Real-world BYOD security

BYOD security strategies from two distinct healthcare organizations.

Whether your facility has a formal "bring your own device" (BYOD) policy or not, chances are good that personal devices are operating on your site. This fact is a critical consideration given that to be compliant with the Health Insurance Portability and Accountability Act (HIPAA), healthcare organizations must create policies and processes that take on managing, classifying and maintaining real-time knowledge of all network activity, regardless of whether the activity is conducted on company or personal devices. These sets of tasks can be herculean efforts even for facilities with a large IT staff and robust technology options.

Below are the profiles of two healthcare organizations currently employing BYOD in secure and efficient environments. They each represent the opposite ends of the spectrum in terms of size and types of BYOD use, however, upon close examination, they possess common points that reveal core strategies that all facilities may employ when trying to establish and maintain a secure, user-friendly outside device policy.

Benson Hospital: Automation for a two-man IT operation

Located about 45 miles east-southeast of Tucson, AZ, Benson Hospital is a general medical and surgical hospital with 22 beds and 125 employees. Even though the size of his hospital may suggest that BYOD is not a dominant factor within his planning, the hospital's CIO, Rob Roberts, has known for some time that he had to prepare the facility to accommodate outside devices.

"We started looking at BYOD about three years ago. We had a lot of people bringing in mobile devices and, actually, our CEO came in with his iPad one day and asked to be hooked up to our network. That was kind of the writing on the wall for us," says Roberts. "We knew we were going to have to have some type of policy and process in place for allowing outside devices on our systems. We needed to decide whether or not some devices would access patient health information and then how to make them secure and keep HIPAA compliance."

Many facilities have turned to virtual desktops to meet the need of BYOD and HIPAA demands. Roberts feels such a strategy is not a good fit for Benson Hospital.

"We looked at virtual desktops," says Roberts. "For small facilities like ours, however, it's kind of a tradeoff right now, as far as cost and the resource allotment that we would need. We're talking about less than 10 users that are actively using remote-type services outside of the facility, or coming in and out with devices. A lot of the strategies like virtual desktops that make sense for a bigger facility will make sense for us, at some point in the future, when the costs come down and the management of those types of services is within the grasp of our two-person IT department."

Rather than trying to leverage a cumbersome set of systems, Roberts sought the help of PFU, a Fujitsu company. He knew they had a line of products called iNetSec Inspec- tion Center and iNetSec Smart Finder that is designed to assist in detecting, identifying and authenticating devices on a network, but he, admittedly, had his initial doubts.

"To be honest with you," says Roberts, "I really didn't think they would fit with what we were doing, because we are not too concerned with outside devices being on our guest network. But I decided to beta test the devices to see what they could do."

One of the first moves Roberts made using the iNetSec products was to classify and label each hospital device with specific risk assessments attached. He also decided to create a very restrictive policy relative to who can bring their own device and what network those devices can access.

Roberts says, "I know in a lot of healthcare facilities, they have their BYOD on their production network. We don't do that. Other facilities have physicians bringing in their tablets and other personal devices, and they run clinical software on those devices. We don't allow that here. We have only a few physicians bring in their own tablets, and they access clinical applications through a remote portal. By doing this, we do not have to actively monitor those devices at the level of detail that a lot of the other facilities may. The Fujitsu products give us that much-needed freedom."

Roberts can now identify, monitor and prevent potential threats that are introduced from internal and external devices without causing problems for his end-users and extra IT work.

"The PFU products instantly classify our existing, as well as any new, devices to our network by what type they are, like a computer, printer, tablet, etc. We are able to build in rules in the products that say, 'Okay, if it's a printer, we'll automatically approve that device.' A printer is okay, it does not have to have a manual intervention. But if it's a Windows device, or a Mac device, it has to have a manual approve process. In these instances, we get notified via email that there's a new device detected, and it is a such-and-such model. Then we can manually approve this device and say, 'This device is okay.'"

Typically, there are no surprises for Roberts when going through this process, because most devices detected are owned by the hospital. However, if there is a device that gets noticed by the iNetSec products and Roberts cannot recognize it as being deployed by his staff, he can then take a further look at that foreign device to determine its model and the type of work the end-user is trying to accomplish.

"For instance," says Roberts, "if someone is trying to plug a computer into an open Ethernet port, we will know about that immediately and we can take appropriate action."

Another activity the iNetSec products allow is an appraisal of the total amount of data that is transferred for each application.

"That's pretty useful," says Roberts. "We pull a report once a week to take a look at where our bandwidth is going and what data is going out as far as applications, and whether it's a concern or not. If we have a lot of usage of a certain app - specifically from the guest access portal - we look for certain things, and Fujitsu uses a risk-level rating scale for each application. The products rate these different apps, so we can quickly take a look and see if there is something we might need to be concerned about. If we are seeing a lot of traffic, we can deal with that appropriately. We can block it or take a closer look and see why those particular apps are being used in our facility. Over the last couple of months, we found quite a few P2P apps that were problematic that I did not realize were being used in the facility on the guest side. With the new information in hand, we were able to take the appropriate actions."

While the journey has not been without its perils, Roberts believes his facility has found the answer to its BYOD concerns with the iNetSec suite of products.

"The devices are very user-friendly. They are very 'fire and forget.' That level of ease is important to us, because we really don't have the resources of many other facilities. We had to find a solution that made our end users happy and enabled my tech and me to concentrate on our work rather than taking extra time for special training or to spend hours and hours looking through history logs. Most importantly, we are confident that our network is secure regardless of the devices that come on our site," Roberts says.

Healthmaster: Taking it to another level

When compared to Benson Hospital and its BYOD practices, Healthmaster, a provider of digital solutions for school health offices, in is monolithic in stature.

Based in Walled Lake, MI, Healthmaster is responsible for maintaining the medical records for 100 to 125 K-12 school districts in 16 countries, encompassing more than 1,500 users possessing approximately 350 different device models.

Steven McGovern, Director of Technology, has the responsibility of ensuring that each end point can receive and transmit its medical records from the Healthmaster network in an efficient and secure fashion. While BYOD may be an emerging issue in healthcare, it has been present in education for nearly two decades.

"When we started, laptops were just becoming adopted in academics. Wi-Fi was just coming about, and we were really running on a desktop-by-desktop basis," McGovern says. "As the Internet grew, we really wanted to be proactive. We knew that 'bring your own device' would be a growing issue because we knew that as technology miniaturized, it would start to flourish into branches that we could not even imagine at the time. While we were on the right track, we had not really envisioned what technology would become with the smartphones, iPads, iPhones and all the other mobile devices available today."

With the continual changes in the types of users and the overall IT landscape, McGovern has had to remain vigilant in his search to create a secure and efficient network at Healthmaster. In addition to being mindful of the HIPAA compliance standards that healthcare facilities must abide, McGovern and his staff also adhere to the standards of the Family Education Rights Privacy Act (FERPA). While FERPA governs education records in a school environment, medical records are considered to be a part of a student's education record as well.

"What that really means," says McGovern, "is that a student's education record cannot be dispersed or viewed or accessed by anybody who is not considered a 'officer' or an authorized person of the school district. On top ofthat, FERPA actually takes it a step further than HIPAA and it requires that we track every view, every instance, every update, every look, every delete of the student's record. We not only have to track what was changed in a student's record, we have to track who even looked at it - who glanced at the record but did not even make a modification, who might have made a modification and so on. Our level of security has to be a step beyond encryption, and we must demonstrate an actual awareness within the application on what's going on. So literally, with our records, we can go back and view a login into our system and we know, second by second, everything a user was doing in the app the entire time he or she was logged in."

While this level of audit was only possible due to the development staff at Healthmaster, it took an outside vendor, Ericom, to provide the appropriate interface.

"We built that level of audit into our own systems," says McGovern, "and by building it with the idea we were going to integrate BYOD platforms, Ericom allowed us to provide our application to any device, regardless of what platform it is on. We didn't have to worry about an iOS way of doing security or an Android way of doing security or an Internet Explorer, Chrome, Safari or Mac way of doing security."

Ericom's browser-based client provided Healthmaster with the safe environment for its users to retrieve their medical records regardless of the device or the platform they use.

"We have school districts on the west coast in Oregon who predominantly only use Chromebooks that present their own unique challenges. We have other school districts who have iPads and iPhones and Galaxy tablets and generic Android tablets, PC desktops from Windows XP up to Windows 8.1 plus experimental, all that from Microsoft. We are spread across a spectrum. We have some people who are using Microsoft's mobile platforms and thin clients."

Ericom gives Healthmaster not only the flexibility to engage a variety of platforms, it also enables McGovern to manage how devices may, or may not, establish a connection with his company's network.

"We can deploy applications out on a by-user basis or by a customer group basis or by a device basis. Frankly, we can even shut out device types if we're not comfortable with the technology that they run on," McGovern says.

Conclusions

With limited resources, but an every-growing number of possible end points congregating on a facility's network, organizations must constantly appraise their IT environments to ensure HIPAA compliance. In terms of BYOD security, many healthcare CIOs would be wise to contemplate the need for the automated device identification practiced at Benson Hospital or the level of platform flexibility Healtmaster possesses. By engaging in this effort to develop a true, yet evolving picture of their needs and limitations, Benson Hospital and Healthmaster have not only created their own secure BYOD policies and processes, but they have provided outside organizations with invaluable insights into possible paths toward their own HIPAA compliance as well. HMT

By Jason Free, Features Editor