Tuesday, July 10, 2012

The BIDMC Mobile Device Security Initiative

For several years BIDMC has had an administrative policy requiring special security safeguards for mobile computing devices that connect to the data network.   Many of these devices are locally administered or personally owned.   Given state and federal regulatory changes, increased use of consumer devices to access/store data, and increased visibility of privacy related incidents, we believe that policy alone is inadequate to assure mobile devices have proper security safeguards.

As part of our Summer of Compliance activities, we are taking active technology and process steps to enhance mobile device security.

Here's an excerpt of what we'll be sending to all staff:

"Below are minimum requirements for mobile devices connecting to the BIDMC network.   Rather than rely on policy alone, we will be installing these configurations on devices connecting to our data network.   We have already begun phasing in some of these, such as requiring passwords on devices that use Exchange ActiveSync, and will continue until all mobile devices connecting to the BIDMC network are compliant.

Password protection – The device must require a password or equivalent security feature before it can be accessed.  

Timeout – The device must be set to timeout and require re-entry of the password if not used for over 15 minutes.

Anti-Malware Protection – Laptops must have an up-to-date anti-virus software application installed.   The device’s operating system and third party applications such as Adobe, Microsoft Office, Java, and others must be properly patched.  

Unnecessary Software and Services – Wireless interfaces and applications such as Bluetooth must be disabled when not needed.

Encryption – The data must be encrypted.   Massachusetts law requires this if the device contains information protected under the State’s data privacy regulations.   HIPAA provides safe harbor if the entire storage disk is encrypted and pre-boot authentication is in place.   In a communication next week, I'll outline our aggressive mobile device encryption program.

Custody – The mobile device should be kept in your possession when traveling or in an uncontrolled environment such as a hotel room.   Prevent unauthorized persons from accessing sensitive content stored on the device or using it to access the BIDMC network.

Backup Protection – Protected health information or other confidential BIDMC data should ONLY be backed up using BIDMC data storage resources, e.g. your home directory.   Using public Internet cloud storage services to back up BIDMC sensitive information is prohibited."
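As an added example, not BIDMC's configuration or anything from the post, the memo's device-level requirements expressed as an Exchange 2010 ActiveSync mailbox policy, followed by a report of which synced devices have actually applied it. Only the 15-minute timeout comes from the memo; the policy name, the password length, the failed-attempt limit and the hands-free Bluetooth setting are assumptions made here, and the anti-malware, custody and backup rules cannot be expressed in an ActiveSync policy at all.

```powershell
# Added example, not BIDMC's own configuration. Assumes the Exchange 2010
# Management Shell; values marked "assumed" are placeholders, not from the memo.

$policyName = 'BIDMC-Mobile-Minimum'      # assumed name

# Splatting keeps one setting per line so each can carry its own comment.
$policy = @{
    Name                          = $policyName
    DevicePasswordEnabled         = $true          # Password protection
    AllowSimpleDevicePassword     = $false         # no 1234 / 1111
    MinDevicePasswordLength       = 6              # assumed length
    MaxInactivityTimeDeviceLock   = '00:15:00'     # Timeout: 15 minutes, per the memo
    MaxDevicePasswordFailedAttempts = 10           # assumed; exceeding it wipes the device
    RequireDeviceEncryption       = $true          # Encryption of on-device data
    RequireStorageCardEncryption  = $true          # removable media too
    AllowBluetooth                = 'HandsfreeOnly' # assumed reading of "disabled when not needed"
    AllowNonProvisionableDevices  = $false         # devices that cannot enforce the policy are refused
}
New-ActiveSyncMailboxPolicy @policy

# Assign the policy to every mailbox; devices receive it on their next sync.
Get-Mailbox -ResultSize Unlimited |
    Set-CASMailbox -ActiveSyncMailboxPolicy $policyName

# Report partnered devices that have not applied the policy in full, so the
# phase-in described in the memo can be tracked until every device is compliant.
function Get-NonCompliantMobileDevices {
    Get-Mailbox -ResultSize Unlimited |
        ForEach-Object { Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity } |
        Where-Object { $_.DevicePolicyApplicationStatus -ne 'AppliedInFull' } |
        Select-Object DeviceFriendlyName, DeviceType, DeviceOS,
                      DevicePolicyApplied, DevicePolicyApplicationStatus, LastSuccessSync
}

Get-NonCompliantMobileDevices | Format-Table -AutoSize
```

Devices reporting NotApplied or PartiallyApplied are the ones still outside the stated minimums; laptops that connect without ActiveSync are not covered by this report and need a separate inventory.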

I welcome feedback on your experience implementing such policies and technologies.   It's clear to me that healthcare organizations have no choice but to reduce personal choice and personal freedom in order to keep our patient data safe.


ckoerner said...

It will be interesting to see, in a moderate span of time, how these technological changes impact the security of your information. Will you be tracking occurrences of noncompliance and comparing them to the past? At some point in the future, will this initiative be reviewed to check its effectiveness?

My theory is that it will do little to actually decrease occurrences of security breaches. This sounds like a giant round-robin. Government organizations and security folks want to keep themselves feeling important and leadership within healthcare organizations have to do something! So the result is a bunch of policies, limitations and rules.

"It's clear to me that healthcare organizations have no choice but to reduce personal choice and personal freedom in order to keep our patient data safe."

This reads to me as, "Adults aren't really adults, but children. It's too difficult to communicate the importance of being responsible and hold people accountable, so we're just going to give up and take care of it for them."

"The true measure of a man (or an organization) is not how he behaves in moments of comfort and convenience but how he stands at times of controversy and challenges."

Leaks are going to happen. In such a hyper connected world it gets spread around faster than ever. It's how the organization responds to these that matters, not what internal rules they can point to.

Jim Thompson MD said...

The frustration of this approach is having to touch and police every device, including those "personally owned." It's unfortunate how protecting privacy and security balloons staffing and resource needs. One alternative is to use all mobile devices as passive displays for data that is always stored elsewhere and only displayed in real time as it is needed. While this mandates constant connectivity, surely making mobile devices passive displays is less of a problem than having PHI stored locally on mobile devices.

CON said...

How will the mobile systems be audited and tracked for compliance? Another interesting thought is that mobile devices can contain hard drives and removable media; does that mean that the device itself will now need to be monitored for misuse of mobile storage devices?

As a cyber security and malware analyst, I always want to give users the ability to do their job, but I want to minimize risk. I never state that there is a 100% solution, but as long as risk is recognized and understood, then let's figure out a way to allow these devices for additional productivity.

Anonymous said...

The issue of protecting sensitive information goes further than just device management and policy. It also requires that we look at the application architecture itself. If the goal is to limit the amount of sensitive data that persists on a mobile device (such as HIPAA compliant patient data), then a web/html5 app should be considered as a way to limit access and data on the device to what is necessary to complete a given task. However, html5 apps, while improving all of the time, still cannot access all of the native device features (sensors, location, gestures) which may be needed for a given use case. Also, even though html5 provides some level of offline caching (5MB for most browsers), this may not be sufficient where network connectivity is weak/intermittent. In both these cases, native or hybrid apps may be required, in which case policy containers that control the application on the end-user's device (such as Mocana or Good Dynamics) should be seriously considered in addition to good practices around encryption for data stored on the device. The container approach allows the end-user to use their personal device freely without the risk of compromising the app carrying sensitive data.

Alan said...

You may want to check out NIST Special Publication 800-124, Guidelines for Managing and Securing Mobile Devices in the Enterprise (Rev 1 Draft). This was released in early July.

That document references specific controls in other NIST documents, most notably NIST SP800-53 rev 3. I would actually look at the current draft SP800-53 rev 4, which includes updates to more adequately address mobile security.