It's About the Data, Stupid: Mobile Security and BYOD for Healthcare
Transcript of It's About the Data, Stupid: Mobile Security and BYOD for Healthcare
www.onlinetech.com Copyright 2012 Online Tech. All rights reserved. CONFIDENTIAL 734.213.2020
It's About the Data, Stupid! Real World Mobile Security
Speakers
Marie-Michelle Strah, Ph.D., Founder of Phydian Systems
Marie-Michelle Strah, Ph.D., is a healthcare enterprise architect in the Washington D.C. area specializing in strategy, information architecture, information security and data architecture for federal and commercial clients. She is the founder of Phydian Systems LLC and an adjunct professor of Healthcare Information Technology at Catholic University of America. She brings more than 15 years of experience in enterprise architecture, healthcare, information technology management, and research and development internationally.
April Sage, Marketing Director, Online Tech
April Sage has been involved in the IT industry for over two decades, starting in the pre-Windows era as the founder of an IT school teaching DOS, WordPerfect, and FoxPro. In the early 2000s, April founded a bioinformatics company that supported biotech, pharma, and bioinformatic companies in the development of research portals, drug discovery search engines, and other software systems. Since then, April has been involved in the development and implementation of online business plans and marketing strategies across insurance, legal, entertainment, and retail industries until her current position as Marketing Director of Online Tech.
GOALS OF ENTERPRISE MOBILITY
• Building productivity
• Reducing risk
• Mobile device encryption
• Access control
• Policy vs. technical controls
• MDM technologies – maturity?
• Unexpected expenses of data protection
Source: http://www.readwriteweb.com/enterprise/2011/03/consumerization-of-it-95-of-in.php
10/2/2012 All content (c) 2012 Phydian Systems LLC. All rights reserved. 3
CONCEPTUALIZING “MOBILE HEALTH”
Enterprise Mobility and Consumerization of IT
TWEETING ENTERPRISE MOBILITY
It’s NOT about the device…
CONCEPTUALIZING “MOBILE HEALTH”
mHealth: Mobile is enabler…
• Patients
• Providers
• “Wellness lifecycle”
• Productivity
From “there’s an app for that” to enterprise information management lifecycle
• Content delivery
• Cloud and thin client
Source: http://healthpopuli.com/2011/02/15/success-factor-for-mobile-health-mash-up-the-development-team/
MOBILE HEALTH: PRIVACY AND SECURITY RISKS… BEYOND COMPLIANCE
Mobile Health can both:
• Increase risk
• Reduce risk
• Practice size affects risk profile
Key is:
• Planning
• Business Case Analyses
• Master Data Management
Sources:
http://www.govinfosecurity.com/interviews/onc-plans-mobile-security-guidance-i-1629
http://pinterest.com/pin/123849058473938431/
54% of 464 HIPAA breaches affecting 500 or more individuals from 9/2001 to July 2012 involved loss or theft of unencrypted mobile devices
FIRST QUESTION: WHY BYOD?
• Conceptualizing “mobile health” – business cases for IT infrastructure management
• GRC – governance, risk and compliance in a CoIT framework
• Best practices for CoIT in healthcare
• Security Risk Analysis
• PTA/PIA
• Stakeholders
• Policy vs. technical controls
• Lessons learned | Considerations for the enterprise
BUSINESS CASE ANALYSIS - BYOD
TCO (Total Cost of Ownership)
Why BYOD? Is it actually cheaper? Are you simply shifting costs?
• License and account management (telecom)
• Responsive design: Testing/QA/Usability
• Enforcement: Policies, standards, training
• Realigning enterprise architecture for BYOD mobile environment
• Scalability
THE IDEAL
Diagram: Employees, Contractors and Partners on one axis; InfoSec, IT Ops and Legal on the other, labelled “Need to manage” and “Need to know”.
Managing human factors in mobile data management
THE REALITY
Diagram: Employees, Contractors and Partners on one axis; InfoSec, IT Ops and Legal on the other, labelled “Know” and “Manage”.
Managing human factors in mobile data management
THE CHALLENGE
Diagram: Employees, Contractors and Partners on one axis; InfoSec, IT Ops and Legal on the other.
• There is no endpoint
• There is no perimeter
• Users own the data
• No one owns the risk
• Security doesn’t have control
• IT Ops own the databases
• IT Ops own the servers
• IT Ops own the apps
Adopting Governance and Risk Based Model to BYOD
GRC FOR HEALTHCARE
• BYOx/CoIT *must* be part of overall GRC strategy
• Security Risk Analysis
• PTA/PIA
• Stakeholders – CPGs, workflow, training
• Policy vs. technical controls
• Governance – organizational and IT
• Risk – management and mitigation
• Compliance – HITECH/Meaningful Use/42 CFR
HIGH LEVEL REFERENCE ARCHITECTURE MOBILE HEALTH
Source: http://www.mobilehealthlive.org/publications/discussion-papers/a-high-level-reference-architecture-for-mobile-health/20460/
MASTER DATA HUB AND EXAMPLES
Case Studies
VA looks to establish BYOD mobile device management protocols (www.mhimss.org)
• MDM software
• Systems, network, apps supported by VA
• No jailbroken devices
• Wiping personal devices if compromised
• Rules of behavior required if storing VA data
• Personal device can be brought under VA control if needed
So it’s about the data, and… the device, but not “just” about the device
HEALTHCARE INFORMATION TRANSFORMATION
Diagram: from a reactive posture and a device- (or hardware-) centric model to a data-centric model. MDM: Master Data Management; EIM: Enterprise Information Management; then MDM2: Master Device Management.
MINIMUM TECHNICAL REQUIREMENTS
Encryption of Data at Rest
Encryption of Data in Motion
Two Factor Authentication
• Policy
• Wireless
• Data segmentation (on premise, cloud, metadata)
• Customer support (heterogeneity)
• Infection control
• MSIRT
• Vendor evaluation (the myth of the “HIPAA Good Housekeeping Seal”)
• Applications: APM and ALM
• Infrastructure
• Costs
HIPAA Security Rule: Remote Use
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf
QUESTIONS?
Upcoming Events SecureWorld Expo
Detroit, MI, October 3rd & 4th
Midwest HIMSS Des Moines, IA, November 11th-13th
mHealth Summit Washington, DC, December 3rd-5th
HIMSS 2013 New Orleans, March 3rd-7th 2013, Booth # 1369
Contact Info
Marie-Michelle Strah
@cyberslate
http://www.linkedin.com/in/drstrah
www.phydiansystems.com
April Sage
www.onlinetech.com
Main: 734-213-2020