1/23/2013
01:55 PM
Paul Cerrato
Commentary

Is Mobile Device Management The Answer?

MDM software is being considered by healthcare IT execs concerned about security.

InformationWeek Green - Jan. 28, 2013
Download the entire February 2013 issue of InformationWeek Healthcare, distributed in an all-digital format as part of our Green Initiative


Of all the issues that keep health IT managers awake at night, it's hard to find one more vexing than mobile device management. A recent survey of healthcare providers makes the angst obvious.

Security and management concerns are top of mind for many healthcare organizations, according to a recent KLAS report. In the study, "Mobile Healthcare Applications: Can Enterprise Vendors Keep Up?" 105 respondents, most of them C-level executives, said that securing personal devices via MDM software is one of their top concerns.

When the execs were asked what their organizations are looking to do to secure personal devices used at work, their No. 1 response was data encryption. MDM was No. 2, which is promising, says Eric Westerlind, the report's author.

"[Providers] are concerned with making sure tablets are secure, and it's difficult because it's a personal device," Westerlind says. "Whatever they install can't be too intrusive, and sometimes that can be an issue with MDM. But when you're dealing with patient information, anything that contains data covered by HIPAA needs to be secured, and those devices need to be able to be wiped clean."

Devices More Secure

Ken Kleinberg, a health IT consultant with the Advisory Board, points out that the operating systems of mobile devices have more robust security features than the legacy Windows systems found in hospitals. But he emphasizes that hospitals need to implement strong bring-your-own-device security policies, including mobile application management tools. "It's not just that you're going to control the configuration on the device. You're also going to control what application can be loaded on that device," Kleinberg says.

A hospital's IT organization can give doctors a list of the applications it has vetted, he notes. If a doctor wants to use a document reader, for instance, the hospital might suggest one. If he wants to use a dosing calculator, it might suggest three apps and make them available on its application server.

Beth Israel Deaconess Medical Center CIO Dr. John Halamka enforces security policies via Exchange ActiveSync.

The Policy Approach

During interviews with several IT pros, it became obvious that when it comes to MDM, one size doesn't fit all. For instance, rather than choose an MDM product, Beth Israel Deaconess Medical Center has for now "settled on enforcing tight security policies through Exchange ActiveSync," says BIDMC's CIO, Dr. John Halamka.

"It is highly likely we are capturing most, if not all, BYODs that access BIDMC resources, as email is by far the most frequently used application," Halamka says. "We really don't have other applications that have been customized to run on smartphones and tablets. Our applications are native to the Web, so the ability to install and manage mobile applications is not something we've encountered as a problem yet."

For those healthcare providers that do require native mobile apps for their physicians, several vendors offer MDM platforms to address security threats.

Bob DeLisa, president of Cooperative Systems, a Connecticut-based IT support and consulting firm, offers some advice on choosing an MDM system. He tells clients to base their decision "on the age and scalability of your current infrastructure." Consider Meraki, for instance, when you're doing an infrastructure upgrade, DeLisa says, and consider server-based products such as those from Good Technology, MobileIron and BoxTone if you've recently upgraded.

He also sees promise in cloud-based MDM products, "mostly because the medical practice will be able to keep up with technology in a proactive manner." DeLisa notes that the easiest system to administer is usually the most cost-effective. And with so many vendors, "the seesaw battle for features among the top players will be secondary to implementation, training and support," he says.

Some hospitals and practices prefer to custom build their BYOD system, but those that want to go with an MDM product must consider a long list of technical issues:

>> Which mobile operating systems do we need to support?

>> Do we plan to host the MDM system on our network?

>> Which email system do our clinicians use, and will it be compatible with the MDM tool?

>> Will the MDM software enable us to remain HIPAA-compliant?

>> What are the software's lock and wipe capabilities?

>> Will we use the MDM tool to push out other applications that clinicians insist on using to manage patients?

Most of these questions are outlined in the Avema Critical Wireless Buyer's Guide, which Halamka mentioned in a recent email exchange.

George Brenckle, CIO at UMass Memorial Healthcare in Worcester, Mass., takes a different approach to BYOD. He prefers to focus on managing data rather than devices, one reason UMass has switched to a virtual desktop approach. With all of its sensitive patient data on hospital servers, there's no risk of breaches from stolen or lost iPads and laptops.

What about commercial MDM products? Brenckle says the challenge is keeping one step ahead of the rapidly changing mobile device ecosystem. "So you invest in one of these MDM tools and it's working well, and suddenly a new tablet or smartphone comes on the market that the tool isn't equipped to manage," he says.

BYOD isn't going away, because clinicians are in love with their devices. Those devices help them provide better patient care and may even have saved lives. Once you find the right management solution, it will save you some sleepless nights as well.
