- BOSTON – A common theme throughout the HIMSS Privacy and Security Forum this week was acceptance of risk and how much is tolerable for a healthcare organization. The benefit versus risk debate becomes even more interesting when weighing an organization’s user needs against security threats as it decides whether it should allow BYOD.
From policy considerations to technology decisions, BYOD remains an important issue in healthcare. Speakers who took part in the Balance User Demands and Your Organization’s Risk Tolerance discussion went into detail regarding their BYOD strategies and how they have evolved over time.
Jason Zellmer, Executive Director of Technology Risk Management at Kaiser Permanente, laid out the core principles to Kaiser’s pilot BYOD strategy that it’s developing with its HR department. Zellmer’s points were interesting in that Kaiser previously didn’t allowed BYOD at all and is now looking into potential benefits and risks of allowing these devices. Zellmer and Kaiser are looking at the policy for how it would [allow BYOD], because that’s the trend Zellmer is seeing. He said that about 80-90 percent of organizations say they have some type of personally owned devices, whether it’s phones, tablets or PCs, on their networks and the organization has shifted its thinking from “no” to BYOD to what are they going to allow?
We took a step back and looked at the use cases that our users are demanding. One is email and calendar, which is pretty straightforward. But then people also wanted applications that have access to our EHR and claims systems, which obviously present different risk profiles for our company. So we started to understand what clinicians wanted to use the devices for, what the risks are, and the line we need to draw as an organization to move forward. We drafted a policy that [indicated] which data is allowed on the device, which data isn’t, and the safeguards that need to be in place.
Michael Boyd, Chief Information Security Officer (CISO) at Providence Health & Services, has had a similar BYOD experience to Zellmer in that the policy lies somewhere between those organizations that don’t allow any BYOD and those that allow everything.
We have set a firm baseline that said if the device data or the device can’t be encrypted, you can’t connect. From a device synchronization perspective, there were some older personally owned devices that we said no to because they couldn’t be encrypted. But in the intervening five years, the landscape has changed astronomically. Our view now is that we prefer if you’re not going to use one of our devices, you connect [with your device] via a virtualized application or virtualized desktop. That way, we handle all of the data remnants and encryption, which vastly reduces the data footprint that’s outside of the perimeter.
When developing BYOD policy, Boyd said it’s critical to pick a spot somewhere along the spectrum of risk and, like Zellmer, to focus on use cases. Providence doesn’t really distinguish personally owned from corporate devices in terms of those minimum control requirements, just how it delivers them.
Protecting the data with mobile device management
Many have said that mobile device management (MDM) really isn’t cutting it, but some have said it’s at least a starting point. Zellmer and Boyd discussed their MDM philosophies and technologies currently in place.
“We’re using a mix. We have the native Microsoft Exchange ActiveSync for BYOD Exchange-only connectivity and we’re using Citrix XenMobile for corporate-liable devices and piloting true BYOD devices on there as well,” Boyd said. “Additionally, we’re using the native application management features with our EHR vendor.”
Zellmer reminded the audience that Kaiser is only piloting BYOD and don’t have any tools yet for personal devices, but it will use a tiered strategy.
I think MDM tools are very good for knowing that a device is centrally managed and encrypted and that you’re not letting it into your services unless the devices is registered. But then when start to go further down those complicated use cases where a lot of sensitive data is being accessed, that’s where we’re looking at application security layers. This includes containers or just using a virtual view onto the network without any data being stored on the device.