One of the hottest topics among healthcare IT managers is BYOD (bring your own device) management. After a few iterations of solutions have already hit the market, the mobile security conversation has evolved from BYOD and IT consumerization to the broader question of data mobility. What does your healthcare organization really need to control? Does it make sense to manage the physical device, or only the workload being delivered to it? How can a healthcare organization securely deliver data and applications to devices it does not own?
These questions stem from one simple evolution in healthcare security and IT: managing physical devices has become far more demanding as the volume of data, the number of users and the number of devices have all grown. Building a secure solution starts with understanding the distinct security and management layers within the mobility and device-control environment.
Device-layer security: This is where mobile device management (MDM) solutions fit. For organizations that purchase, control and distribute their own mobile devices, MDM is the way to go. These solutions usually integrate both application and device security, but the goal is complete control over the hardware: knowing where the device is at all times, locking down the OS, and still letting the user work productively. MDM is widely deployed, and technologies from Cisco, AppSense and Citrix are helping organizations build solid device management platforms. Device-layer security means that tracking, full device wipes and automated processes are all under the healthcare organization's control. The device can also be kept compliant with a wide array of regulations. For example, if the device leaves a defined geographic region, it can be remotely instructed to lock.
Application-layer security: This type of technology is referred to as mobile application management (MAM). The idea is to logically separate the physical device from the applications being delivered to it. Newer security platforms let healthcare administrators create application-specific micro-VPNs (virtual private networks). This means the device does not need a device-wide VPN client to reach the corporate intranet; instead, the managed application authenticates and is granted access only to the internal resources it needs. In this scenario the user keeps their personal device rather than a corporate one. The key difference is that a client on the device separates, or "walls off," the user's personal information from the corporate data. These devices can still be tracked and controlled to an extent, and in some cases administrators can still perform a full device wipe. At a minimum, they can manage the corporate applications being delivered: removing, updating or otherwise controlling them (a selective wipe of the corporate container) without touching the user's personal data.
Data-layer security: The need to secure data is constant, and it holds especially true in healthcare. As an added layer in the security model, information delivered to endpoint devices through the cloud can now be secured and controlled. New file and data sharing solutions let healthcare organizations recreate Dropbox-like environments within their own data center walls, which means full control over the data: where it is delivered, who accesses it and how it is shared. These technologies also integrate directly with MDM and MAM solutions, so an organization can restrict the regions from which its information may be accessed while still synchronizing it across many dispersed users. In fact, data-layer integration now allows administrators to replace "My Documents" and home directories with these data-access platforms, so users always have their information available within their familiar desktop settings.
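The geographic restriction mentioned in both the device-layer and data-layer sections (lock a corporate device that leaves a region; deny access to managed data from an unapproved region) is a geofence check. The following is an added example, not code from the original article or from any MDM/MAM vendor, showing how one geofence evaluation can drive two different enforcement points depending on who owns the device. The campus coordinates, device reports, policy thresholds and all names are constructed for illustration; in a real deployment they would come from the management platform's own APIs.

```python
"""Geofence evaluation for device-layer and data-layer mobility controls.

Added example, not code from the original article or from any MDM/MAM vendor.
Region coordinates, device reports and policy thresholds are constructed for
illustration; a real deployment would take them from the management platform.
"""
from __future__ import annotations

import math
from dataclasses import dataclass
from enum import Enum

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Region:
    """A circular geofence: a permitted area around a facility."""
    name: str
    lat: float
    lon: float
    radius_km: float


@dataclass(frozen=True)
class DeviceReport:
    """The last location check-in from a managed device (constructed data)."""
    device_id: str
    lat: float
    lon: float
    corporate_owned: bool   # True: MDM-enrolled hardware; False: personal device, MAM container only
    location_age_s: int     # seconds since the fix was taken on the device


class Action(Enum):
    ALLOW = "allow"
    DENY_DATA = "deny_managed_data"   # data/application layer: block the managed apps and data only
    LOCK_DEVICE = "lock_device"       # device layer: remote lock of the whole device
    HOLD = "hold_stale_fix"           # no decision on a stale location report


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points, in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def inside_region(report: DeviceReport, region: Region) -> bool:
    """True when the reported position lies within the region's radius."""
    return haversine_km(report.lat, report.lon, region.lat, region.lon) <= region.radius_km


def evaluate(report: DeviceReport, allowed: list[Region], max_fix_age_s: int = 300) -> Action:
    """Map a location report onto a layer-appropriate action.

    A corporate (MDM-enrolled) device outside every permitted region is locked
    outright; a personal (MAM-only) device just loses access to the managed
    apps and data, leaving the owner's personal data untouched. A stale fix
    yields HOLD rather than a lockout, so a clinician is not cut off from a
    patient record because the last GPS fix is an hour old.
    """
    if report.location_age_s > max_fix_age_s:
        return Action.HOLD
    if any(inside_region(report, r) for r in allowed):
        return Action.ALLOW
    return Action.LOCK_DEVICE if report.corporate_owned else Action.DENY_DATA


# Constructed sample data: one hospital campus fence and four device check-ins.
CAMPUS = [Region("main-campus", 41.8781, -87.6298, radius_km=2.0)]
ON_CAMPUS_TABLET = DeviceReport("tab-001", 41.8850, -87.6200, corporate_owned=True, location_age_s=30)
OUT_OF_REGION_TABLET = DeviceReport("tab-002", 40.7128, -74.0060, corporate_owned=True, location_age_s=30)
OUT_OF_REGION_PHONE = DeviceReport("byod-003", 40.7128, -74.0060, corporate_owned=False, location_age_s=30)
STALE_PHONE = DeviceReport("byod-004", 40.7128, -74.0060, corporate_owned=False, location_age_s=3600)


def demo() -> dict[str, Action]:
    """Evaluate every sample report; returns device_id -> action."""
    reports = [ON_CAMPUS_TABLET, OUT_OF_REGION_TABLET, OUT_OF_REGION_PHONE, STALE_PHONE]
    return {r.device_id: evaluate(r, CAMPUS) for r in reports}


if __name__ == "__main__":
    for device_id, action in demo().items():
        print(f"{device_id}: {action.value}")
```

Two design points are worth noting. The ownership flag is what separates the device layer from the application and data layer: the same out-of-region condition produces a full remote lock for corporate hardware but only a managed-data denial for a personal device, which is the "walled off" behaviour the MAM section describes. And because the position is self-reported by the device agent, a geofence like this is a management and compliance control rather than a hard security boundary; treating stale fixes as a hold rather than a lockout keeps the control from becoming an availability problem for clinical staff.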
User-layer security: Technology for controlling the user layer has progressed quite a bit. Administrators can now secure the end user by abstracting the settings and profile layer, so that settings, personalization elements and other user-related data can be delivered to any device on any operating system (OS). The user's settings are placed into a container that carries over across platforms, which means working with different versions of software, or even different OSes, is no longer an issue. Profile bloat, corruption and the security problems that come with them are largely eliminated because the standard profile mechanisms are no longer used. Instead of relying on the operating system's native profile handling (Windows roaming profiles, for example) to manage profiles and user settings, the job is transferred to a replicated and secured database.
More users are going to ask to take part in BYOD programs, and not because the current environment is in any way deficient. It is a matter of mobility and ease of use: if a user can be more productive by accessing information from their own device while on the move, why wouldn't an organization provide that service? The challenge has always been security and management. Now, with improved logical controls and data segregation technologies, mobility and consumerization solutions are not only affordable, they can also scale and give the end user far more flexibility.
Bill Kleyman, MBA, MISM, has extensive experience in network infrastructure management. He has served as a technology consultant and taken part in large virtualization deployments while being involved in business network design and implementation. He is currently the Virtualization Architect at MTM Technologies Inc.; his prior work includes serving as Director of Technology at World Wide Fittings Inc.