Consumerization of IT: Mobile Infrastructure, Support and Security

Healthcare Information Transformation #HIT12 | 4/3/2012 | Jacksonville, FL Managing and Securing Mobile Devices Marie-Michelle Strah, PhD


From the half-day workshop on Mobile Device Security with Chris Seper and Kirk Larson at Healthcare Information Transformation #HIT12, April 3, 2012, in Jacksonville, FL.

Transcript of Consumerization of IT: Mobile Infrastructure, Support and Security


Introductions

Marie-Michelle Strah, PhD

Federal Program Manager

Applied Information Sciences

Ideas @ AIS: http://ideas.appliedis.com/

[email protected]

Twitter: @cyberslate

Blog: http://lifeincapslock.com

Linkedin: http://www.linkedin.com/in/drstrah

Workshop Goals

• Building productivity

• Reducing risk

• Mobile device encryption

• Access control

• Policy vs. technical controls

• MDM technologies – maturity?

• Unexpected expenses of data protection

Source: http://www.readwriteweb.com/enterprise/2011/03/consumerization-of-it-95-of-in.php

Agenda

• Conceptualizing “mobile health” – business cases for IT infrastructure management

• GRC – governance, risk and compliance in a CoIT framework

• Best practices for CoIT in healthcare

• Security Risk Analysis

• PTA/PIA

• Stakeholders

• Policy vs. technical controls

• Lessons learned | Considerations for the enterprise

Introduction: #mhealth Summit 2011

• Mobile is enabler…

• Patients

• Providers

• “Wellness lifecycle”

• Productivity

• From “there’s an app for that” to enterprise information management lifecycle

• Content delivery

• Cloud and thin client

Source: http://healthpopuli.com/2011/02/15/success-factor-for-mobile-health-mash-up-the-development-team/

Conceptualizing “mobile health”

The Ideal (diagram): Employees, Contractors, Partners | InfoSec, IT Ops, Legal | Need to manage, Need to know

The Reality (diagram): Employees, Contractors, Partners | InfoSec | IT Ops | Legal | Know | Manage

The Challenge (diagram): Employees, Contractors, Partners | InfoSec, IT Ops, Legal

• There is no endpoint

• There is no perimeter

• Users own the data

• No one owns the risk

• Security doesn’t have control

• IT Ops own the databases

• IT Ops own the servers

• IT Ops own the apps

GRC for Healthcare

• Governance – organizational and IT

• Risk – management and mitigation

• Compliance – HITECH/Meaningful Use

• BYOx/CoIT *must* be part of overall GRC strategy

• Security Risk Analysis

• PTA/PIA

• Stakeholders – CPGs, workflow, training

• Policy vs. technical controls

Information Security (Collaborative Model): $S = (P_x \ast A_y)$

where $S$ = Information Security, $P_x$ = People (all actors and agents), and $A_y$ = Architecture (technical, physical and administrative): Information Security equals People times Architecture.

Enterprise Security Model

Complexity = Higher Risks and Costs

Mobile Device Roundtable

Washington, DC

3/16/2012

http://healthit.hhs.gov/portal/server.pt?open=512&mode=2&objID=3816

Healthcare Information Transformation (diagram)

Reactive posture: device- (or hardware-) centric model | data-centric model

MDM: Master Data Management | EIM: Enterprise Information Management | MDM2: then… Master Device Management

Minimum Technical Requirements

Encryption of Data at Rest | Encryption of Data in Motion | Two Factor Authentication

• Policy

• Wireless

• Data segmentation (on premise, cloud, metadata)

• Customer support (heterogeneity)

• Infection control

• MSIRT

• Vendor evaluation (the myth of the “HIPAA Good Housekeeping Seal”)

• Applications: APM and ALM

• Infrastructure

• Costs

HIPAA Security Rule: Remote Use

http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf

Best Practices: Datacentric Model

1. This is NOT an IT problem

2. Privacy Impact Assessment: PHI, ePHI, PII

(Compartmentalization and segregation)

3. Security Risk Analysis

4. MSIRT (policy and training)

5. Look to stakeholders for domain expertise in clinical workflows

6. Datacentricity: Use connected health framework reference (SOA) model

7. Governance, governance, governance

Lessons Learned: Risk-based Model

1. Define permissible mobile devices

2. Access control policies (time/geolocation)

3. Manage applications (third party tools/enterprise app store)

4. Integrate mobile devices onto network

5. Vendor evaluation

6. Costs

Source: http://www.beckershospitalreview.com/healthcare-information-technology/4-best-practices-for-hospitals-managing-mobile-devices.html

Finally… consider issuing agency or organization owned devices

THANK YOU!
