Monday, October 3, 2011

Bring Your Own Device

At BIDMC, I oversee 10,600 desktops and 2000 laptops.  They are all locked down with System Center Configuration Manager 2007 and McAfee ePolicy Orchestrator.

Given that most of our applications are thin client and web-based, we can stretch the lifetimes of our desktops to 5-6 years and our laptops to 3-4 years.   Capital funding puts limits on how much hardware we can buy and how long we keep it.

Like many IT departments, we have to balance many priorities - security, cost, software compatibility, performance and the user experience.

This balance means that the locked down, image managed, economical device provided by the IT department will almost always be older, lower powered, and less capable than the device in your home.

The same is true of mobile devices like Blackberries which are a one time purchase and are only replaced when they stop functioning.

Consumer devices are more than just technology, they've become lifestyle accessories.  Are you an iPad2 or a Macbook Air 11 person?   Does Android tickle your fancy or are you holding out for the Samsung tablet with Windows 8?

The cost of these devices is low enough that consumers can buy them on their own and may upgrade yearly as new models are released.

All of this has led to the BYOD movement - Bring Your Own Device to work.

One of my passions as a CIO has been to create web-based applications that run anywhere on anything.    That approach has enabled our applications to run on every version of the iPad, iPhone and iPod touch as well as Android and Blackberry devices like the Playbook.

However, I'm also accountable for the privacy and security of each byte of person identified data and we have over 1.5 petabytes to protect.

The internet is an increasingly hostile place.   Clicking on a picture of Heidi Klum results in a 1 in 10 chance that your device will become infected.

Online apps distributed via social networks are filled will malware.

Hacked websites can bring malware onto our device.   A CIO at the recent Information Week 500 conference described that hackers inserted malware, which was only one pixel by one pixel, into a public-facing website his lab supported.   All internal users who browsed to the website and did not have the latest version of Adobe Flash were infected.  Once infected, their workstations scanned for other vulnerabilities on the network.

Breach reporting regulations in HITECH are strict.   If a keystroke logger embedded in malware results in username/password compromise and a hacker downloads files or views data for more than 500 people, the prominent media needs to be notified.   It is unlikely that the media will see much difference between an infected personal device and something under the CIO's control - the CIO will be held accountable!

BIDMC has over 1000 iPads and over 1600 iPhones accessing its network for email and web applications.   I absolutely see the value of the Bring Your Own Device movement.

However, the compliance and regulatory requirements that grow more complex every day make the BYOD movement very problematic.

It may be that we'll find some compromise, such as encouraging BYOD, noting that little support will be available, and requiring mobile device security solutions such as Good Technologies before a personal device is allowed on the network.

BYOD can be empowering to users.  Let's hope we can mitigate the risk and afford the applications needed to comply with federal and state laws.


David Bernick said...

Hm. I was hoping for a picture of Ms. Klum.

I ran the IT at an e-discovery company for years. We handled stuff that needed to be very secure (and often had regulatory policy to comply with).

My policy was this: computers that handled our "secure" data were very locked down -- even at the physical level and network level. Very controlled access policies. We then allowed any user to bring in any wi-fi enabled device to access the Internet in a totally unrestricted manner (though there were certain verbally encouraged security policies with those devices).

We kept our "secure" data separate from our "not-secure" data.

This worked out great for us and there were few complaints.

We also provided a "build your own insecure device" in an insecure cloud that people could RDP or VNC to if they wanted to use their locked-down workstation to access insecure stuff.

Jonathan Merrill said...

So... BYOD is ok in your hospitals? I wasn't sure based on your posting.

I think your exactly right, BYOD is a very slippery slope. However, most hospitals are getting incredible pressure from physicians to allow it. Security seems to either be the rock to hind behind or the stone to throw...

Unfortunately, BYOD will only get the necessary attention once a breach occurs and by then... it's too late.

John Halamka said...

We have over 1000 iPads and 1600 iPhones which connect to the BIDMC network on a daily basis. We require encryption/password protection by policy at this point.

Anonymous said...

While the security aspects of BYOD get the headlines, legal issues should also get attention. A user's personal device which holds PHI or other sensitive data may be the object of discovery in litigation -- and may be impounded. Users should be asked how they would react to the potential for indefinite loss of their device before allowing them to access sensitive data or systems.