HIT Security Hinges on Mobile Device Management

By smace@healthleadersmedia.com | June 19, 2012

One of the biggest technology trends hitting healthcare this year, mobile computing, poses one of the biggest security threats to healthcare that will last for many years to come.

Just last week, my first magazine feature story for HealthLeaders explored the surge in Bring-Your-Own-Device (BYOD) behavior in healthcare. As I researched the story, I became aware of efforts to improve mobile security being led by the Healthcare Information and Management Systems Society (HIMSS).

James Brady, PhD, is chair of HIMSS's mobile security workgroup. Brady's day job is chief information security officer and director of technical services at Hawaii Health Systems Corporation in Honolulu. HHSC operates 1,275 licensed beds across five islands in the state of Hawaii, so Brady certainly has a vested interest in getting mobile security right.

The group is most concerned with getting it right on tablets, smartphones, and laptops. That's not to say that security on other medical devices isn't of growing importance. It's just not the focus of the HIMSS group for now, and certainly there are efforts underway elsewhere in industry for those other devices.

Over the past 12 months, the HIMSS mobile security workgroup has been busy. In 2011, it produced a mobile security toolkit to provide guidance to healthcare organizations and IT departments.

The toolkit looks at legal and regulatory aspects of mobile security in healthcare, and also includes links to a Veterans Administration case study and guidance from Forrester Research, BankInfoSecurity, and others.

Now the workgroup is creating additional resources to reflect how users access content such as videos and podcasts from their mobile devices, Brady says. The goal is to provide more examples of policies currently in use, in some cases taking policies from health systems and anonymizing them, if that makes the health system in question more comfortable about sharing its best practices.

The biggest challenge the HIMSS committee has to wrestle with is how to deal with devices not owned by the healthcare systems, but brought to work by employees.

"Usually most organizations won't allow the iPad on the network unless it's owned by the organization, then they can have some control over the App Store and iTunes," Brady says. "I know that's an issue at my organization."

My story pointed out the increasing use of virtualized desktops to permit the use of BYOD iPads, but for Brady and others, this alternative isn't a slam-dunk, at least not yet. "Something needs to be in place to verify the end points will not incur risk to the network," he says.

Still, the group feels nothing can stop the trend of consumerization, in which consumers' device preferences challenge businesses to adopt and accept them. It will keep going, so "organizations have to find a way to adapt to it and how to best address it," Brady says.

Today, too much of the educational material about these issues is vendor-specific, says Brady. The HIMSS workgroup aims to change that, as do I, through my story and columns such as this.

"The question is just how do you make that transition if you're a really large distributed organization?" Brady asks. "How do you get from point A, which is you don't have the virtual infrastructure to B where you have it, it's working and you're able to actually offer it to everybody?"

A phrase that came up several times in my research was data loss prevention, or DLP for short. DLP analyzes traffic on networks and detects in real time if personal health information or other sensitive or regulated information is leaving a network unexpectedly.

The HIMSS workgroup is talking about DLP and how healthcare organizations can employ this emerging technology to better manage BYOD and other mobile security threats, Brady says.

Then there's managing the mobile devices that the healthcare systems themselves are buying for their employees, both for their utility and to keep employee satisfaction high.

"You can't give somebody an iPhone or an iPad and then tell them they can't install anything," Brady says. "Everybody up to and at the management level [would] riot and revolt. They won't accept that."

Until 4 months ago, Hawaii Health itself was a BlackBerry-only shop, but now that it is implementing the Siemens Soarian electronic medical records system, the organization has come up with its own policy to permit Android and iOS devices as well, Brady says.

Research in Motion, maker of the BlackBerry, traditionally has been strong in the mobile device management space. A lost or stolen BlackBerry quickly becomes useless to someone seeking to compromise the data on that device, due to the ability to remotely wipe the device. On the Android and iOS platforms, tools from Good Technology are performing that security duty, Brady says.

But mobile devices are made up of many parts, and if just one of them is out of whack, the efforts of health IT managers can be stymied. All mobile carriers permit installation of the Good Technology mobile device management software, except one: Verizon.

"Verizon for some odd reason wants you to have a certain plan and it's usually not a good plan, so there [have been] some problems," Brady says.

That "certain plan" would be a business plan, and BYODers would much prefer a Verizon phone with a consumer plan.

Brady does believe that the cost of the mobile device management app will end up being picked up by the healthcare organization, whether or not the device is BYOD. It's work related, so why wouldn't the business pay?

These issues and others will continue to bedevil CIOs at healthcare organizations. If you are interested in helping HIMSS hammer out policies and best practices, I'm sure the group would welcome your help.

Scott Mace is the former senior technology editor for HealthLeaders Media. He is now the senior editor, custom content at H3.Group.
