The BYOD Tightrope: Balance User Demands and Your Organization's Risk Tolerance
Panel Members – Introduction
• Michael Boyd CISO Providence Health & Services
• Robert Thibadeau SVP, Chief Scientist Wave Systems
• Tom Walsh President tw-Security
• Jason Zellmer Exec. Dir., Technology Risk Management Kaiser Permanente
Objectives
• Provide an overview of the proliferation of personal mobile devices (trends)
• Identify the primary threats and risks associated with mobile devices
• Discuss some of the decision factors for implementing BYOD
• Describe safeguards and controls
• Explain firsthand experiences with some of the operational challenges
Trends
• Mobile devices went from “company issued” to “personally-owned” – Bring Your Own Device (BYOD)
• New mobile devices are being released at a rapid pace
• Sales of Apple iPads and iPhones are up
• Many technicians in healthcare are Microsoft certified, but are not Apple certified
• Mobile devices are being used to communicate patient care
• Because of their size and mobility, laptops, tablets, and smartphones are vulnerable to being lost or stolen
Reasonably Anticipated Threats
• Theft or loss
• Unauthorized access – Users storing unsecured confidential information
• Malicious code
• Unauthorized or unlicensed software or unsigned applications
• “Jailbreaking” (Apple) or “Rooting” (Android) – accessing a device’s root file system
• Electronic eavesdropping or interception of unsecured and public wireless transmission
Safeguards and Controls
• Policy and user agreements
• How was the policy developed and communicated? Who was involved?
• Can workforce members send text messages with PHI or images of patients?
• How is PHI accessed? Where is PHI stored?
• Mobile device management [MDM] tools
• What are you currently using?
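One way an MDM inventory can be checked against the threat list on the preceding slides (theft or loss, unsecured PHI storage, jailbreaking or rooting, unsigned applications, eavesdropping on public wireless). This is an added example written for this page, not code from the panel or from any MDM product; the device record fields, the minimum OS versions, the finding codes and the three sample devices are all assumed or constructed for illustration.

```python
"""Triage BYOD device inventory records against the panel's threat list.

The Device fields below are an ASSUMED, generic shape for an MDM inventory
export; real MDM products use their own schemas and attribute names.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed policy floor for OS versions; a real policy would set its own values.
MIN_OS: Dict[str, Tuple[int, int]] = {"ios": (15, 0), "android": (12, 0)}


@dataclass
class Device:
    device_id: str
    platform: str                    # "ios" or "android"
    os_version: Tuple[int, int]
    passcode_set: bool
    storage_encrypted: bool
    remote_wipe_enrolled: bool
    jailbroken_or_rooted: bool
    unsigned_apps: List[str] = field(default_factory=list)
    vpn_required_for_wifi: bool = False


def evaluate(d: Device) -> List[str]:
    """Return finding codes, one per control the device fails."""
    findings: List[str] = []
    # Theft or loss: the device must be locked and remotely wipeable.
    if not d.passcode_set:
        findings.append("NO_PASSCODE")
    if not d.remote_wipe_enrolled:
        findings.append("NO_REMOTE_WIPE")
    # Unauthorized access to stored confidential information: at-rest encryption.
    if not d.storage_encrypted:
        findings.append("STORAGE_UNENCRYPTED")
    # Jailbreaking (Apple) or rooting (Android).
    if d.jailbroken_or_rooted:
        findings.append("JAILBROKEN_OR_ROOTED")
    # Unauthorized, unlicensed or unsigned applications.
    if d.unsigned_apps:
        findings.append("UNSIGNED_APPS:" + ",".join(sorted(d.unsigned_apps)))
    # Malicious code: an unsupported or unpatched platform as a proxy.
    floor = MIN_OS.get(d.platform)
    if floor is None:
        findings.append("UNSUPPORTED_PLATFORM")
    elif d.os_version < floor:
        findings.append("OS_BELOW_MINIMUM")
    # Eavesdropping on unsecured or public wireless: require VPN for Wi-Fi.
    if not d.vpn_required_for_wifi:
        findings.append("NO_VPN_ON_WIFI")
    return findings


def access_decision(d: Device) -> str:
    """Map findings to a PHI-access decision: allow, quarantine or block."""
    findings = evaluate(d)
    hard_fail = {"JAILBROKEN_OR_ROOTED", "STORAGE_UNENCRYPTED", "UNSUPPORTED_PLATFORM"}
    if any(f in hard_fail for f in findings):
        return "block"
    if findings:
        return "quarantine"
    return "allow"


def triage(devices: List[Device]) -> Dict[str, List[str]]:
    """Return only the non-compliant devices with their findings."""
    result: Dict[str, List[str]] = {}
    for d in devices:
        f = evaluate(d)
        if f:
            result[d.device_id] = f
    return result


# Constructed sample records (not real devices).
SAMPLE_DEVICES = [
    Device("dev-001", "ios", (16, 2), True, True, True, False, [], True),
    Device("dev-002", "android", (13, 0), True, True, True, True,
           ["com.example.sideloaded"], True),
    Device("dev-003", "ios", (14, 1), False, True, False, False, [], False),
]

if __name__ == "__main__":
    for dev_id, f in triage(SAMPLE_DEVICES).items():
        print(dev_id, access_decision(next(d for d in SAMPLE_DEVICES if d.device_id == dev_id)), f)
```

The hard-fail set (rooted, unencrypted, unsupported platform) blocks PHI access outright, while lesser findings quarantine the device until the user remediates; that split is one way to express the role-based “levels of access” the decision-factors slide raises.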
Decision Factors for Implementing BYOD
• Business drivers and use cases
• Decision factors to move forward with BYOD
• Workforce issues
• Inclusion/exclusion (union, hourly, etc.)
• Levels of access (role-based)
• Compensation issues (stipend) for using a personal phone for conducting business
• Non-employees
• BYOD strategy – “One size does not fit all”
Operational Challenges
• Supported / allowed versus prohibited mobile devices in the workplace
• Issues concerning personal devices carried by patients and other visitors
• Common security mistakes made by clinicians in using mobile devices
• Lessons learned from any near misses or actual incidents of data leakage or unauthorized disclosures (breaches to PHI)
• HIMSS Mobile Security Toolkit http://www.himss.org/library/healthcare-privacy-security/mobile-security-toolkit?navItemNumber=13512
• The HIMSS mHealth Roadmap http://www.himss.org/mobilehealthit/roadmap
• HIMSS Privacy & Security Toolkit http://www.himss.org/library/healthcare-privacy-security/toolkit
• Department of Health and Human Services – Your Mobile Device and Health Information Privacy and Security http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security
• Healthcare IT News (webinars and white papers) http://www.healthcareitnews.com
Questions
Thank You