It's About the Data, Stupid: Mobile Security and BYOD for Healthcare
0 likes1,109 views
This document summarizes a presentation on enterprise mobility and mobile security. It discusses the goals of enterprise mobility such as increasing productivity and reducing risk. It covers topics like mobile device encryption, access control, mobile device management technologies, and unexpected expenses of data protection. The presentation emphasizes that mobility is about managing data, not just the devices, and discusses privacy and security risks, best practices, and the need for a governance, risk and compliance framework when adopting mobile solutions.
It's About the Data, Stupid: Mobile Security and BYOD for Healthcare
- 1. It's About the Data, Stupid! Real World Mobile Security www.onlinetech.com Copyright 2012 Online Tech. All rights reserved. CONFIDENTIAL 734.213.2020
- 2. Speakers Marie-Michelle Strah, Ph.D., Founder of Phydian Systems Marie-Michelle Strah, Ph.D., is a healthcare enterprise architect in the Washington D.C. area specializing in strategy, information architecture, information security and data architecture for federal and commercial clients. She is the founder of Phydian Systems LLC and an adjunct professor of Healthcare Information Technology at Catholic University of America. She brings more than 15 years of experience in enterprise architecture, healthcare, information technology management, and research and development internationally. April Sage, Marketing Director, Online Tech April Sage has been involved in the IT industry for over two decades, starting in the pre- Windows era as the founder of an IT school teaching DOS, WordPerfect, and FoxPro. In the early 2000s, April founded a bioinformatics company that supported biotech, pharma, and bioinformatic companies in the development of research portals, drug discovery search engines, and other software systems. Since then, April has been involved in the development and implementation of online business plans and marketing strategies across insurance, legal, entertainment, and retail industries until her current position as Marketing Director of Online Tech. www.onlinetech.com Copyright 2012 Online Tech. All rights reserved. CONFIDENTIAL 734.213.2020
- 3. GOALS OF ENTERPRISE MOBILITY • Building productivity • Reducing risk • Mobile device encryption • Access control • Policy vs. technical controls • MDM technologies – maturity? • Unexpected expenses of data protection Source: http://www.readwriteweb.com/enterprise/2011/03/consumerization-of-it-95-of-in.php 10/2/2012 All content (c) 2012 Phydian Systems LLC. All rights reserved. 3
- 4. 10/2/2012 Enterprise Mobility and Consumerization of IT CONCEPTUALIZING “MOBILE HEALTH” All content (c) 2012 Phydian Systems LLC. All rights reserved. 4
- 5. 10/2/2012 It’s NOT about the device… TWEETING ENTERPRISE MOBILITY All content (c) 2012 Phydian Systems LLC. All rights reserved. 5
- 6. 10/2/2012 mHealth: Mobile is enabler… CONCEPTUALIZING “MOBILE HEALTH” Mobile is enabler… • Patients • Providers • “Wellness lifecycle” • Productivity From “there’s an app for that” to enterprise information management lifecycle • Content delivery • Cloud and thin client Source: http://healthpopuli.com/2011/02/15/success-factor-for- mobile-health-mash-up-the-development-team/ All content (c) 2012 Phydian Systems LLC. All rights reserved. 6
- 7. Mobile Health can both: • Increase risk • Reduce risk • Practice size affects risk profile Key is: • Planning • Business Case Analyses • Master Data Management M OBILE H EA LTH : P R IVA C Y A ND S EC UR ITY R IS K S … BEYOND C OM P LIA NCE 54% of 464 HIPAA breaches affecting 500 or more individuals from 9/2001 to July 2012 involved loss or theft of unencrypted mobile devices Sources: http://www.govinfosecurity.com/interviews/onc-plans-mobile-security-guidance-i-1629 http://pinterest.com/pin/123849058473938431/ 10/2/2012 All content (c) 2012 Phydian Systems LLC. All rights reserved. 7
- 8. • Conceptualizing “mobile health” – business cases for IT infrastructure management • GRC – governance, risk and compliance in a CoIT framework • Best practices for CoIT in healthcare • Security Risk Analysis • PTA/PIA • Stakeholders • Policy vs. technical controls • Lessons learned | Considerations for the enterprise FIRST QUESTION: WHY BYOD? 10/2/2012 All content (c) 2012 Phydian Systems LLC. All rights reserved. 8
- 9. 10/2/2012 BUSINESS CASE ANALYSIS - BYOD TCO (Total Cost of Ownership) Why BYOD? Is it actually cheaper? Are you simply shifting costs? • License and account management (telecom) • Responsive design: Testing/QA/Usability • Enforcement: Policies, standards, training • Realigning enterprise architecture for BYOD mobile environment • Scaleability All content (c) 2012 Phydian Systems LLC. All rights reserved. 9
- 10. Managing human factors in mobile data THE IDEAL management Employees Contractors Partners Need to know Need to manage InfoSec IT Ops Legal
- 11. Managing human factors in mobile data THE REALITY management Employees IT Ops Contractors Partners Manage Know InfoSec Legal
- 12. THE CHALLENGE Adopting Governance and Risk Based Model to BYOD • There is no endpoint • There is no perimeter • Users own the data • NoEmployees one owns the risk Contractors Partners • Security doesn’t have control • IT Ops own the databases • IT Ops own the servers • IT Ops own the apps InfoSec IT Ops Legal
- 13. GRC FOR HEALTHCARE • Governance – organizational and IT • Risk – management and mitigation • Compliance – HITECH/Meaningful Use/42 CFR • BYOx/CoIT *must* be part of overall GRC strategy • Security Risk Analysis • PTA/PIA • Stakeholders – CPGs, workflow, training • Policy vs. technical controls 10/2/2012 All content (c) 2012 Phydian Systems LLC. All rights reserved. 13
- 14. 10/2/2012 HIGH LEVEL REFERENCE ARCHITECTURE MOBILE HEALTH Source: http://www.mobilehealthlive.org/publications/discussion-papers/a-high-level-reference-architecture-for-mobile-health/20460/ All content (c) 2012 Phydian Systems LLC. All rights reserved. 14
- 15. 10/2/2012 MASTER DATA HUB AND EXAMPLES Case Studies So it’s about the data, and… … the device, but not “just” about the device VA looks to establish BYOD mobile device management protocols (www.mhimss.org) • MDM software • Systems, network, apps supported by VA • No jailbroken devices • Wiping personal devices if compromised • Rules of behavior required if storing VA data • Personal device can be brought under VA control if needed All content (c) 2012 Phydian Systems LLC. All rights reserved. 15
- 16. HEALTHCARE INFORMATION TRANSFORMATION Master Data Enterprise Then… EIM MDM MDM2 Management Information Master Management Device Management Data- centric Device- model (or hardware) Reactive centric Posture model
- 17. MINIMUM TECHNICAL REQUIREMENTS • Policy • Wireless Encryption of Data at Rest • Data segmentation (on premise, cloud, metadata) • Customer support (heterogeneity) • Infection control Encryption of • MSIRT Data in Motion • Vendor evaluation (the myth of the “HIPAA Good Housekeeping Seal”) • Applications: APM and ALM Two Factor • Infrastructure Authentication • Costs HIPAA Security Rule: Remote Use http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf
- 18. QUESTIONS? 10/2/2012 All content (c) 2012 Phydian Systems LLC. All rights reserved. 18
- 19. Upcoming Events Contact Info SecureWorld Expo Marie-Michelle Strah @cyberslate Detroit, MI, October 3rd & 4th http://www.linkedin.com/in/drstrah [email protected] www.phydiansystems.com Midwest HIMSS Des Moines, IA, November 11th-13th April Sage [email protected] mHealth Summit www.onlinetech.com Washington, DC, December 3rd-5th Main: 734-213-2020 HIMSS 2013 New Orleans, March 3rd-7th 2013, Booth # 1369 www.onlinetech.com Copyright 2012 Online Tech. All rights reserved. CONFIDENTIAL 734.213.2020