challenge when it comes to mobile devices. Your existing group policy settings will not apply to mobile devices because, in an Active Directory environment, group policies only apply to domain members. Although there are exceptions, mobile devices usually cannot be joined to a Windows domain.

In order to be a domain member, a machine must be running either a desktop (Windows 7) or a server (Windows Server 2008) version of Windows. Mobile operating systems do not meet this requirement and therefore cannot be joined to a domain. As such, group policies do not apply to mobile devices.

Some versions of Windows Mobile have a mechanism that allows the device to be enrolled in a domain. The enrollment process allows the device to participate in the domain on a limited basis without actually being a domain member. However, even if a device has been enrolled, it still cannot use the same group policy settings as a full-blown desktop or server operating system, because those settings were never designed to be used with mobile devices.

Even though existing group policy settings will not apply to mobile devices, there are other ways to manage the mobile devices that are used in your health care organization. However, you will have to base your mobile device management techniques on the makes and models of devices that you have chosen to support.

At the present time, there is no real industry-wide standard for managing devices specific to mobile health care implementations. As such, you will have to search for a mobile device management solution that works with your existing network infrastructure and with the mobile devices that you have chosen to allow on your network.

Using System Center Mobile Device Manager

The primary security mechanisms used in an Active Directory environment are group policy settings. If you are used to managing Windows environments, then you will be happy to know that Microsoft offers a product called System Center Mobile Device Manager, which will actually let you manage devices for mobile health care users through group policy settings. In addition to enforcing security on such devices, the software can also be used for initial device provisioning, and for deploying mobile applications.

Although System Center Mobile Device Manager works really well, it does have two major limitations. First, you can only use group policies to manage devices that can be enrolled in a Windows domain. To the best of my knowledge, the only mobile operating systems that fit this criterion are Windows Mobile 6.1 and Windows Mobile 6.5. Even Microsoft's latest Windows Mobile operating system, Windows Phone 7, does not include the required functionality.

The other limitation is that your existing group policy settings will not apply to mobile devices that have been enrolled in the domain. Instead, System Center Mobile Device Manager provides a completely separate set of group policy settings that are specifically designed for use with mobile devices. These settings are, however, accessible through the Group Policy Editor.

Using Exchange ActiveSync

As strange as it sounds, one of the best tools for managing mobile devices is Microsoft Exchange Server. In case you're not familiar with Exchange Server, it is Microsoft's enterprise email application. Exchange Server uses a protocol called Exchange ActiveSync to send email to mobile devices.

So what does this have to do with mobile device management? Well, Exchange ActiveSync is an industry standard. It is supported by Windows devices, but it is also supported by tablets and by non-Microsoft devices such as the iPhone or the Android phones.

Although the primary job of ActiveSync is to push messages to mobile devices, ActiveSync can also be used to provision and secure mobile devices. For example, you can use ActiveSync policies to require devices to adhere to a certain password policy or to disable certain mobile device features such as removable storage or the built-in camera.

Keep in mind, however, that even though the vast majority of tablets and smartphones support ActiveSync, not all of the ActiveSync policy settings are supported on every device. If you are considering ActiveSync as a mechanism for provisioning and securing mobile devices, then you will need to verify that the policy settings that you want to use will work with your chosen devices.

Using Proprietary Management Tools in Mobile Health Care Deployments

Even though Microsoft Exchange can be used as a cross-platform management tool for mobile devices in health care settings, it is no substitute for a mobile device management platform that is designed specifically for the mobile devices that you use.

That being the case, if you have made the decision to use only a specific type of mobile device, then see if the device manufacturer offers a management product for the devices. For example, BlackBerry offers a management product called BlackBerry Enterprise Server.

There are also a number of third-party products for managing mobile devices. Even so, every mobile operating system has different capabilities, so even if a product claims to offer cross-platform support, there is a good chance that some management capabilities will be omitted for some devices. Some software vendors have also been known to omit certain management capabilities from their wares just so that they can provide a consistent management experience. That's why you are best off using a device-specific management product if possible.

Mobile Devices Up the Security Ante in Health Care is a SearchHealthIT.com e-publication.

Jean DerGurahian, Editorial Director
Anne Steciw, Site Editor
Craig Byer, Assistant Site Editor
Don Fluckinger, Features Writer
Nari Kannan, Brien Posey, Contributing Writers
Linda Koury, Director of Online Design
Stephanie Corby, Associate Publisher, scorby@techtarget.com

TechTarget
275 Grove Street, Newton, MA 02466
www.techtarget.com

© 2012 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.
