Imprivata’s David Ting talks about the basics of effective BYOD for healthcare organizations that want to establish mobile security successfully.
Today, mobile technologies are changing the way we work and play. No doubt, there are benefits to tapping into the multi-screen world, but if you’re considering enacting bring your own device (BYOD) practices in your health organization, Imprivata’s David Ting warns not to enter the endeavor lightly. All that glitters (or glows) from tablets and touch screens is not gold.
“There’s no question that mobile is a convenient, efficient means of sharing information, particularly for an industry like healthcare where every second counts,” said Ting, CTO and co-founder of the healthcare IT security company based in Lexington, MA. “However, healthcare faces unique BYOD challenges because of privacy and security regulations, so it is important for CIOs to understand the risks and approach the problem with the right mindset.”
According to a report published by Ponemon Institute and Health Information Trust Alliance, 94 percent of health organizations surveyed (80 in total) had experienced at least one data breach in the last two years. The survey also estimated that US health organizations lose $6.78 billion annually due to lost or stolen data, which is not exactly ideal for an industry where patient privacy and HIPAA compliance are paramount.
Those findings suggest that healthcare organizations need to pay closer attention to their BYOD efforts to avoid such data dilemmas. According to Ting, you first have to firmly decide whether you’re for or against BYOD altogether. When it comes to BYOD, there’s a lot to consider and little room for ambiguity.
Of course, some organizations don’t want to enact BYOD policies because there are too many devices or device types to support. Larger mobile devices like iPads may call for even greater system requirements, and there are infrastructure issues to deal with. “Do you have the Wi-Fi coverage or will this put added burden on your network? It’s important to think about these questions because BYOD does create challenges not only for the IT organization in setting up the security, but also can be a nightmare for desktop support,” said Ting.
Those wanting to stave off enacting BYOD can buy themselves some time by being vocal about such concerns. Still, mobile device use isn’t going away. According to Allied Health World, there are more than 40,000 mobile health apps on the market for smartphones and tablets today. Although not all of those apps are primed for physician use, there are many that are catching the eyes of those on call.
Thus, BYOD may be an inevitable reality for many health organizations, unless of course they prefer the more costly alternative of deploying pre-authorized internal devices, which defeats the purpose of BYOD. However, with the right tools and techniques, health organizations can enact BYOD practices effectively. Here’s a look at what Ting considers to be the basics of effective BYOD enactment:
While policy is often deemed the guiding doctrine to any sound BYOD effort, Ting says that there may be something even more powerful to draw from when enacting BYOD—like a proactive, precautionary perspective.
“Any time you bring a new device into your system, think of it as already compromised,” he said. “It’s a device you have no control over that has been used as a personal device rather than a professional instrument. It could have malware on it. It may have none, but the weakest link is where your breach is going to be, so it’s imperative to begin your BYOD plan with that assumption.”
Starting with that point of view can help you efficiently evaluate the risks of having an “unclean machine” on your network. From there, you need to investigate what your clinicians really need on their mobile devices, and whether that requires unilateral or bidirectional access.
Once you get a handle on what type of access you need, you can start building the infrastructure to support that access, be it through a browser, a hosted desktop, or a hosted application. It’s best to do your homework on what works best for your organization, because your selections have huge implications for how your system can be secured, how much data can be stored locally, and what happens to a device that falls into the wrong hands. “Again, it’s about building the surface area you need, and then, working back to safeguard that surface area from being compromised,” said Ting.
Addressing the security issues associated with BYOD may seem daunting. However, Ting said that ensuring you have the right technical safeguards is no different from establishing remote access for your IT system. “It’s a remote access issue, so treat it that way,” he said. “How do I guarantee the integrity of the endpoint? Today, you have to enforce endpoint security. You want to make sure your endpoint is secure and has the means to authenticate the user.”
It sounds like a tall task, but Ting said there are tools that can help you maintain the integrity of those endpoints efficiently, such as Imprivata’s OneSign Anywhere. The solution provides strong authentication and application single sign-on (SSO) for unmanaged devices, whether at remote locations or within an organization. The product works similarly to Imprivata’s OneSign platform for desktop systems.
OneSign Anywhere was specifically designed for remote access, however. The solution allows you to control the internal applications you want to expose by providing granular access. “It’s a selective way to reduce the surface area of all your internal applications to one or two, and to have it managed securely,” Ting said. “It’s also nice and easy to support; there’s no software at the endpoint, and it eliminates password headaches.”
Regardless of how you choose to protect your endpoints, Ting said that’s where the solution to effective BYOD security lies. “Reducing the exposure for being compromised is priority number one, because it will happen. The question is—will you be ready when it does?”
It’s not surprising that transparency of your security efforts is important. But Ting brings it up not as a reminder about the importance of policy or practice, but as a warning not to rely on it. “Transparency is extremely important, but you can achieve it by having the right tools to support your BYOD efforts. Tools like OneSign Anywhere don’t require the user to understand the safeguards that are in place. Their goal is to get their jobs done. The definition of bad security is when everything is left up to the user to secure.”
Ting certainly gives us plenty of food for thought as far as BYOD is concerned. A great deal of effort and investment is involved in any BYOD endeavor, no doubt, and it’s still a fairly new practice. Perhaps technology needs to evolve a bit more before hesitant health organizations warm up to the idea, or, as Ting suggests, perhaps it’s the thinking behind BYOD that needs to evolve.
“You won’t be able to anticipate every obstacle that stands in your way, but changing the way you think about the problem to assuming your devices are already compromised is one of the best defensive mechanisms you can employ.”