Challenges of Mobile Security & BYOD in Healthcare


Published on

Healthcare in America is changing. New rules, new laws, new technologies and new expectations are driving healthcare providers to adapt to new ways of delivering services. Mobile technologies are a key part of making healthcare portable and personal. Tablets, smartphones and other handheld devices can give practitioners the freedom they need to deliver services with the speed and reliability patients expect. However, this increased focus on mobility carries numerous security risks. Malware, attacks, and theft can jeopardize data confidentiality and damage patient trust. Moreover, the new HIPAA Omnibus ruling puts increased focus on the need to secure electronic patient health information (ePHI).

Join Anitian Enterprise Security and Sophos as we explore the challenges of mobility in healthcare. Anitian will outline some of the new changes to HIPAA as well as effective strategies for securing mobile devices. Sophos will discuss technologies and techniques that can deliver strong security and protection, without sacrificing the freedom and accessibility practitioners require. The presentation will conclude with an quick walk through of Sophos Mobile Security solution and the features it provides to protect healthcare data.

Published in: Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Challenges of Mobile Security & BYOD in Healthcare

  1. 1. MOBILE SECURITY THE CHALLENGE FOR HEALTHCAREAndrew Plato, CISSP, CISM, QSA Tom HenaultPresident / CEO North American Data Protection SpecialistAnitian Enterprise Security Sophos Inc.
  2. 2. Introductions• Andrew Plato President / CEO Anitian Enterprise Security• Tom Henault North American Data Protection Specialist Sophos, Inc.
  3. 3. Agenda• Going mobile• Impact of HIPAA / HITECH on mobility• Solutions for Mobile Security• OPTIONAL: Sophos MDM Review
  4. 4. NOT On the Agenda• EMR Implementations• Ridiculous promises• Frothy, sensationalist nonsense• Horror stories• Statistics
  5. 5. Challenges of Mobility in Healthcare GOING MOBILE
  6. 6. What Are the Issues that Affect Mobility in Healthcare?• People• Data• Apps• Access• Compliance (HIPAA/HITECH)
  7. 7. People• Benefits • Mobility enables people to work better • People are comfortable with tablets, smartphones, laptops • Users demand it• Challenges • Do you trust your users? • Do they have the ability to make sound decisions about threats and risk? • What policies and procedures are necessary to make mobility work? • How can you handle personal devices?
  8. 8. Data• Benefits • Allows staff to access information anywhere • Rapid access to data to serve clients better• Challenges • What are the threats to the data? • How do you protect the data? • How do you control access to data? • What happens if data is lost or stolen?
  9. 9. Applications• Benefits • Mobile apps can completely redefine workflow • Easy to use and learn• Challenges • How do you controls what apps do what? • How do you prevent malware apps? • How do you balance personal apps vs. company apps
  10. 10. Compliance• Benefits • You have a lot of control over your compliance efforts • There are no specific requirements for mobility in the relevant regulations• Challenges • How do you craft a BYOD strategy to align with HIPAA/HITECH & Meaningful Use? • How can mobile security help with preventing breaches? • How do you prove compliance?
  11. 11. Why is Mobility So Hard for Healthcare?• Caregivers demand access and do not want roadblocks• Data is extremely sensitive• HIPAA/HITECH• A single breach can be disastrous• Healthcare networks are large, complex and diverse• Mobile devices and apps are maturing rapidly• There is no one product or solution that protects mobile platforms
  12. 12. Challenges of Mobility in Healthcare IMPACT OF HIPAA/HITECH
  13. 13. What Are the Threats• Lost / theft• Personal entanglement • Reputational damage• Malware • Legal liability• Content sharing • HHS Fines• Phishing • Breach notification costs• Toll fraud • Estimated cost: $197 per• Productivity loss record lost• Breach
  14. 14. Costs Are Considerable• Regulatory fines, penalties• Lawsuits and civil action have larger cost than fines• Response costs 1. Forensic analysis 2. Notification and communication costs 3. Credit, identity monitoring• Audits are required – to ensure you meet: 1. Privacy rule 2. Security rule 3. Breach notification rule
  15. 15. Leading Causes of Breaches 5.93% 47.80% Theft 10.90% Loss of Media 14.90% Unauthorized access or use (hacking) Human or technical error 15.90% Improper disposal
  16. 16. What Has Changed?• HIPAA Omnibus announced in Jan 2013, in effect Sept 2013 now includes: • Covered entities • Business Associates • Contractors • Subcontractors• Business Associates also required to encrypt PHI• HITECH also requires PHI breach notification, which was not part of the original HIPAA rules• Must conduct a “good faith effort” risk assessment for any suspected breach
  17. 17. HIPAA Security Rule Safeguards• Access controls to restrict access to PHI to authorized personnel only• Audit controls to monitor activity on systems containing e-PHI, such as an electronic health record system• Integrity controls to prevent improper e-PHI alteration or destruction• Transmission security measures to protect e-PHI when transmitted over an electronic network
  18. 18. How Do You Stay Compliant?• Conduct an organizational risk assessment (this is required!)• Develop a HIPAA/HITECH compliance program• Classify data• Encrypt anything that you can easily pick up and walk out the door with (laptops, tablets, mobile devices)• Control access (UTM, ACLs, etc.), core firewalls• Unify authentication & authorization to a common platform (which is monitoring and audited)• Monitor & audit all access (SIEM)• Implement IDS/IPS organizational wide• Implement DLP, control content• Develop sound IR practices
  19. 19. Challenges of Mobility in HealthcareSOLUTIONS FOR MOBILE SECURITY
  20. 20. What Policies / Procedures Are Necessary?• Develop Mobile Security Strategy • Authority - Who is responsible for mobile security? • Define Resources – Money and people to implement the strategy. • Establish Need – Business justification for mobile security. • Requirements – What your mobile security solutions must do • BYOD – How will you handle personally owned devices? • Awareness – A program to educate and inform users. • Policy - Organizational policy and standards for mobile security and operational authority.• Update Incident Response Practices • IR Procedures should specifically address mobile security incidents • Train staff on procedures to report loss, theft or suspected breach • Update procedures to include risk assessment for suspected breach More…
  21. 21. What Policies / Procedures Are Necessary?• Have a Mobile Security Policy • Sophos has a great template in their Mobile Security Toolkit: • Acceptable use • Rules for personal devices • Explain how devices will be reset / wiped • Define classes of employees and the access they have• Have a Mobile Security Standard • Define the technical requirements for mobility in your environment • Supported platforms • MDM Rules
  22. 22. How Do You Control Access?• Segment the network, implement a core firewall• Separate mobile devices to protected (wireless) networks• Implement standard UTM functionality (IPS, web filtering, AV, application control, DLP, etc.)• Implement MDM• Require passcodes or smart cards on mobile devices• Use VPN clients for remote access• Prevent use of unauthorized USB drives• Use application delivery framework, such as Citrix or Remotium
  23. 23. How Do You Protect Data?• If it moves, encrypt it: USB drives, laptops, systems, smartphones, tablets, backup tapes, etc.• Use strict access controls on applications• Control, filter, encrypt and monitor email• Use application delivery framework (Citrix, Remotium, etc.)• Forbid storing data on mobile devices• Wipe devices immediately if lost or stolen• Implement DLP: network, email, web, systems, mobile• Implement database monitoring (DAM)
  24. 24. How Do You Control Apps?• Create your own App store• Prohibit jail-breaking with MDM rules• Deploy endpoint malware monitoring on Android• Use network controls on UTM devices to block bothersome or dangerous apps• Implement application compliance on MDM• Use application delivery framework (Citrix, Remotium, etc.)
  25. 25. How Do I Make this Work?• HIPAA does not say “protect smartphones” is says “protect data, and disclose if you fail”• Find your data, know where it is and who needs to use it• Automate enforcement – take users out of the protection loop where possible• Look to the entire infrastructure, not just phones• Own the devices, avoid sharing personal devices where possible• Create classes of user, with stronger restrictions on users that access PHI• Train users about the threats and good practices
  26. 26. Challenges of Mobility in Healthcare SOPHOS MDM REVIEW
  27. 27. MDM: Key functionality today Manage and control devices SMC SMCaaS Manage apps SMC SMCaaS Enforce compliance SMC SMCaaS Control email access SMC
  28. 28. Sophos Mobile Control Key functionality Manage and control devices SMC SMCaaS Manage apps SMC SMCaaS Enforce compliance SMC SMCaaS Control email access SMC optional Mobile Security SMC SMCaaS
  29. 29. Control, secure, protect Sophos Mobile Control - Mobile Device Management On-premise or cloud-based solution to manage, control and protect mobile devices. Enable BYOD without the risks Sophos Mobile Security – Anti-Virus for Android Scans for malicious data-stealing apps and provides loss and theft protection. Free download    Protect devices from Android malware Sophos Mobile Encryption – Mobile Data Protection Extends SafeGuard Encryption for Cloud Storage to mobile devices – iOS or Android* Ensure persistent encryption
  30. 30. Mixed ownership – on the road Corporate device Personal device Compliance rules Compliance rules Blacklisted apps Blacklisted apps Data roaming Data roaming What happens when What happens when … …Sophos Mobile Control allows group or user-based compliance rules, to put fewer limitations on managed personal devices
  31. 31. Secure access – on the road We make the use of Dropbox & co. secure, our app extends that data protection to mobile devices
  32. 32. Mobile Security: settings in SMC The admin defines: • What to scan • When to scan • What the user can do Additionally they can: • Trigger a scan • Set up web filtering • Block/wipe/lock an infected or out of date device (compliance) Web protection
  33. 33. Mobile Security: compliance Mobile security
  34. 34. Anti-malware – on the road SMC admin console SOPHOS LiveConnect
  35. 35. Keep malware at bay Free Managed
  36. 36. Web Security – on the road SOPHOS LiveConnect Mobile Security – Enterprise • optional add-on to SMC • included in all of our suites • uses our threat intelligence  Great differentiator between us and key MDM competitors
  37. 37. Thank YouEMAIL: for a copy of the presentationWEB: www.anitian.comBLOG: blog.anitian.comCONTACT: Andrew Plato, CISSP, CISM, QSA President / CEO 888-ANITIAN