Mobile Device Mgmt Healthcare Whitepaper


Tablets in Health Care

  1. LANDesk White Paper | Mobile Device Management for Healthcare: Discover, Extend, Secure and Empower
  2. To the maximum extent permitted under applicable law, LANDesk assumes no liability whatsoever, and disclaims any express or implied warranty, relating to the sale and/or use of LANDesk products including liability or warranties relating to fitness for a particular purpose, merchantability, or infringement of any patent, copyright or other intellectual property right, without limiting the rights under copyright.

LANDesk retains the right to make changes to this document or related product specifications and descriptions, at any time, without notice. LANDesk makes no warranty for the use of this document and assumes no responsibility for any errors that can appear in the document nor does it make a commitment to update the information contained herein. For the most current product information, please visit

© 2012, LANDesk Software, Inc. and its affiliates. All rights reserved. LANDesk and its logos are registered trademarks or trademarks of LANDesk Software, Inc. and its affiliates in the United States and/or other countries. Other brands and names may be claimed as the property of others.

LSI-1017-EN 02/12 MS/BB/AZUU2
  3. Contents

  • Introduction
  • Daunting Challenges for Healthcare IT
  • The Solution: Discover, Extend, Secure and Empower
  • Policy, Tools and Education
  • Policy
  • Education
  • Mobile Device Management Tools
  • LANDesk Advantages
  • Conclusion
  4. Introduction

Mobile devices have taken off in healthcare organizations, where doctors and other medical staff use smart phones and tablets to access everything from email to health reference materials, electronic health records, medical imaging, and patient survey applications. Mobile devices perform a host of medical, technical, and administrative functions, including communicating medical information to patients and families. Thanks to the freedom and fast information access enabled by wireless communications, tablets have even begun to replace patient workstations for accessing and entering patient care information in IT healthcare applications.

A recent survey by Manhattan Research found that 75 percent of American physicians own some kind of Apple mobile device and 81 percent use some kind of smart phone—Apple or non-Apple—up from 72 percent the previous year.[1] Thirty percent of doctors use iPads to access EHRs (electronic health records), view radiology images, and communicate with patients. An additional 28 percent plan to buy an iPad within the next six months, according to the report. Other studies have found similar results among nurses and other healthcare employees and have linked use of mobile devices with job satisfaction.

The benefits of mobile devices in healthcare are significant. Healthcare professionals can collaborate and access information wherever and whenever the need arises, rather than having to wait to get to a conference room desk phone, PC, workstation, or file cabinet. The result is faster, often better decisions and more efficient patient care.

As with business enterprises, healthcare institutions are undergoing the consumerization of IT. Rather than looking to IT for mobile devices and connectivity, healthcare professionals increasingly take their personal iPhones, iPads, and other mobile devices to work and expect to be able to use them freely in the medical care environment. Corporate-procured Blackberry smart phones and even workstations, laptops, and desktops are giving way to user-owned iPhones and iPads. With more and more medical schools integrating mobile devices into the curriculum as well, it’s likely that mobile device use in healthcare environments will continue to grow and job choice and satisfaction among younger health professionals will increasingly be tied partially to the use of the latest mobile technology.

Daunting Challenges for Healthcare IT

Mobile devices and platforms represent significant challenges for healthcare IT, however. Regulations such as HIPAA and HITECH require healthcare organizations to take responsibility for managing, securing, and protecting confidential patient information and for reporting any breaches that take place. The consequences of a breach can be immense, including steep fines and devastating publicity, not to mention the significant costs incurred in understanding what was breached, who saw the data, risks, and remediation.

Unfortunately, without the right kind of guidance and management, personal mobile devices can cause absolute chaos when it comes to confidentiality. Challenges include:

Asset Lifecycle Management—When users feel free to bring their own devices to work, it can be difficult or sometimes impossible to discover, track, and secure them against the constantly changing threat landscape.

User Management—IT can’t depend on doctors and staff to use their devices wisely, as many are ignorant of device security, privacy, and compliance risks, not to mention how to protect mobile devices and the information stored on them from hackers and theft.

Many unwittingly store confidential information on their tablets or smart phones without any encryption or other form of protection, or use them to send and receive email and file attachments containing sensitive information. Others use file sharing applications such as DropBox to store and transmit information or unsecured personal email services that lie outside of the institution’s messaging and security infrastructure. Users may also take advantage of unsecured wireless WiFi connections in coffee shops, hotels, and other environments to transmit information, not knowing that hackers regularly frequent these establishments to penetrate the devices of unwitting users.

Other hazards are caused by users unknowingly downloading malware-laden mobile applications, accessing infected Web sites, or using text messaging in ways that introduce malware into their devices or open doors for hackers to penetrate devices, networks, and centralized data stores.

Device Loss and Theft—Mobile device loss and theft, including those involving laptops, are the single greatest cause of data breaches at large healthcare organizations, far more common than hacking incidents.

[1] Taking the Pulse U.S. Annual Market Research Study v11.0, Manhattan Research, May 4, 2011
  5. Platform Complexity—While servers, PCs, and laptops run on a few longstanding, seasoned operating systems familiar to IT, mobile devices run on a variety of newer, less seasoned operating systems, including iOS and Android. The newness and openness of Android represents a particularly thorny security problem for IT, with Android devices under increasing attack in the past several months.

The Solution: Discover, Extend, Secure and Empower

Unfortunately, simply forbidding or severely restricting mobile or personal devices in the work place is not an option for healthcare institutions if they seek to hire and retain younger, tech-savvy doctors and medical personnel or compete with their more technologically advanced cohorts. Not to mention that many employees are likely to bring in their mobile devices anyway and use them as they wish. Simply forbidding these devices makes it impossible to manage and secure them–and the information they contain.

Instead, the solution for most healthcare organizations today is to embrace their employees’ mobile devices and platforms and use the right combination of policy education and effective tools to manage, secure, and protect confidential information. In order to do so, IT needs to accomplish several tasks:

Know what you have—First, IT must have a clear picture of what mobile devices and mobile device platforms are used by employees. This can be a difficult task when workers bring in personal devices for both work and personal use. Most likely IT will need to meet with each department in the organization to get a feel for what devices are being used. It’s important to strike a positive attitude that lets users know that the goal is to embrace, empower, and secure mobile devices, not restrict them or punish their users.

Know how mobile devices are used—Are employees using their mobile devices to access organization email, electronic medical records, private patient information, patient surveys? Are they accessing personal email services, social networks, potentially insecure Web sites? Are they storing patient information on their devices? Are they downloading consumer applications? Do they have any awareness of the need for and ways to protect confidential patient information on these devices? Are they using public WiFi services?

Know your data—What healthcare information must have maximum protection? Where is it stored, and how is it accessed? What data needs a medium level of protection? Who should have access to this data and who should not?

Know your infrastructure and its vulnerabilities—How does the organization protect confidential information today? Where are the unique vulnerabilities posed by mobile devices and which of these are the most hazardous?

Know the risks—What are the overall and unique security risks of each mobile device platform? What are the risks of patient information breaches caused by storing user data on mobile devices, or by using personal email, public WiFi, or personal applications? What are the likely threats to your organization’s mobile devices and confidential information? If a breach were to happen, what would the likely costs be to the organization? It’s important to factor in less tangible yet genuine costs such as damage to the institution’s reputation or remediation costs of a breach.

Policy, Tools, and Education

Once IT has a handle on the use and risks of mobile platforms in the organization, the next step is to craft a strategy for mobile platform security and data protection.

Sometimes the best way to craft a strategy that balances the mobile needs of employees with the compliance, security, and data privacy needs of the organization is to form a mobile security strategy task force that includes representatives from IT, affected departments, and legal counsel.

Most effective mobile device security strategies consist of a combination of policy, education, and tools.

Policy

Your mobile security policy should integrate with your overall organizational security strategy. Organizations should already have policies in place that spell out which employees and employee roles are permitted access to which categories of information and what they are allowed to do with it, including emailing or sharing it digitally in other ways.

Your mobile security policy should add policies that spell out:

  • Which mobile platforms, such as laptops, tablets, and smart phones, and which operating systems, such as iOS and Android, are permitted in the healthcare environment and who is permitted to use
  6. Requirements for users to register their mobile devices with IT.

  • What information if any can be stored on employees’ mobile devices and what protections such as passwords, encryption, VPNs, backup, etc. need to be implemented to protect this information.

  • Rules for accessing the Web over mobile devices and downloading and using health and non-health related applications. Some organizations may want to publish a list of approved and unacceptable mobile applications or even provide their own organization app store where users can download new applications.

Users should also be put on notice to:

  • Always keep mobile devices within their sight.

  • Report device loss or theft to appropriate staff immediately. Mobile device users are known to spend hours or even days trying to locate missing devices before reporting their loss.

  • Never share their devices or device passwords with anyone else.

  • Never connect to the corporate network or transmit healthcare information of any type over insecure WiFi networks without using virtual private networking or other tools that secure data in transit.

  • Never transmit sensitive information over unsecured personal email or data sharing services, either in the form of text, attachments, or information cut and pasted from sensitive documents.

  • Keep Bluetooth out of discovery mode when not in use.

  • Understand that jailbroken smart phones or tablets will never be allowed in the organization.

IT should also have policies for locating and wiping lost or stolen mobile devices and protecting mobile devices from malware. As with any other IT assets, policies should be in place for addressing security when employees leave the organization.

Education

Policy is not very useful if it’s not backed up with an effective employee education program. Mobile device users must be educated in depth about the security challenges posed by mobile devices in the work environment and proper measures they must take to address them. They should understand the hazards of device loss and theft, data leakage, and malware, as well as the data security and privacy requirements and related penalties of HIPAA, HITECH, and any other relevant regulations.

It’s important to demonstrate in a tangible way just how damaging breaches can be by relating stories about organizations that have been breached and the actual devastating financial and other impacts of those breaches. Keep users aware of breaches that make the news. Make sure you repeat education on an ongoing basis and educate new employees and mobile platform users as soon as possible.

Users must also be educated at least annually about your organization’s mobile security policies and the user responsibilities spelled out by them, as well as any penalties that can result from disobeying security policies. If you don’t want users simply tuning out and doing as they please, make sure you balance this education with a positive attitude that recognizes users’ needs and the obvious benefits of mobile platforms.

Mobile Device Management Tools

Policies must not only be spelled out, they must be enforced. Unfortunately, users tend to do things for the sake of convenience that run counter to your organization’s security policies. That’s why it’s important to put the appropriate tools in place to enforce company policies and to discover, manage, and secure mobile platforms.

The first line of defense in any environment incorporating mobile devices and platforms is an enterprise mobile device management (MDM) solution. MDM systems provide a host of tools for identifying, managing, and securing mobile platforms of all types and their users. Some of the features of an effective mobile device management platform include:

Discovery—The ability to discover all mobile devices and platforms that connect to the corporate network and create a device inventory database that can be used to manage these platforms over their entire lifecycle. The application should not permit users to connect their devices to the network or messaging systems until they are approved and properly registered with the MDM system. The MDM system should be able to easily grandfather existing platforms as well.

Extended Hardware and Software Inventory—including memory, batteries, installed applications, policies, and network information.
  7. Mobile Platform Diversity—The best mobile device management systems cover all the most popular mobile platforms and operating systems, including Blackberry, Apple, and Android tablets and smart phones, and can take advantage of each mobile platform’s native OS policies, security features, and other capabilities.

Easy Self Enrollment—Users are able to enroll with the network directory, such as Active Directory, and the MDM system themselves after which the system configures the user and device and implements appropriate security policies automatically. Some MDM systems provide access to a company app store, similar to Apple’s app store, where users can download a management agent and other approved applications and enroll without the help of IT.

Zero-Touch Management—The ability to execute management functions, including software distribution, WiFi and messaging configuration, and administrator updates across mobile platforms from a central console, without any need for physical access to the devices themselves.

Workforce Segmentation—based on user roles, responsibilities, and corporate policies, with appropriate control of access to corporate information, content, and applications based on these roles. This MDM solutions element helps organizations implement a solution that is not a one-size-fits-all model, allowing effective segmentation based on the role of the end user within your organization.

Self Service Application and Content Portal—Some MDM platforms offer secure corporate portals that enable employees to access approved and in-house applications, as well as files, videos, and other safe information and resources the organization desires to make available to mobile users. In environments that require the absolute highest level of confidentiality, it’s useful for the MDM system to have the option of streaming all content to each device so that confidential information is never stored there and susceptible to theft or loss.

Phone Location—The ability to track and report device locations and provide a location history that can be useful in tracing the device in case of loss or theft.

Remote Lock, Password Reset, and Wipe—The ability to automatically lock a lost or stolen device remotely and eliminate any sensitive information stored on it.

Remote Notification—that can alert all device users to the availability of new resources and any required user actions through its own application portal.

Jailbreak and Rooting Detection—The ability to detect jailbroken or rooted mobile devices to determine if the device is compliant, if any action should be taken, or any policies should be invoked.

A Controlled Browser—for launching links and limiting sites users can access based on corporate policy and security and compliance requirements.

Encryption—of any sensitive information in transit and at rest.

LANDesk Advantages

Several MDM solutions are available on the market today, each with its own set of features and capabilities. LANDesk® Mobility Manager stands out as a market-leading solution from a software vendor that can boast 25 years of stability, experience, and IT systems management expertise controlling and managing desktops and laptops—and more recently the multiple mobile devices users increasingly carry.

LANDesk Mobility Manager offers the best of both worlds—the ability to apply discovery, inventory, security, and management capabilities to mobile devices from a single, easy-to-use console, while enabling IT to offer self-service options to users within the LANDesk application portal. This portal serves as a repository for apps, files, videos, and other corporate resources that your users can access without submitting to, or resorting to the horizontal app stores such as iTunes and Android Marketplace. This capability is essential to controlling and securing applications in a healthcare environment.

Organizations can use the same LANDesk console and database to manage smart phones and tablets that they use to manage desktops and laptops. This level of integration translates into significant total-cost-of-ownership advantages. According to IDC, the use of LANDesk as a comprehensive hardware and end-user management system can save more than $23,000 per 100 users per year.[2]

There’s no need for IT to develop a relationship with another management vendor and provide the requisite training and resources for an entirely new platform, with its own unique issues and quirks.

[2] Gaining Business Value and ROI with LANDesk Software: Automated Change and Configuration Management, IDC, January
  8. As shown below, LANDesk Mobility Manager simply installs on top of a LANDesk Management Suite 9 core server, plus the addition of the cloud-facing components in the DMZ and the LANDesk mobile device management server. The same, familiar console is used to manage the new devices.

Conclusion

Mobile device platforms in medical environments are here to stay given the advantages for patient care that are impossible to ignore. At the same time, patient privacy and confidentiality requirements of HIPAA, HITECH, and other regulations present significant challenges to the use of mobile platforms in a secure fashion that protects patient confidentiality and ensures compliance. Mobile Device Management platforms provide one of the principal ways to meet these challenges while empowering healthcare employees with all the convenience and patient care advantages today’s mobile platforms offer.

With LANDesk, the user is the endpoint, not the device. A user-centered, policy-based approach is more logical and far less cumbersome than a device-centered approach in today’s typical work environments where each user connects to the network with multiple devices.

LANDesk Mobility Manager provides a full-featured, integrated mobile platform management solution. Healthcare institutions can manage and secure all their users’ desktops, laptops, and mobile devices effectively for the lowest possible capital and operating costs.