Mobile Device Security
Bring Your Own Device (BYOD)
As demand for smartphones and tablets has increased, the consumer and business mobile device markets have converged into one market. Today, a device used in business looks very similar to a device used by a consumer, and the computing power in a mainstream consumer smartphone or tablet is more than sufficient for the needs of a business user. The convergence of personal and business technology needs has given rise to Bring Your Own Device (BYOD) programs in government agencies and private entities. Many companies that have adopted BYOD solutions report that allowing employees to use their personal mobile devices to access company resources often results in increased employee productivity and job satisfaction. By embracing BYOD, employers can address the personal preferences of their employees, offering them increased mobility and better integration of their personal and work lives. It also gives employees the flexibility to work in a way that optimizes their productivity.
But there are risks to relying on employee devices to meet business needs:
Security Risks
- Devices must be configured and managed with information assurance controls commensurate with the sensitivity of the underlying data as part of an overall risk management framework.
- A myriad of security, policy, technical, and legal challenges, affecting not only internal communications but also relationships and trust with business and government partners.
- The sensitivity of the underlying data and the amount of processing and data storage allowed on the personal device based on the technical approach adopted.
- Consideration of the majority of contractors, interns, consultants and other workers not directly employed by the enterprise, who also use their personal devices.
- Corporate, infrastructure and software risks/costs of implementing a BYOD program
- A BYOD program typically requires security protections and delivery mechanisms
- Information security (operating system compromise due to malware, device misuse, and information spillover risks)
- Operations security (personal devices may divulge information about a user when conducting specific activities in certain environments)
- Information transmission security (mitigate interception)
- Federal Government standards for processing and storing information
- Assess data security with BYOD versus the devices being replaced
- Securely architect systems
- Privacy: Identify the right balance between personal privacy and organizational security
- Asset management: Disposal of device if replaced, lost, stolen, or sold, or employment is terminated (must remove government information before disposal)
It has been reported that the majority of consumers have adopted or are ready to adopt mobility to manage their health. Ultimately, empowering the enterprise will significantly enhance the provider/patient relationship and improve care, as both patients and providers are utilizing the same systems to access critical data.
Typical mobile devices like smartphones and tablets are driving communication and information sharing, including healthcare mobility. Healthcare providers in the United States continue to face more regulations and relentless pressure to provide higher quality and easily accessible care that also protects patients' privacy, keeping their information accurate and confidential.
Since the benefits from mobility in healthcare cross from provider to patient, and unlike mobility models in other industries, enterprise and end user needs are often the same, improvements to productivity and collaboration in the enterprise tend to result in improved safety and services for the patient.
Clearly, mobile devices will create new security challenges for healthcare facilities' IT professionals. With HIPAA policies in place and countless other regulations, security must literally be guaranteed. Companies that suffer data breaches risk huge fines. Specifically, some of the challenges include:
- Content management: A central data repository from where data gets pushed to mobile devices in a way that keeps the data protected, secure and encrypted at all times.
- Shared devices: Hospitals typically use shared devices to curb costs. These devices are not tied to individuals, but are rotated through the care staff. The right technology can enable a user to register to a specific device so all of the information they need (e-mails, apps, contacts, schedule) is synced to the device. Then, at the end of the day, they push a few buttons to wipe all of their information from the device.
- Secure Web Access: With increased interest in Accountable Care Organizations (ACO), hospitals need to collect survey information from patients, who may be asked to fill out the survey using an iPad. Secure web access is a must.
At Diligent eSecurity, we believe the best strategy to deal with the rise of BYOD and Health is to address it with a combination of policy, software, infrastructure controls and education in the near term, and with application management and appropriate cloud services in the longer term. Diligent eSecurity offers the following best practices services:
- Organization-specific BYOD policies; guidelines on who is eligible or not for the program
- New employee agreements for support, risk and responsibility
- Adjustments to service levels; service desk training
- Employee education and training
- IT publishing specifications on acceptable devices
- Continuous Monitoring