Most healthcare CIOs will agree that mobile device security weighs heavily on their minds when analyzing 2013 initiatives. There is a multitude of dynamics at play, such as who is using the device, the level of access available to different types of staff, and the type of control the organization has over protected health information (PHI) on that device. Combined with the new HIPAA Data Breach Management rules and the constant flow of new healthcare security threats, deciding upon a mobile device strategy is certainly top of mind.
Ed Ricks, Vice President of Information Services and CIO at Beaufort Memorial Hospital, explained to HealthITSecurity.com that the organization allows BYOD but is still looking for the best way to manage it. Ricks and the IT staff can currently remove privileges and jam email, but he thinks their device management can be improved upon. At the moment, Beaufort uses Imprivata’s secure text messaging application for PHI transmission. It can manage the staff who use the texting application, so there is some oversight there, but other mobile functions such as email and access to EMR systems remain a gap for now.
So Ricks is on the lookout for the best secure mobile device management applications. He thinks that the device-agnostic VMware Horizon Mobile platform running on VMware infrastructure, which Beaufort is beta testing, may be at least part of the answer going forward. According to Ricks, this essentially gives you a secure virtual device on your smartphone that runs on your server farm (i.e. no data is stored on the phone), so that if a user cannot authenticate to it, they have no access to your corporate data.
The application basically splits the device into two phones: your personal device with all the apps you want, and an application that launches a virtual phone that would eventually tie into the hospital’s infrastructure, though right now it runs on the VMware server. When you run the VMware application, you publish the authenticated apps, such as Exchange services or access to the EMR, that you want people to be able to run in a secure environment. It is all encrypted and runs on the back-end servers, and nothing is stored on the device at all. Features such as print screen on the phone are disabled in this environment.
In many organizations, employees are forced to allow the IT staff a certain amount of access to their devices so that if a device is lost or breached, it can be remotely wiped. With the VMware View model, Ricks can instead just remove a user’s ability to authenticate to the virtual phone. While the technology is similar to what some security experts call a “sandbox”, Ricks said that what is unique about this approach is that it runs in a VMware environment, which many organizations already have set up. “So the credentialing piece is taken care of, it’s easy to publish apps to it and it’s a known entity,” Ricks said. “It’s not as invasive, just an app that can be removed.”
Ricks and Beaufort have yet to make a final decision on implementing the VMware product, but the big takeaway is how important walling off the data on a stable platform is to a CIO. The trick is to balance not being too invasive with device management while maintaining the integrity of the data, and the VMware product may hold up to that. But the key is finding the best fit for your organization. “There are apps like this out there already but we just don’t have any of them,” Ricks said. “We either haven’t been able to afford them or haven’t found the right one.”