It's About the Data, Stupid: Mobile Security and BYOD for Healthcare


Uploaded by: marie-michelle-strah-phd

Posted on 01-Dec-2014


DESCRIPTION

Webinar 10/2 on Real World Mobile Security. For more info see: http://bit.ly/OttM9m

TRANSCRIPT

Page 1: It's About the Data, Stupid: Mobile Security and BYOD for Healthcare

www.onlinetech.com Copyright 2012 Online Tech. All rights reserved. CONFIDENTIAL 734.213.2020

It's About the Data, Stupid! Real World Mobile Security

Page 2


Speakers Marie-Michelle Strah, Ph.D., Founder of Phydian Systems

Marie-Michelle Strah, Ph.D., is a healthcare enterprise architect in the Washington D.C. area specializing in strategy, information architecture, information security and data architecture for federal and commercial clients. She is the founder of Phydian Systems LLC and an adjunct professor of Healthcare Information Technology at Catholic University of America. She brings more than 15 years of experience in enterprise architecture, healthcare, information technology management, and research and development internationally.

April Sage, Marketing Director, Online Tech

April Sage has been involved in the IT industry for over two decades, starting in the pre-Windows era as the founder of an IT school teaching DOS, WordPerfect, and FoxPro. In the early 2000s, April founded a bioinformatics company that supported biotech, pharma, and bioinformatic companies in the development of research portals, drug discovery search engines, and other software systems. Since then, April has been involved in the development and implementation of online business plans and marketing strategies across insurance, legal, entertainment, and retail industries until her current position as Marketing Director of Online Tech.

Page 3

GOALS OF ENTERPRISE MOBILITY

• Building productivity

• Reducing risk

• Mobile device encryption

• Access control

• Policy vs. technical controls

• MDM technologies – maturity?

• Unexpected expenses of data protection

Source: http://www.readwriteweb.com/enterprise/2011/03/consumerization-of-it-95-of-in.php

10/2/2012 All content (c) 2012 Phydian Systems LLC. All rights reserved. 3

Page 4

CONCEPTUALIZING “MOBILE HEALTH”

Enterprise Mobility and Consumerization of IT


Page 5

TWEETING ENTERPRISE MOBILITY

It’s NOT about the device…

Page 6

CONCEPTUALIZING “MOBILE HEALTH”

mHealth: Mobile is enabler…

• Patients

• Providers

• “Wellness lifecycle”

• Productivity

From “there’s an app for that” to enterprise information management lifecycle

• Content delivery

• Cloud and thin client

Source: http://healthpopuli.com/2011/02/15/success-factor-for-mobile-health-mash-up-the-development-team/


Page 7

MOBILE HEALTH: PRIVACY AND SECURITY RISKS… BEYOND COMPLIANCE

Mobile Health can both:

• Increase risk

• Reduce risk

• Practice size affects risk profile

Key is:

• Planning

• Business Case Analyses

• Master Data Management

Sources:

http://www.govinfosecurity.com/interviews/onc-plans-mobile-security-guidance-i-1629

http://pinterest.com/pin/123849058473938431/

54% of 464 HIPAA breaches affecting 500 or more individuals from 9/2001 to July 2012 involved loss or theft of unencrypted mobile devices


Page 8

FIRST QUESTION: WHY BYOD?

• Conceptualizing “mobile health” – business cases for IT infrastructure management

• GRC – governance, risk and compliance in a CoIT framework

• Best practices for CoIT in healthcare

• Security Risk Analysis

• PTA/PIA

• Stakeholders

• Policy vs. technical controls

• Lessons learned | Considerations for the enterprise


Page 9

BUSINESS CASE ANALYSIS - BYOD

TCO (Total Cost of Ownership)

Why BYOD? Is it actually cheaper? Are you simply shifting costs?

• License and account management (telecom)

• Responsive design: Testing/QA/Usability

• Enforcement: Policies, standards, training

• Realigning enterprise architecture for BYOD mobile environment

• Scalability


Page 10

THE IDEAL

Diagram: Employees, Contractors, Partners | InfoSec, IT Ops, Legal | “Need to manage” and “Need to know”

Managing human factors in mobile data management

Page 11

THE REALITY

Diagram: Employees, Contractors, Partners | InfoSec, IT Ops, Legal | “Know” and “Manage”

Managing human factors in mobile data management

Page 12

THE CHALLENGE

Diagram: Employees, Contractors, Partners | InfoSec, IT Ops, Legal

• There is no endpoint

• There is no perimeter

• Users own the data

• No one owns the risk

• Security doesn’t have control

• IT Ops own the databases

• IT Ops own the servers

• IT Ops own the apps

Adopting a Governance and Risk-Based Model for BYOD

Page 13

GRC FOR HEALTHCARE

• BYOx/CoIT *must* be part of overall GRC strategy

• Security Risk Analysis

• PTA/PIA

• Stakeholders – CPGs, workflow, training

• Policy vs. technical controls

• Governance – organizational and IT

• Risk – management and mitigation

• Compliance – HITECH/Meaningful Use/42 CFR


Page 14

HIGH LEVEL REFERENCE ARCHITECTURE - MOBILE HEALTH

Source: http://www.mobilehealthlive.org/publications/discussion-papers/a-high-level-reference-architecture-for-mobile-health/20460/


Page 15

MASTER DATA HUB AND EXAMPLES

Case Studies

VA looks to establish BYOD mobile device management protocols (www.mhimss.org)

• MDM software

• Systems, network, apps supported by VA

• No jailbroken devices

• Wiping personal devices if compromised

• Rules of behavior required if storing VA data

• Personal device can be brought under VA control if needed

So it’s about the data, and… the device, but not “just” about the device


Page 16

HEALTHCARE INFORMATION TRANSFORMATION

Diagram: from a reactive posture and a device- (or hardware-) centric model to a data-centric model; MDM (Master Data Management) and EIM (Enterprise Information Management) first, then MDM2 (Master Device Management)

Page 17

MINIMUM TECHNICAL REQUIREMENTS

• Encryption of Data at Rest

• Encryption of Data in Motion

• Two Factor Authentication

• Policy

• Wireless

• Data segmentation (on premise, cloud, metadata)

• Customer support (heterogeneity)

• Infection control

• MSIRT

• Vendor evaluation (the myth of the “HIPAA Good Housekeeping Seal”)

• Applications: APM and ALM

• Infrastructure

• Costs

HIPAA Security Rule: Remote Use

http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf

Page 18

QUESTIONS?


Page 19

Upcoming Events

SecureWorld Expo: Detroit, MI, October 3rd & 4th

Midwest HIMSS: Des Moines, IA, November 11th-13th

mHealth Summit: Washington, DC, December 3rd-5th

HIMSS 2013: New Orleans, March 3rd-7th 2013, Booth # 1369

Contact Info

Marie-Michelle Strah
@cyberslate
http://www.linkedin.com/in/drstrah
[email protected]
www.phydiansystems.com

April Sage
[email protected]
www.onlinetech.com
Main: 734-213-2020