Comments on "Dispatch from the Digital Health Frontier: The BIDMC Mobile Device Security Initiative" by John Halamka (comment feed, last updated 2024-03-27)

Alan (2012-07-18 08:03):

You may want to check out NIST Special Publication 800-124, Guidelines for Managing and Securing Mobile Devices in the Enterprise (Rev 1 Draft). This was released in early July.
http://csrc.nist.gov/publications/drafts/800-124r1/draft_sp800-124-rev1.pdf

That document references specific controls in other NIST documents, most notably NIST SP800-53 rev 3. I would actually look at the current draft SP800-53 rev 4, which includes updates to more adequately address mobile security.

Anonymous (2012-07-13 14:38):

The issue of protecting sensitive information goes further than just device management and policy. It also requires that we look at the application architecture itself. If the goal is to limit the amount of sensitive data that persists on a mobile device (such as HIPAA-compliant patient data), then a web/HTML5 app should be considered as a way to limit access and data on the device to what is necessary to complete a given task. However, HTML5 apps, while improving all of the time, still cannot access all of the native device features (sensors, location, gestures) which may be needed for a given use case. Also, even though HTML5 provides some level of offline caching (5MB for most browsers), this may not be sufficient where network connectivity is weak/intermittent.

In both these cases, native or hybrid apps may be required, in which case policy containers that control the application on the end user's device (such as Mocana or Good Dynamics) should be seriously considered in addition to good practices around encryption for data stored on the device. The container approach allows the end user to use their personal device freely without the risk of compromising the app carrying sensitive data.

CON (2012-07-12 14:20):

How will the mobile systems be audited and tracked for compliance? Another interesting thought is that mobile devices can contain hard drives and removable media; does that mean now that the device itself will need to be monitored for misuse of mobile storage devices...

As a cyber security and malware analyst, I always want to enable users the ability to do their job, but I want to minimize risk. I never state that there is a 100% solution, but as long as risk is recognized and understood then let's figure out a way to allow these devices for additional productivity.

Jim Thompson MD (2012-07-12 10:04):

The frustration of this approach is having to touch and police every device, including those "personally owned." It's unfortunate how protecting privacy and security balloons staffing and resource needs. One alternative is to use all mobile devices as passive displays for data that is always stored elsewhere and only displayed in real time as it is needed.

While this mandates constant connectivity, surely making mobile devices passive displays is less of a problem than having PHI stored locally on mobile devices.

ckoerner (2012-07-12 08:36):

It will be interesting to see, in a moderate span of time, how these technological changes impact the security of your information. Will you be tracking occurrences of noncompliance and comparing that to the past? At some point in the future will this initiative be reviewed to check its effectiveness?

My theory is that it will do little to actually decrease occurrences of security breaches. This sounds like a giant round-robin. Government organizations and security folks want to keep themselves feeling important, and leadership within healthcare organizations have to do *something*! So the result is a bunch of policies, limitations and rules.

"It's clear to me that healthcare organizations have no choice but to reduce personal choice and personal freedom in order to keep our patient data safe."

This reads to me as, "Adults aren't really adults, but children. It's too difficult to communicate the importance of being responsible and hold people accountable, so we're just going to give up and take care of it for them."

"The true measure of a man (or an organization) is not how he behaves in moments of comfort and convenience but how he stands at times of controversy and challenges."

Leaks are going to happen. In such a hyper-connected world it gets spread around faster than ever. It's how the organization responds to these that matters, not what internal rules they can point to.