Real-world BYOD security
By Jason Free
BYOD security strategies from two distinct healthcare organizations.
Whether your facility has a formal "bring your own device" (BYOD) policy or not, chances are good that personal devices are operating on your site. This fact is a critical consideration because, to be compliant with the Health Insurance Portability and Accountability Act (HIPAA), healthcare organizations must create policies and processes that manage, classify and maintain real-time knowledge of all network activity, regardless of whether the activity is conducted on company or personal devices. These tasks can be herculean efforts even for facilities with a large IT staff and robust technology options.
Below are the profiles of two healthcare organizations currently employing BYOD in secure and efficient environments. They represent opposite ends of the spectrum in terms of size and types of BYOD use; upon close examination, however, they share common points that reveal core strategies any facility may employ when trying to establish and maintain a secure, user-friendly outside-device policy.
Located about 45 miles east-southeast of
"We started looking at BYOD about three years ago. We had a lot of people bringing in mobile devices and, actually, our CEO came in with his iPad one day and asked to be hooked up to our network. That was kind of the writing on the wall for us," says Roberts. "We knew we were going to have to have some type of policy and process in place for allowing outside devices on our systems. We needed to decide whether or not some devices would access patient health information and then how to make them secure and keep HIPAA compliance."
Many facilities have turned to virtual desktops to meet the need of BYOD and HIPAA demands. Roberts feels such a strategy is not a good fit for
"We looked at virtual desktops," says Roberts. "For small facilities like ours, however, it's kind of a tradeoff right now, as far as cost and the resource allotment that we would need. We're talking about less than 10 users that are actively using remote-type services outside of the facility, or coming in and out with devices. A lot of the strategies like virtual desktops that make sense for a bigger facility will make sense for us, at some point in the future, when the costs come down and the management of those types of services is within the grasp of our two-person IT department."
Rather than trying to leverage a cumbersome set of systems, Roberts sought the help of PFU, a
"To be honest with you," says Roberts, "I really didn't think they would fit with what we were doing, because we are not too concerned with outside devices being on our guest network. But I decided to beta test the devices to see what they could do."
One of the first moves Roberts made using the iNetSec products was to classify and label each hospital device with specific risk assessments attached. He also decided to create a very restrictive policy relative to who can bring their own device and what network those devices can access.
Roberts says, "I know in a lot of healthcare facilities, they have their BYOD on their production network. We don't do that. Other facilities have physicians bringing in their tablets and other personal devices, and they run clinical software on those devices. We don't allow that here. We have only a few physicians bring in their own tablets, and they access clinical applications through a remote portal. By doing this, we do not have to actively monitor those devices at the level of detail that a lot of the other facilities may. The
Roberts can now identify, monitor and prevent potential threats introduced by internal and external devices without creating problems for his end users or extra work for IT.
"The PFU products instantly classify our existing, as well as any new, devices to our network by what type they are, like a computer, printer, tablet, etc. We are able to build in rules in the products that say, 'Okay, if it's a printer, we'll automatically approve that device.' A printer is okay, it does not have to have a manual intervention. But if it's a Windows device, or a Mac device, it has to have a manual approve process. In these instances, we get notified via email that there's a new device detected, and it is a such-and-such model. Then we can manually approve this device and say, 'This device is okay.'"
Typically, there are no surprises for Roberts when going through this process, because most devices detected are owned by the hospital. However, if there is a device that gets noticed by the iNetSec products and Roberts cannot recognize it as being deployed by his staff, he can then take a further look at that foreign device to determine its model and the type of work the end-user is trying to accomplish.
"For instance," says Roberts, "if someone is trying to plug a computer into an open Ethernet port, we will know about that immediately and we can take appropriate action."
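The approval workflow described above (classify each newly seen device, wave printers through, hold Windows and Mac hosts for a manual decision, and take a closer look at anything not recognized as hospital-owned) can be modelled as a small rule engine. The following is an added example written for this article; it is not PFU's iNetSec code, and the asset register, MAC addresses and switch ports in it are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    AUTO_APPROVED = "auto-approved"
    PENDING_MANUAL = "held for manual approval"
    INVESTIGATE = "unrecognised device: investigate"


@dataclass(frozen=True)
class Device:
    mac: str            # hardware address reported by the discovery tool
    device_type: str    # classification such as "printer", "windows", "mac", "tablet"
    model: str
    switch_port: str    # where the device appeared, e.g. "sw1/12"


# Constructed sample register of hospital-owned equipment, keyed by MAC address.
# Assumption: a real deployment would query the hospital's asset database instead.
HOSPITAL_ASSETS = {
    "00:11:22:33:44:01": {"type": "printer", "owner": "radiology"},
    "00:11:22:33:44:02": {"type": "windows", "owner": "pharmacy"},
}

# Device classes that are approved without a person looking at them.
AUTO_APPROVE_TYPES = {"printer"}


def decide(device: Device, assets=HOSPITAL_ASSETS) -> Decision:
    """Apply the approval rules to one newly detected device."""
    if device.device_type in AUTO_APPROVE_TYPES:
        return Decision.AUTO_APPROVED
    known = assets.get(device.mac)
    # A MAC in the register whose classified type matches what was deployed is a
    # hospital machine: it still needs a person to approve it, but it is no surprise.
    if known is not None and known["type"] == device.device_type:
        return Decision.PENDING_MANUAL
    # Anything else (an unknown MAC, or a registered MAC that now reports a different
    # device type than the asset record) is the "foreign device" case and gets a closer look.
    return Decision.INVESTIGATE


def notification(device: Device, decision: Decision) -> str:
    """Text of the e-mail IT staff receive for anything that was not auto-approved."""
    return (f"[{decision.value}] new {device.device_type} device {device.model} "
            f"({device.mac}) seen on {device.switch_port}")


def triage(devices, assets=HOSPITAL_ASSETS):
    """Return {mac: decision} plus the list of notifications to send."""
    decisions, mails = {}, []
    for d in devices:
        decisions[d.mac] = decide(d, assets)
        if decisions[d.mac] is not Decision.AUTO_APPROVED:
            mails.append(notification(d, decisions[d.mac]))
    return decisions, mails


if __name__ == "__main__":
    # Constructed sample of one discovery sweep.
    sweep = [
        Device("00:11:22:33:44:01", "printer", "HP LaserJet", "sw1/12"),
        Device("00:11:22:33:44:02", "windows", "Dell OptiPlex", "sw1/13"),
        Device("aa:bb:cc:dd:ee:ff", "windows", "unknown laptop", "sw2/07"),
    ]
    for mail in triage(sweep)[1]:
        print(mail)
```

The mismatch check in `decide` is what turns the "someone plugged a computer into an open Ethernet port" case into an immediate notification rather than a silent pass: the port and the classified type travel with the alert, so the two-person IT department can go straight to the device.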
Another capability the iNetSec products provide is an appraisal of the total amount of data transferred by each application.
"That's pretty useful," says Roberts. "We pull a report once a week to take a look at where our bandwidth is going and what data is going out as far as applications, and whether it's a concern or not. If we have a lot of usage of a certain app - specifically from the guest access portal - we look for certain things, and
While the journey has not been without its perils, Roberts believes his facility has found the answer to its BYOD concerns with the iNetSec suite of products.
"The devices are very user-friendly. They are very 'fire and forget.' That level of ease is important to us, because we really don't have the resources of many other facilities. We had to find a solution that made our end users happy and enabled my tech and me to concentrate on our work rather than taking extra time for special training or to spend hours and hours looking through history logs. Most importantly, we are confident that our network is secure regardless of the devices that come on our site," Roberts says.
Healthmaster: Taking it to another level
When compared to
"When we started, laptops were just becoming adopted in academics. Wi-Fi was just coming about, and we were really running on a desktop-by-desktop basis," McGovern says. "As the Internet grew, we really wanted to be proactive. We knew that 'bring your own device' would be a growing issue because we knew that as technology miniaturized, it would start to flourish into branches that we could not even imagine at the time. While we were on the right track, we had not really envisioned what technology would become with the smartphones, iPads, iPhones and all the other mobile devices available today."
With the continual changes in the types of users and the overall IT landscape, McGovern has had to remain vigilant in his effort to create a secure and efficient network at Healthmaster. In addition to being mindful of the HIPAA compliance standards that healthcare facilities must abide by, McGovern and his staff also adhere to the standards of the Family Educational Rights and Privacy Act (FERPA). While FERPA governs education records in a school environment, medical records are considered part of a student's education record as well.
"What that really means," says McGovern, "is that a student's education record cannot be dispersed or viewed or accessed by anybody who is not considered an 'officer' or an authorized person of the school district. On top of that, FERPA actually takes it a step further than HIPAA and it requires that we track every view, every instance, every update, every look, every delete of the student's record. We not only have to track what was changed in a student's record, we have to track who even looked at it - who glanced at the record but did not even make a modification, who might have made a modification and so on. Our level of security has to be a step beyond encryption, and we must demonstrate an actual awareness within the application on what's going on. So literally, with our records, we can go back and view a login into our system and we know, second by second, everything a user was doing in the app the entire time he or she was logged in."
While this level of audit was only possible due to the development staff at Healthmaster, it took an outside vendor, Ericom, to provide the appropriate interface.
"We built that level of audit into our own systems," says McGovern, "and by building it with the idea we were going to integrate BYOD platforms, Ericom allowed us to provide our application to any device, regardless of what platform it is on. We didn't have to worry about an iOS way of doing security or an Android way of doing security or an Internet Explorer, Chrome, Safari or Mac way of doing security."
Ericom's browser-based client provided Healthmaster with the safe environment for its users to retrieve their medical records regardless of the device or the platform they use.
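The audit requirement McGovern describes (every view, update and delete of a record is logged with who did it and when, so that a whole login session can be replayed second by second) is the part Healthmaster built into its own application. The following is an added example of such an application-level trail; it is not Healthmaster's code, and the user names, session ids, record ids and timestamps are constructed. It goes one step beyond the description by hash-chaining the entries so that an altered or deleted entry is detectable when the trail is verified.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

VALID_ACTIONS = {"login", "view", "update", "delete", "logout"}


class AuditTrail:
    """Append-only access trail; each entry's hash covers the previous entry's hash."""

    GENESIS = "0" * 64

    def __init__(self):
        self._events = []

    @staticmethod
    def _digest(prev_hash, event):
        payload = json.dumps(event, sort_keys=True).encode()
        return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

    def record(self, at, user, session_id, action, record_id=None, changed_fields=()):
        """Log one action. Reads are logged exactly like writes: a view with no change
        still produces an entry, which is the FERPA point made in the article."""
        if action not in VALID_ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        event = {
            "at": at.isoformat(),
            "user": user,
            "session": session_id,
            "action": action,
            "record": record_id,
            "changed": sorted(changed_fields),
        }
        prev = self._events[-1]["hash"] if self._events else self.GENESIS
        self._events.append({**event, "hash": self._digest(prev, event)})
        return event

    def verify(self):
        """Recompute the chain; False if any entry was edited, removed or reordered."""
        prev = self.GENESIS
        for entry in self._events:
            event = {k: v for k, v in entry.items() if k != "hash"}
            if self._digest(prev, event) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def session_timeline(self, session_id):
        """Everything one login did, in the order it happened."""
        return [e for e in self._events if e["session"] == session_id]

    def who_accessed(self, record_id):
        """Every user who so much as looked at a record, modification or not."""
        return sorted({e["user"] for e in self._events if e["record"] == record_id})


def build_sample_trail():
    """Constructed sample: a nurse logs in, reads and updates one record, logs out;
    a second user only views the same record."""
    trail = AuditTrail()
    t0 = datetime(2014, 3, 3, 9, 0, 0, tzinfo=timezone.utc)
    trail.record(t0, "nurse1", "s-001", "login")
    trail.record(t0 + timedelta(seconds=5), "nurse1", "s-001", "view", "R-1001")
    trail.record(t0 + timedelta(seconds=30), "nurse1", "s-001", "update", "R-1001",
                 changed_fields=["immunizations"])
    trail.record(t0 + timedelta(seconds=45), "nurse1", "s-001", "logout")
    trail.record(t0 + timedelta(minutes=5), "jdoe", "s-002", "view", "R-1001")
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    for e in trail.session_timeline("s-001"):
        print(e["at"], e["user"], e["action"], e["record"], e["changed"])
    print("accessed R-1001:", trail.who_accessed("R-1001"))
    print("trail intact:", trail.verify())
```

Two design points matter here. First, the trail lives inside the application rather than in a database log, so it records a view even when no row changes, which is exactly the case McGovern says FERPA requires. Second, `verify()` gives the security team a way to show an auditor that the history they are replaying has not been altered since it was written.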
"We have school districts on the west coast in
Ericom not only gives Healthmaster the flexibility to engage a variety of platforms, it also enables McGovern to manage how devices may, or may not, establish a connection with his company's network.
"We can deploy applications out on a by-user basis or by a customer group basis or by a device basis. Frankly, we can even shut out device types if we're not comfortable with the technology that they run on," McGovern says.
With limited resources, but an ever-growing number of possible endpoints congregating on a facility's network, organizations must constantly appraise their IT environments to ensure HIPAA compliance. In terms of BYOD security, many healthcare CIOs would be wise to contemplate the need for the automated device identification practiced at
Copyright (c) 2014 NP Communications, LLC