Consumerization of IT: Mobile Infrastructure, Support and Security

From a half-day workshop on Mobile Device Security with Chris Seper and Kirk Larson at Healthcare Information Transformation #HIT12, April 3, 2012, in Jacksonville, FL.

Published in: Technology

  1. Healthcare Information Transformation #HIT12 | 4/3/2012 | Jacksonville, FL. Managing and Securing Mobile Devices. Marie-Michelle Strah, PhD
  2. Introductions: Marie-Michelle Strah, PhD, Federal Program Manager, Applied Information Sciences. Ideas @ AIS: http://ideas.appliedis.com/ | michelle.strah@appliedis.com | Twitter: @cyberslate | Blog: http://lifeincapslock.com | LinkedIn: http://www.linkedin.com/in/drstrah
  3. Workshop Goals
     • Building productivity
     • Reducing risk
     • Mobile device encryption
     • Access control
     • Policy vs. technical controls
     • MDM technologies – maturity?
     • Unexpected expenses of data protection
     Source: http://www.readwriteweb.com/enterprise/2011/03/consumerization-of-it-95-of-in.php
  4. Agenda
     • Conceptualizing “mobile health” – business cases for IT infrastructure management
     • GRC – governance, risk and compliance in a CoIT framework
     • Best practices for CoIT in healthcare
     • Security Risk Analysis
     • PTA/PIA
     • Stakeholders
     • Policy vs. technical controls
     • Lessons learned | Considerations for the enterprise
  5. Introduction: #mhealth Summit 2011
     • Mobile is enabler… for patients, providers, the “wellness lifecycle” and productivity
     • From “there’s an app for that” to the enterprise information management lifecycle: content delivery; cloud and thin client
     Source: http://healthpopuli.com/2011/02/15/success-factor-for-mobile-health-mash-up-the-development-team/
  6. Conceptualizing “mobile health”
  7. The Ideal (stakeholder diagram): Employees, Contractors, Partners; Need to know, Need to manage; InfoSec, IT Ops, Legal
  8. The Reality (stakeholder diagram): Employees, Contractors, Partners; Manage, Know; InfoSec, IT Ops, Legal
  9. The Challenge (stakeholder diagram: Employees, Contractors, Partners; InfoSec, IT Ops, Legal)
     • There is no endpoint
     • There is no perimeter
     • Users own the data
     • No one owns the risk
     • Security doesn’t have control
     • IT Ops own the databases
     • IT Ops own the servers
     • IT Ops own the apps
  10. GRC for Healthcare
     • Governance – organizational and IT
     • Risk – management and mitigation
     • Compliance – HITECH/Meaningful Use
     • BYOx/CoIT *must* be part of overall GRC strategy: Security Risk Analysis; PTA/PIA; Stakeholders – CPGs, workflow, training; Policy vs. technical controls
  11. Enterprise Security Model: $S = (P^{x} \times A^{y})$. Information Security (collaborative model) equals People (all actors and agents) times Architecture (technical, physical and administrative).
  12. Complexity = Higher Risks and Costs
  13. Mobile Device Roundtable, Washington, DC, 3/16/2012: http://healthit.hhs.gov/portal/server.pt?open=512&mode=2&objID=3816
  14. Healthcare Information Transformation: MDM2MDM (diagram). Then… Mobile Device Management: device- (or hardware-) centric model, reactive posture. Toward Master Data Management / Enterprise Information Management: data-centric model.
  15. Minimum Technical Requirements (sidebar: Encryption of Data at Rest; Encryption of Data in Motion; Two Factor Authentication)
     • Policy
     • Wireless
     • Data segmentation (on premise, cloud, metadata)
     • Customer support (heterogeneity)
     • Infection control
     • MSIRT
     • Vendor evaluation (the myth of the “HIPAA Good Housekeeping Seal”)
     • Applications: APM and ALM
     • Infrastructure
     • Costs
     HIPAA Security Rule, Remote Use: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf
  16. Best Practices: Datacentric Model
     1. This is NOT an IT problem
     2. Privacy Impact Assessment: PHI, ePHI, PII (compartmentalization and segregation)
     3. Security Risk Analysis
     4. MSIRT (policy and training)
     5. Look to stakeholders for domain expertise in clinical workflows
     6. Datacentricity: use the connected health framework reference (SOA) model
     7. Governance, governance, governance
  17. Lessons Learned: Risk-based Model
     1. Define permissible mobile devices
     2. Access control policies (time/geolocation)
     3. Manage applications (third-party tools/enterprise app store)
     4. Integrate mobile devices onto the network
     5. Vendor evaluation
     6. Costs
     Source: http://www.beckershospitalreview.com/healthcare-information-technology/4-best-practices-for-hospitals-managing-mobile-devices.html
     Finally… consider issuing agency- or organization-owned devices
  18. THANK YOU!
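The following is an added example, not part of the slide deck, showing how the slide 17 controls (permissible devices, time- and geolocation-based access policies) and two of the slide 15 minimum requirements (encryption of data at rest, two-factor authentication) become a single deny-by-default technical check rather than a policy statement. The `Policy` and `AccessRequest` types, the device IDs, site coordinates and enrolled-device inventory are all constructed for illustration; a real deployment would take the device attributes from the MDM agent and inventory.

```python
"""Turning a mobile-access policy into a technical control.

Added example, not from the slide deck: evaluates a device's request
against an enrolled-device allow list, a time-of-day window and a
geofence, and requires device encryption and a completed second factor.
All devices, coordinates and policy values are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Policy:
    enrolled_devices: frozenset[str]   # device IDs known to the MDM inventory (assumed)
    allowed_platforms: frozenset[str]  # permissible device types
    window_start: time                 # access window, may wrap past midnight
    window_end: time
    fence_center: tuple[float, float]  # (lat, lon) of the permitted site
    fence_radius_km: float


@dataclass(frozen=True)
class AccessRequest:
    device_id: str
    platform: str
    at: datetime
    lat: float
    lon: float
    storage_encrypted: bool   # reported by the MDM agent (assumed attribute)
    second_factor_ok: bool    # result of the 2FA step (assumed attribute)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def in_window(t: time, start: time, end: time) -> bool:
    """True if t falls inside [start, end], including windows that cross midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def evaluate(policy: Policy, req: AccessRequest) -> tuple[str, list[str]]:
    """Deny by default: every failed check adds a reason, any reason denies."""
    reasons: list[str] = []
    if req.device_id not in policy.enrolled_devices:
        reasons.append("device not enrolled")
    if req.platform not in policy.allowed_platforms:
        reasons.append("platform not permitted")
    if not req.storage_encrypted:
        reasons.append("data at rest not encrypted")
    if not req.second_factor_ok:
        reasons.append("second factor not completed")
    if not in_window(req.at.time(), policy.window_start, policy.window_end):
        reasons.append("outside access window")
    distance = haversine_km(req.lat, req.lon, *policy.fence_center)
    if distance > policy.fence_radius_km:
        reasons.append("outside geofence")
    return ("allow" if not reasons else "deny", reasons)


# Constructed sample policy and requests (not real devices or sites).
HOSPITAL_POLICY = Policy(
    enrolled_devices=frozenset({"tablet-0012", "phone-0207"}),
    allowed_platforms=frozenset({"ios", "android"}),
    window_start=time(6, 0),
    window_end=time(20, 0),
    fence_center=(30.3322, -81.6557),  # constructed site coordinates
    fence_radius_km=5.0,
)

ON_SITE_REQUEST = AccessRequest(
    device_id="tablet-0012", platform="ios",
    at=datetime(2012, 4, 3, 9, 30), lat=30.3330, lon=-81.6560,
    storage_encrypted=True, second_factor_ok=True,
)

OFF_SITE_REQUEST = AccessRequest(
    device_id="phone-9999", platform="android",   # not in the inventory
    at=datetime(2012, 4, 3, 23, 15), lat=28.5383, lon=-81.3792,
    storage_encrypted=False, second_factor_ok=True,
)

if __name__ == "__main__":
    for r in (ON_SITE_REQUEST, OFF_SITE_REQUEST):
        print(r.device_id, *evaluate(HOSPITAL_POLICY, r))
```

Every check contributes its own reason rather than short-circuiting, so the denial record tells the MSIRT (slide 15) which control failed; a device that is merely off-site looks very different from an unenrolled, unencrypted device probing after hours. The geofence and time window are coarse controls and should be treated as risk signals that gate access to ePHI, not as a substitute for device encryption and a second factor.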
