Here is latest installment from the HIMSS Privacy and Security Committee…called PSST! Keep reading to learn more about the column and this month’s topic – Privacy and Security in a Mobile World, from Jason Zellmer, Director – Information Security, Kaiser Permanente and HIMSS P&S Committee Member.
by Jason Zellmer, HIMSS Privacy & Security Committee Member
Mobile platforms are increasingly expanding into everything we do. Recent market analysis shows that around half of US adults own a smartphone, and about 20% own a tablet. As users adopt their daily routines to these devices, they also expect the same conveniences in their work environment.
Healthcare is no exception, and mobility fits the care delivery model well. Care providers are constantly on the move, from room to room, building to building, or even home to home. The efficiencies are easy to imagine, but what about the risks? Many healthcare data breaches are due to lost or stolen laptops, what happens when that data resides or is accessible on an even smaller (and easier to lose or steal) device?
In this post, we will explore some of the macro level concerns to get you thinking about how to identify and address privacy and security concerns in your mobile use cases. In addition, there are a number of great resources to go more in-depth, including the HIMSS Mobile Security Toolkit, the mHIMSS Privacy and Security Page, and a couple of key conferences coming up in December (the mHealth Summit, and the Privacy and Security Forum).
When considering the security of a mobile device, it really is not much different from that of a laptop, a portable device with access to your network and data. However, a recent article on mHIMSS points out that although 90% of companies are allowing some sort of mobile access, only 32% are taking steps to secure the devices (compared to 82% having security applied to laptops).
So, where does one start to secure them?
There are three main areas to consider:
- Managing the device,
- Managing the data, and
- Defining the use cases your company will support.
Mobile Device Management (or MDM), has come a long way in the past few years. These technologies allow you to enforce security policies on the devices, such as screen lock time-outs, password settings, and issue a remote data wipe command, if the device is lost. These tools and settings help reduce the risk of a lost or stolen device being accessed. Additional policies, such as requiring the device storage to be encrypted, can help ensure even if a device goes missing, your data is still safe.
Managing the data on the device has a few more options.
First, the best option is to keep your sensitive corporate data off the device completely. This can be accomplished by use of mobile apps that do not store data locally, but rather, always pull it from an internet location when launched. However, this has drawbacks; namely, it only works with a good internet connection.
Also, the speed and performance of these apps or mobile websites are not as efficient as those on the device. If an app is going to store data locally, there are a few common approaches.
The most secure is a “container,” where the data is part of the application. “Good” is a popular tool for email and calendar that takes this approach. Good also demonstrates the drawbacks of this approach. For instance, if you try to open an attachment, it can only open in the Good view, and you cannot use other tools to modify the documents.
That brings the last option, which is storing data on the device. This is the least secure, but performance or other reasons may make it the best choice. In all cases, encryption of corporate data should be mandatory.
I have highlighted a few areas on how to approach managing mobile devices and data, but how do you know what approach to use and when?
This is where defining your use cases is a critical component. Common use cases include:
- network and fileshare access; and
- access to company applications.
Each of these raises the bar on the type of data the device may have access to. In the case of providing care, the company application may very well be your EHR system, making the loss of the device a reportable event, if controls are not applied.
In addition to the technical use cases, there are procedural issues that should also be considered with HR and Legal. Some examples are:
- appropriate use of corporate devices;
- mobile usage agreements (There are cases of employees suing for overtime, because they said they were expected to check email off hours.); and
- reimbursement for data plans.
If you put some basic policies in place, and carefully think through your use cases and the data, mobile platforms can be a win for both productivity and security.
I hope this helps get you started down that path. We also hope you found this month’s topic for PSST! to be encouraging in the important work that you do. Please share these thoughts with others and leave us a comment here on the HIMSS Blog.
Have an idea for a future “PSST!?” Contact Lisa Gallagher, senior director, privacy and security at HIMSS, firstname.lastname@example.org.