Consumerization of IT: Mobile Infrastructure, Support and Security
Healthcare Information Transformation #HIT12 | 4/3/2012 | Jacksonville, FL
Managing and Securing Mobile Devices
Marie-Michelle Strah, PhD
Introductions
Marie-Michelle Strah, PhD
Federal Program Manager
Applied Information Sciences
Ideas @ AIS: http://ideas.appliedis.com/
Twitter: @cyberslate
Blog: http://lifeincapslock.com
Linkedin: http://www.linkedin.com/in/drstrah
Workshop Goals
• Building productivity
• Reducing risk
• Mobile device encryption
• Access control
• Policy vs. technical controls
• MDM technologies – maturity?
• Unexpected expenses of data protection
Source: http://www.readwriteweb.com/enterprise/2011/03/consumerization-of-it-95-of-in.php
Agenda
• Conceptualizing “mobile health” – business cases for IT infrastructure management
• GRC – governance, risk and compliance in a CoIT framework
• Best practices for CoIT in healthcare
• Security Risk Analysis
• PTA/PIA
• Stakeholders
• Policy vs. technical controls
• Lessons learned | Considerations for the enterprise
Introduction: #mhealth Summit 2011
• Mobile is an enabler…
• Patients
• Providers
• “Wellness lifecycle”
• Productivity
• From “there’s an app for that” to enterprise information management lifecycle
• Content delivery
• Cloud and thin client
Source: http://healthpopuli.com/2011/02/15/success-factor-for-mobile-health-mash-up-the-development-team/
The Challenge
[Diagram: user groups – Employees, Contractors, Partners; owning functions – InfoSec, IT Ops, Legal]
• There is no endpoint
• There is no perimeter
• Users own the data
• No one owns the risk
• Security doesn’t have control
• IT Ops own the databases
• IT Ops own the servers
• IT Ops own the apps
GRC for Healthcare
• Governance – organizational and IT
• Risk – management and mitigation
• Compliance – HITECH/Meaningful Use
• BYOx/CoIT *must* be part of overall GRC strategy
• Security Risk Analysis
• PTA/PIA
• Stakeholders – CPGs, workflow, training
• Policy vs. technical controls
Enterprise Security Model
S = (P_x * A_y)
Information Security (collaborative model) equals People (all actors and agents) times Architecture (technical, physical and administrative)
Mobile Device Roundtable
Washington, DC
3/16/2012
http://healthit.hhs.gov/portal/server.pt?open=512&mode=2&objID=3816
[Diagram: moving from a reactive posture and a device- (or hardware-) centric model to a data-centric model. Labels: MDM – Master Data Management; EIM – Enterprise Information Management; then MDM2 – Master Device Management]
Minimum Technical Requirements
• Encryption of data at rest
• Encryption of data in motion
• Two-factor authentication
• Policy
• Wireless
• Data segmentation (on premise, cloud, metadata)
• Customer support (heterogeneity)
• Infection control
• MSIRT
• Vendor evaluation (the myth of the “HIPAA Good Housekeeping Seal”)
• Applications: APM and ALM
• Infrastructure
• Costs
HIPAA Security Rule: Remote Use
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf
Best Practices: Data-centric Model
1. This is NOT an IT problem
2. Privacy Impact Assessment: PHI, ePHI, PII (compartmentalization and segregation)
3. Security Risk Analysis
4. MSIRT (policy and training)
5. Look to stakeholders for domain expertise in clinical workflows
6. Data-centricity: use the Connected Health Framework reference (SOA) model
7. Governance, governance, governance
Lessons Learned: Risk-based Model
1. Define permissible mobile devices
2. Access control policies (time/geolocation)
3. Manage applications (third party tools/enterprise app store)
4. Integrate mobile devices onto network
5. Vendor evaluation
6. Costs
Source: http://www.beckershospitalreview.com/healthcare-information-technology/4-best-practices-for-hospitals-managing-mobile-devices.html
Finally… consider issuing agency- or organization-owned devices
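The "Minimum Technical Requirements" slide and the risk-based lessons above (permissible devices, time/geolocation access control) describe what a mobile access decision has to check before a device is allowed near ePHI. The script below is an added example, not part of the deck or of any MDM product: it evaluates a constructed device posture record (storage encryption, TLS enforcement, two-factor enrolment) and a constructed access policy (permitted models, working hours, a geofence around a hospital site) and returns a decision with the findings that would be logged for the MSIRT. The site coordinates, device models and time window are assumptions made up for the example.

```python
"""Added example: data-centric mobile access policy check (constructed data)."""
from dataclasses import dataclass
from datetime import datetime, time
import math


@dataclass
class DevicePosture:
    device_id: str
    model: str
    storage_encrypted: bool   # encryption of data at rest
    tls_enforced: bool        # encryption of data in motion
    mfa_enrolled: bool        # two-factor authentication


@dataclass
class AccessRequest:
    device: DevicePosture
    user: str
    when: datetime
    lat: float
    lon: float


@dataclass
class Policy:
    permitted_models: frozenset
    start: time          # earliest permitted access time
    end: time            # latest permitted access time
    site_lat: float      # geofence centre (assumed hospital site)
    site_lon: float
    radius_km: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = math.radians(lat2 - lat1)
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def posture_findings(device):
    """Minimum technical requirements: every missing control is a finding."""
    findings = []
    if not device.storage_encrypted:
        findings.append("data-at-rest encryption missing")
    if not device.tls_enforced:
        findings.append("data-in-motion encryption (TLS) not enforced")
    if not device.mfa_enrolled:
        findings.append("two-factor authentication not enrolled")
    return findings


def evaluate(req, policy):
    """Return ('allow'|'deny', findings). Any finding denies: fail closed."""
    findings = posture_findings(req.device)
    if req.device.model not in policy.permitted_models:
        findings.append("device model not on permitted list")
    t = req.when.time()
    if not (policy.start <= t <= policy.end):
        findings.append("outside permitted hours")
    d = haversine_km(req.lat, req.lon, policy.site_lat, policy.site_lon)
    if d > policy.radius_km:
        findings.append(f"outside geofence: {d:.0f} km from site")
    return ("allow" if not findings else "deny", findings)


# Constructed policy: assumed site near Jacksonville, FL, 5 km geofence, 07:00-19:00.
POLICY = Policy(frozenset({"iPhone 4S", "iPad 2"}), time(7, 0), time(19, 0),
                30.33, -81.66, 5.0)

# Constructed sample requests (not real devices or users).
SAMPLES = [
    AccessRequest(DevicePosture("dev-A", "iPhone 4S", True, True, True),
                  "nurse01", datetime(2012, 4, 3, 9, 30), 30.34, -81.65),
    AccessRequest(DevicePosture("dev-B", "Android-unknown", False, True, True),
                  "contractor7", datetime(2012, 4, 3, 23, 15), 28.54, -81.38),
    AccessRequest(DevicePosture("dev-C", "iPad 2", True, True, False),
                  "md22", datetime(2012, 4, 3, 14, 0), 30.33, -81.67),
]


def run_samples(policy=POLICY, samples=SAMPLES):
    """Evaluate every sample request; returns {device_id: (decision, findings)}."""
    return {r.device.device_id: evaluate(r, policy) for r in samples}


if __name__ == "__main__":
    for dev, (decision, findings) in run_samples().items():
        print(dev, decision, findings)
```

The check fails closed: a single missing control or policy breach denies access and the reasons are returned together, so the incident response team sees the full picture rather than only the first failure. In practice the posture fields would come from the MDM agent's attestation and the policy from the governance process the deck describes, not from constants in the script.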
THANK YOU!