The BYOD Tightrope: Balance User Demands and Your Organization's Risk Tolerance

Panel Members – Introduction

• Michael Boyd, CISO, Providence Health & Services

• Robert Thibadeau, SVP, Chief Scientist, Wave Systems

• Tom Walsh, President, tw-Security

• Jason Zellmer, Exec. Dir., Technology Risk Management, Kaiser Permanente

Objectives

• Provide an overview of the proliferation of personal mobile devices (trends)

• Identify the primary threats and risks associated with mobile devices

• Discuss some of the decision factors for implementing BYOD

• Describe safeguards and controls

• Explain firsthand experiences with some of the operational challenges

Trends

• Mobile devices went from “company issued” to “personally-owned” – Bring Your Own Device (BYOD)

• New mobile devices are being released at a rapid pace

• Sales of Apple iPads and iPhones are up

• Many technicians in healthcare are Microsoft certified, but are not Apple certified

• Mobile devices are being used to communicate patient care

• Because of their size and mobility, laptops, tablets, and smartphones are vulnerable to being lost or stolen

Reasonably Anticipated Threats

• Theft or loss

• Unauthorized access – Users storing unsecured confidential information

• Malicious code

• Unauthorized or unlicensed software or unsigned applications

• “Jailbreaking” (Apple) or “Rooting” (Android) – accessing a device’s root file system

• Electronic eavesdropping or interception of unsecured and public wireless transmission

Safeguards and Controls

• Policy and user agreements
  – How was the policy developed and communicated? Who was involved?
  – Can workforce members send text messages with PHI or images of patients?
  – How is PHI accessed? Where is PHI stored?

• Mobile device management [MDM] tools
  – What are you currently using?

Decision Factors for Implementing BYOD

• Business drivers and use cases
  – Decision factors to move forward with BYOD

• Workforce issues
  – Inclusion/exclusion (union, hourly, etc.)
  – Levels of access (role-based)
  – Compensation issues (stipend) for using personal phone for conducting business
  – Non-employees

• BYOD strategy
  – “One size does not fit all”

Operational Challenges

• Supported / allowed versus prohibited mobile devices in the workplace

• Issues concerning personal devices carried by patients and other visitors

• Common security mistakes made by clinicians in using mobile devices

• Lessons learned from any near misses or actual incidents of data leakage or unauthorized disclosures (breaches to PHI)

• HIMSS Mobile Security Toolkit
  http://www.himss.org/library/healthcare-privacy-security/mobile-security-toolkit?navItemNumber=13512

• The HIMSS mHealth Roadmap
  http://www.himss.org/mobilehealthit/roadmap

• HIMSS Privacy & Security Toolkit
  http://www.himss.org/library/healthcare-privacy-security/toolkit

• Department of Health and Human Services: Your Mobile Device and Health Information Privacy and Security
  http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security

• Healthcare IT News (webinars and white papers)
  http://www.healthcareitnews.com

Questions

Thank You