Marie-Michelle Strah gave a presentation on managing and securing mobile devices in healthcare. She discussed building productivity while reducing risk through mobile device encryption, access control, and policy versus technical controls. Her presentation covered conceptualizing "mobile health" and applying governance, risk, and compliance frameworks to consumerization of IT. She provided best practices around security risk analysis, stakeholder involvement, and defining a minimum set of technical requirements for mobile devices in healthcare.
2. Introductions
Marie-Michelle Strah, PhD
Federal Program Manager
Applied Information Sciences
Ideas @ AIS: http://ideas.appliedis.com/
michelle.strah@appliedis.com
Twitter: @cyberslate
Blog: http://lifeincapslock.com
Linkedin: http://www.linkedin.com/in/drstrah
3. Workshop Goals
• Building productivity
• Reducing risk
• Mobile device encryption
• Access control
• Policy vs. technical controls
• MDM technologies – maturity?
• Unexpected expenses of data protection
Source: http://www.readwriteweb.com/enterprise/2011/03/consumerization-of-it-95-of-in.php
4. Agenda
• Conceptualizing “mobile health” – business cases for IT infrastructure management
• GRC – governance, risk and compliance in a CoIT framework
• Best practices for CoIT in healthcare
• Security Risk Analysis
• PTA/PIA
• Stakeholders
• Policy vs. technical controls
• Lessons learned | Considerations for the enterprise
5. Introduction: #mhealth Summit 2011
• Mobile is enabler…
• Patients
• Providers
• “Wellness lifecycle”
• Productivity
• From “there’s an app for that” to enterprise information management lifecycle
• Content delivery
• Cloud and thin client
Source: http://healthpopuli.com/2011/02/15/success-factor-for-mobile-health-mash-up-the-development-team/
7. The Ideal
[Diagram: Employees, Contractors and Partners on one side; InfoSec, IT Ops and Legal on the other, linked by “Need to know” and “Need to manage”]
8. The Reality
[Diagram: Employees, IT Ops, Contractors and Partners grouped together around “Manage” and “Know”; InfoSec and Legal set apart]
9. The Challenge
• There is no endpoint
• There is no perimeter
• Users own the data
• No one owns the risk
• Security doesn’t have control
• IT Ops own the databases
• IT Ops own the servers
• IT Ops own the apps
[Diagram: Employees, Contractors and Partners on one side; InfoSec, IT Ops and Legal on the other]
10. GRC for Healthcare
• Governance – organizational and IT
• Risk – management and mitigation
• Compliance – HITECH/Meaningful Use
• BYOx/CoIT *must* be part of overall GRC strategy
• Security Risk Analysis
• PTA/PIA
• Stakeholders – CPGs, workflow, training
• Policy vs. technical controls
11. Enterprise Security Model
$S = (P^{x} \ast A^{y})$
S = Information Security (Collaborative Model)
P = People (all actors and agents)
A = Architecture (technical, physical and administrative)
Information Security equals People times Architecture
14. Healthcare Information Transformation
[Figure: Master Data Management (MDM) → Enterprise Information Management (EIM) → Master Device Management (MDM2). Then… a device- (or hardware-) centric model with a reactive posture; the target is a data-centric model.]
15. Minimum Technical Requirements
Encryption of Data at Rest | Encryption of Data in Motion | Two Factor Authentication
• Policy
• Wireless
• Data segmentation (on premise, cloud, metadata)
• Customer support (heterogeneity)
• Infection control
• MSIRT
• Vendor evaluation (the myth of the “HIPAA Good Housekeeping Seal”)
• Applications: APM and ALM
• Infrastructure
• Costs
HIPAA Security Rule: Remote Use
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf
16. Best Practices: Datacentric Model
1. This is NOT an IT problem
2. Privacy Impact Assessment: PHI, ePHI, PII
(Compartmentalization and segregation)
3. Security Risk Analysis
4. MSIRT (policy and training)
5. Look to stakeholders for domain expertise in clinical workflows
6. Datacentricity: Use connected health framework reference (SOA) model
7. Governance, governance, governance
17. Lessons Learned: Risk-based Model
1. Define permissible mobile devices
2. Access control policies (time/geolocation)
3. Manage applications (third party tools/enterprise app store)
4. Integrate mobile devices onto network
5. Vendor evaluation
6. Costs
Source: http://www.beckershospitalreview.com/healthcare-information-technology/4-best-practices-for-hospitals-managing-mobile-devices.html
Finally… consider issuing agency or organization owned devices
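The controls on slide 15 (encryption of data at rest, two-factor authentication) and slide 17 (permissible devices, time/geolocation access policy, a managed enterprise app store) are easiest to reason about as one deny-by-default decision. The following is an added example, not code from the presentation or from AIS: a small policy evaluator that takes a device posture report and an access request and returns every failed control. All platform versions, hours, coordinates, app identifiers and sample devices are constructed, hypothetical policy values.

```python
# Added example (not from the presentation): deny-by-default access check for a
# mobile device requesting ePHI. Combines the posture controls of slide 15 with
# the risk-based controls of slide 17. Every policy value below is hypothetical.
from dataclasses import dataclass
from datetime import datetime, time
from math import radians, sin, cos, asin, sqrt

# --- Hypothetical policy values (assumptions, not from the deck) ---
PERMITTED_PLATFORMS = {"ios": (15, 0), "android": (12, 0)}   # minimum OS version per platform
ACCESS_WINDOW = (time(6, 0), time(22, 0))                      # permitted local hours
GEOFENCE_CENTER_DEG = (38.8977, -77.0365)                      # constructed site location (lat, lon)
GEOFENCE_RADIUS_KM = 2.0
APP_ALLOWLIST = {"org.example.ehr", "org.example.securemail"}  # hypothetical enterprise app store IDs


@dataclass
class Device:
    platform: str
    os_version: tuple          # e.g. (15, 4)
    mdm_enrolled: bool
    encrypted_at_rest: bool
    jailbroken: bool
    second_factor_ok: bool     # session presented a valid second factor


@dataclass
class Request:
    device: Device
    when: datetime             # local time of the request
    location_deg: tuple        # (lat, lon) reported by the MDM agent
    app_id: str


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs given in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def evaluate(req):
    """Return (allowed, reasons). Every failed control is recorded, not just the
    first, so the MSIRT sees the whole picture when a request is denied."""
    d = req.device
    reasons = []

    # Slide 17 #1: define permissible mobile devices (platform and minimum OS)
    min_ver = PERMITTED_PLATFORMS.get(d.platform)
    if min_ver is None:
        reasons.append(f"platform {d.platform!r} is not a permitted device")
    elif d.os_version < min_ver:
        reasons.append(f"OS {d.os_version} below minimum {min_ver}")

    # Slide 15: posture the device must prove before it touches ePHI
    if not d.mdm_enrolled:
        reasons.append("device not enrolled in MDM")
    if not d.encrypted_at_rest:
        reasons.append("data at rest not encrypted")
    if d.jailbroken:
        reasons.append("device is jailbroken/rooted")
    if not d.second_factor_ok:
        reasons.append("two-factor authentication not satisfied")

    # Slide 17 #3: manage applications through an allowlist
    if req.app_id not in APP_ALLOWLIST:
        reasons.append(f"app {req.app_id!r} not in enterprise app store allowlist")

    # Slide 17 #2: time and geolocation access policy
    start, end = ACCESS_WINDOW
    if not (start <= req.when.time() <= end):
        reasons.append(f"request at {req.when.time()} outside access window")
    dist = haversine_km(req.location_deg, GEOFENCE_CENTER_DEG)
    if dist > GEOFENCE_RADIUS_KM:
        reasons.append(f"device {dist:.1f} km from site, outside {GEOFENCE_RADIUS_KM} km geofence")

    return (not reasons, reasons)


def demo():
    """Constructed sample requests: one compliant device, one failing every control."""
    good = Device("ios", (16, 2), True, True, False, True)
    ok, why = evaluate(Request(good, datetime(2011, 12, 5, 9, 30),
                               GEOFENCE_CENTER_DEG, "org.example.ehr"))
    bad = Device("android", (10, 0), False, False, True, False)
    ok2, why2 = evaluate(Request(bad, datetime(2011, 12, 5, 23, 30),
                                 (39.0, -77.0365), "com.example.game"))
    return ok, why, ok2, why2


if __name__ == "__main__":
    for allowed, reasons in (demo()[0:2], demo()[2:4]):
        print("ALLOW" if allowed else "DENY", reasons)
```

The check is intentionally stateless: the MDM agent supplies the posture facts, and policy (the constants at the top) stays separate from the technical control (the function), which is the policy-versus-technical-controls split the deck keeps returning to.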
18. THANK YOU!