Roadmap to Healthcare HIPAA Compliance and Mobile Security for BYOD
1. Managing Mobile Technology In
An Acute Healthcare Setting
Interview Presentation For Post Of
Deputy IT Operations Manager
Chris Down
17th April 2013
2. Going Mobile - mHealth
• mHealth = healthcare provision supported by
mobile devices
– mobile phones / tablets
• Also PDA / phablet / netbooks / laptops
• Est. > 70% medical professionals use smartphone or
tablet at work
– patient identity & monitoring devices
• RFID tags & implants
• Smart bracelets
• Wireless sensors / telemetry
3. mHealth Application Areas
– Communication and training for healthcare staff
– Diagnostic and treatment support
– Education and awareness
– Helplines
– Quality monitoring
– Remote data collection
– Remote monitoring
– Location tracking of staff & equipment
4. Benefits
• Devices are small, light, portable
• Mobile data capture / monitoring / alerting
• Immediate / real-time access to patient or
medical data
• Remote diagnosis / consultations
– Capture / receive images to aid diagnosis
• Managed discharge & post acute support
• Right information - Right time - Right place
• Improved patient care
5. Effectiveness
• To be effective devices should leverage and
optimise the collaborative exchange of
information between all parties involved in
the care process - patient, clinicians,
consultants, nurses, pharmacists & family
• Simple use = SMS appointment reminders
• Advanced = remote monitoring of symptoms
6. Service Delivery Model
• The structure, functions & inter-relationships
pertaining to mobile device management.
• Successful SDM should take account of:
– Device Management & Support infrastructure
– Security issues
– Performance issues & Device connectivity
– Systems integration / interconnectivity
– Robust mobile device use policies
8. Support Infrastructure
– IT staff trained
• Multiple brands, o/s variants
– User training
• Device specific
• Application specific
– Support staffing level
• Increased demand
• Revise support shift patterns & staffing
9. Physical Security
– Mobile Devices are
• Portable & comparatively high value
• Small & light
• Used in multiple locations inside & outside hospital
– Theft risk (generic)
– Increased personal risk to staff ?
– Risk of damage
– Loss / misplacement
– Risk of stored data being compromised
10. Information Security
– Mobile technology is developing faster than
legislation and internal policies can cope with
– Capturing, storing and transmitting sensitive and
confidential patient information
– Devices cannot be relied on for security or encryption out of the
box: capabilities vary by platform and are often off by default or
not enforced unless managed
– Risk of serious data breach
• Assume those acquiring lost/stolen device WILL
attempt to recover data
• Impact on patient
• Regulatory & financial consequences
11. Information Security
– Multiple data vulnerabilities
• Confidentiality of data – stored / transmitted
• Data integrity – manage deliberate or accidental changes
to data being stored / transmitted
• Availability (accessibility)
– right data, right time, anywhere
– Trusted vs Untrusted networks
– Deploy Mobile Device Management systems
• Enforce user / device policies on devices
12. Information Security
– User & device authentication
• Secure 2 factor authentication
– device password + access token software
– Physical token may not be practical
– Caveat: a software token on the same device as the password
weakens the independence of the two factors; a lost unlocked
device carries both
• Session timeout / remote logout
– Encryption
• Strong encryption for
– Device & removable media
– Data in transit (SMS is not encrypted end to end and should
not carry patient-identifiable information)
• Secure VPN access
• Remote secure wipe of lost / stolen devices
13. Information Security
– Untrusted content
• Malicious 3rd party apps / URLs / QR codes
• Educate users
• Prohibit 3rd party downloads
• Restrict system browser to organisation intranet
– Use sandbox for external internet access
– Connecting device with other systems
• Disable remote backup (patient data would otherwise be copied
to a consumer cloud service outside Trust control)
• Prohibit tethering
• Restrict folder synchronisation (cloud document / file sync)
14. Connectivity
– Good quality, secure wireless required
• Seamless across clinical/support/admin areas
• Adequate capacity to handle increased traffic
• Potentially high cost to achieve
• Manage issues in shielded / high energy areas (xray)
• Ensure no interference with medical equipment
– Prevent / restrict carrier 3G wireless access for
transmission of patient information (where it must be used,
route traffic through the secure VPN)
– Lock down and secure bluetooth
15. Systems Access
– Issues of multiple mobile operating systems
• Android
• Apple's iOS
• Blackberry
• Linux
– Different versions of operating systems
– Manage the access of devices to multiple
information systems, bespoke & OTS.
16. Policies & Procedures
– Mobile devices require a different approach
– Clear, comprehensive, robust policies for:
• management and use of mobile devices
• Security & transport
– Regularly reviewed and updated
– Users should agree before being permitted access
to health systems
– End of device life procedures
17. BYOD?
– Utilise staff and clinicians' personal devices to
capture/send/receive/access patient data
– Demonstrable cost benefit to Trust
• Who is responsible for faults / damage?
– Additional complications and security issues over
and above Trust owned devices
• Policies and Procedures may restrict personal use
• Issues of 3rd party applications
• Possibility of malicious content on device
• Utilise MDM to check the device (OS version, jailbreak/root
status, encryption, passcode) and lock it down whilst connected
18. Infection Control
– Clinical staff move from patient to patient, ward to
ward
– Risk of infection/contamination transferring to
device
– Infection control procedures would need updating
– Employ alcohol based sprays / wipes
19. Summary
– Identify and manage high level threats and
vulnerabilities to patient data
– Address & manage inherent insecurity of mobile
devices
– Manage use of 3rd party apps & untrusted networks
– Manage use of / interaction with untrusted
devices (inc. BYOD)
– Manage untrusted content and browsing
– Systems to manage data exchange with existing
healthcare systems
20. Summary
– Ensure adequate support and training
• End users and ICT support staff
– Ensure adequate infection control practices
– Manage/monitor/upgrade wireless provision
– Robust, up-to-date policies and procedures
– Rigid end-of-life practices (secure wipe before disposal or reuse)