Tuesday, May 22, 2012

The Challenge of Encrypting BYOD Devices

As we continue the journey to protect corporate data that is accessed from personal mobile devices, we're developing increasingly rigorous policies that  rebalance individual preferences with corporate compliance requirements.

Requiring a non-trivial password and a timeout is supported by all Windows, Android, and iOS phones.   Using Microsoft Active Sync, we can push settings to phones, enforcing corporate policies.

Central management of personal phone encryption is much more problematic.

I've spoken to my peer CIOs in Massachusetts and we all have policies requiring encryption of mobile devices that access hospital information systems.

Massachusetts requires that any mobile device containing "personal information" be encrypted:

"Under the law, personal information to be protected includes a Massachusetts resident’s name (either first and last name or first initial and last name) combined with a complete social security number, driver’s license, or other state-issued number, a financial account number or a complete credit card or bank account number."

However, no local CIO has tried to push encryption settings to personal devices.

Why?

We've tested encryption on several smartphones and found that it lacks robustness - we've had performance issues and data corruption issues.

Many phones do not support pushed settings to encrypt the device.   Some devices, such as any iPhone older than the iPhone 3, do not support encryption at all.    Here's an overview of the heterogeneity.

Similarly, no local CIO has implemented automated remote wipe of personal devices for a certain number of failed password attempts.   At present, smartphones have no capability to selectively wipe corporate data, leaving personal data intact.  Although there are mobile device management (MDM) solutions that require loading software on personal devices, they are expensive and challenging to support.

Thus, the best practice in the hospitals of Massachusetts as of mid-2012 seems to be pushing password/timeout settings, avoiding remote wiping, and requiring encryption by policy rather than a forcing technology.

What about laptops?

Everyone in healthcare wants laptops encrypted because encryption provides a "safe harbor".  If you lose one that contains protected healthcare information , you don't have to go through the full breach disclosure.

There are three generations of laptop encryption strategies

a. Full Disk Encryption (FDE) requiring an application such as McAfee's SafeBoot

b. Native Operating support  for encryption such as Microsoft's BitLocker in Windows 7 and Apple's native encryption in Lion.

c.  Self-encrypting drives with enterprise management software such as Safend Endpoint Security.  The encryption is part of the hardware when the device is procured.

We currently use FDE for Windows XP and native operating system support for Windows 7 and iOS.  We're studying management tools that support self-encrypting drives.

The issue of encrypting smartphones and laptops is a very high priority for hospital compliance and risk committees.   The policies are clear, but the technology to support those policies is still in evolution.

The burden on IT departments to purchase and support mobile device security tools is significant.

Self encrypting drive approaches hold promise because they are operating system neutral and require little support.

We will continue to enhance  our abilities to centrally manage encryption of mobile devices.   Like many security issues, the management of personal device encryption is a journey.

6 comments:

Kevin Groff said...

I am curious about the number of data points and institutions telling you that MDM solutions are difficult to support? That is your best option imo, and yes. AV, IPS, IDS, and all security is expensive. Once balanced against the penalty/consequences/risk, it is probably worth it. It sounds like you think installing software on the device is a negative when I believe that is a positive to isolate the personal from the business. Your team is ahead of the curve and on the cutting edge in almost every other IT area. I am puzzled by your pushback on MDM solutions.

Anonymous said...

Pushing settings, remote wiping, easy centralized mgmt... it's what keeps Blackberry going. No BYOD policies at those corporate entitites, though. I guess freedom has a price.

Anonymous said...

We use Touchdown for corporate email and calendars on Android and iOS devices. It supports all the policies you listed and keeps the information separate from owners' personal information on the device. So, for example, a simple swipe may still be all that's necessary to unlock the phone and personal email, but the corporate email remains locked until a PIN is entered.

The Traveler said...

I have been looking at Good (www.good.com) and TouchDown (www.nitrodesk.com). Both appear to have a proprietary client and do not use the native email. Are there any drawbacks to this? For example, are you able to manage downloaded mail offline (at least until planes get wifi consistently)? For me, it seems separating the corporate email from the private email might have advantages.

Harry Sanborn said...

We're taking the MDM route. Devices deployed by the hospital support encryption and remote wipe, if you want to use a personal device, it must support that as well. Part of using your personal device to access company resources means you accept the risk and responsibility and possibility that you may have your personal data wiped along with protected data.

Anonymous said...

What mobile device platforms are you supporting? Curious given the HIPAA/HITECH requirements and the variance among smartphone platforms.