It's About the Data, Stupid: Mobile Security and BYOD for Healthcare

Webinar 10/2 on Real World Mobile Security. For more info see: http://bit.ly/OttM9m
  1. It's About the Data, Stupid! Real World Mobile Security
     www.onlinetech.com Copyright 2012 Online Tech. All rights reserved. CONFIDENTIAL 734.213.2020

  2. Speakers
     Marie-Michelle Strah, Ph.D., Founder of Phydian Systems
     Marie-Michelle Strah, Ph.D., is a healthcare enterprise architect in the Washington D.C. area specializing in strategy, information architecture, information security and data architecture for federal and commercial clients. She is the founder of Phydian Systems LLC and an adjunct professor of Healthcare Information Technology at Catholic University of America. She brings more than 15 years of experience in enterprise architecture, healthcare, information technology management, and research and development internationally.
     April Sage, Marketing Director, Online Tech
     April Sage has been involved in the IT industry for over two decades, starting in the pre-Windows era as the founder of an IT school teaching DOS, WordPerfect, and FoxPro. In the early 2000s, April founded a bioinformatics company that supported biotech, pharma, and bioinformatic companies in the development of research portals, drug discovery search engines, and other software systems. Since then, April has been involved in the development and implementation of online business plans and marketing strategies across insurance, legal, entertainment, and retail industries until her current position as Marketing Director of Online Tech.

  3. GOALS OF ENTERPRISE MOBILITY
     • Building productivity
     • Reducing risk
     • Mobile device encryption
     • Access control
     • Policy vs. technical controls
     • MDM technologies – maturity?
     • Unexpected expenses of data protection
     Source: http://www.readwriteweb.com/enterprise/2011/03/consumerization-of-it-95-of-in.php
     10/2/2012 All content (c) 2012 Phydian Systems LLC. All rights reserved.

  4. CONCEPTUALIZING "MOBILE HEALTH"
     Enterprise Mobility and Consumerization of IT

  5. TWEETING ENTERPRISE MOBILITY
     It's NOT about the device…

  6. CONCEPTUALIZING "MOBILE HEALTH"
     mHealth: Mobile is enabler…
     • Patients
     • Providers
     • "Wellness lifecycle"
     • Productivity
     From "there's an app for that" to enterprise information management lifecycle
     • Content delivery
     • Cloud and thin client
     Source: http://healthpopuli.com/2011/02/15/success-factor-for-mobile-health-mash-up-the-development-team/

  7. MOBILE HEALTH: PRIVACY AND SECURITY RISKS … BEYOND COMPLIANCE
     Mobile Health can both:
     • Increase risk
     • Reduce risk
     • Practice size affects risk profile
     Key is:
     • Planning
     • Business Case Analyses
     • Master Data Management
     54% of 464 HIPAA breaches affecting 500 or more individuals from 9/2001 to July 2012 involved loss or theft of unencrypted mobile devices.
     Sources: http://www.govinfosecurity.com/interviews/onc-plans-mobile-security-guidance-i-1629
     http://pinterest.com/pin/123849058473938431/

  8. FIRST QUESTION: WHY BYOD?
     • Conceptualizing "mobile health" – business cases for IT infrastructure management
     • GRC – governance, risk and compliance in a CoIT framework
     • Best practices for CoIT in healthcare
     • Security Risk Analysis
     • PTA/PIA
     • Stakeholders
     • Policy vs. technical controls
     • Lessons learned | Considerations for the enterprise

  9. BUSINESS CASE ANALYSIS - BYOD
     TCO (Total Cost of Ownership)
     Why BYOD? Is it actually cheaper? Are you simply shifting costs?
     • License and account management (telecom)
     • Responsive design: Testing/QA/Usability
     • Enforcement: Policies, standards, training
     • Realigning enterprise architecture for BYOD mobile environment
     • Scalability

  10. Managing human factors in mobile data management: THE IDEAL
     [Diagram: Employees, Contractors and Partners on the "need to know" side; InfoSec, IT Ops and Legal on the "need to manage" side.]

  11. Managing human factors in mobile data management: THE REALITY
     [Diagram: the same groups (Employees, Contractors, Partners, IT Ops, InfoSec, Legal) redistributed between "manage" and "know", with IT Ops now on the "manage" side.]

  12. THE CHALLENGE: Adopting Governance and Risk Based Model to BYOD
     • There is no endpoint
     • There is no perimeter
     • Users own the data
     • No one owns the risk
     • Security doesn't have control
     • IT Ops own the databases
     • IT Ops own the servers
     • IT Ops own the apps
     [Diagram labels: Employees, Contractors, Partners; InfoSec, IT Ops, Legal]

  13. GRC FOR HEALTHCARE
     • Governance – organizational and IT
     • Risk – management and mitigation
     • Compliance – HITECH/Meaningful Use/42 CFR
     • BYOx/CoIT *must* be part of overall GRC strategy
     • Security Risk Analysis
     • PTA/PIA
     • Stakeholders – CPGs, workflow, training
     • Policy vs. technical controls

  14. HIGH LEVEL REFERENCE ARCHITECTURE: MOBILE HEALTH
     Source: http://www.mobilehealthlive.org/publications/discussion-papers/a-high-level-reference-architecture-for-mobile-health/20460/

  15. MASTER DATA HUB AND EXAMPLES
     Case Studies
     So it's about the data, and… … the device, but not "just" about the device
     VA looks to establish BYOD mobile device management protocols (www.mhimss.org)
     • MDM software
     • Systems, network, apps supported by VA
     • No jailbroken devices
     • Wiping personal devices if compromised
     • Rules of behavior required if storing VA data
     • Personal device can be brought under VA control if needed

  16. HEALTHCARE INFORMATION TRANSFORMATION
     [Diagram: Then… MDM (Mobile Device Management): device- (or hardware-) centric model, reactive posture → MDM2 (Master Data Management): data-centric model → EIM (Enterprise Information Management)]

  17. MINIMUM TECHNICAL REQUIREMENTS
     • Policy
     • Wireless
     • Data segmentation (on premise, cloud, metadata)
     • Customer support (heterogeneity)
     • Infection control
     • MSIRT
     • Vendor evaluation (the myth of the "HIPAA Good Housekeeping Seal")
     • Applications: APM and ALM
     • Infrastructure
     • Costs
     Callouts: Encryption of Data at Rest; Encryption of Data in Motion; Two Factor Authentication
     HIPAA Security Rule: Remote Use
     http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf

  18. QUESTIONS?

  19. Upcoming Events
     • SecureWorld Expo – Detroit, MI, October 3rd & 4th
     • Midwest HIMSS – Des Moines, IA, November 11th-13th
     • mHealth Summit – Washington, DC, December 3rd-5th
     • HIMSS 2013 – New Orleans, March 3rd-7th 2013, Booth # 1369
     Contact Info
     Marie-Michelle Strah, @cyberslate, http://www.linkedin.com/in/drstrah, mstrah@phydiansystems.com, www.phydiansystems.com
     April Sage, asage@onlinetech.com, www.onlinetech.com, Main: 734-213-2020