Consumerization of IT: Mobile Infrastructure, Support and Security
0 likes•651 views
Marie-Michelle Strah gave a presentation on managing and securing mobile devices in healthcare. She discussed building productivity while reducing risk through mobile device encryption, access control, and policy versus technical controls. Her presentation covered conceptualizing "mobile health" and applying governance, risk, and compliance frameworks to consumerization of IT. She provided best practices around security risk analysis, stakeholder involvement, and defining a minimum set of technical requirements for mobile devices in healthcare.
Consumerization of IT: Mobile Infrastructure, Support and Security
- 1. Healthcare Information Transformation #HIT12 | 4/3/2012 | Jacksonville, FL Managing and Securing Mobile Devices Marie-Michelle Strah, PhD
- 2. Introductions Marie-Michelle Strah, PhD Federal Program Manager Applied Information Sciences Ideas @ AIS: http://ideas.appliedis.com/ [email protected] Twitter: @cyberslate Blog: http://lifeincapslock.com Linkedin: http://www.linkedin.com/in/drstrah
- 3. Workshop Goals • Building productivity • Reducing risk • Mobile device encryption • Access control • Policy vs. technical controls • MDM technologies – maturity? • Unexpected expenses of data protection Source: http://www.readwriteweb.com/enterprise/2011/03/consumerization-of- it-95-of-in.php
- 4. Agenda • Conceptualizing “mobile health” – business cases for IT infrastructure management • GRC – governance, risk and compliance in a CoIT framework • Best practices for CoIT in healthcare • Security Risk Analysis • PTA/PIA • Stakeholders • Policy vs. technical controls • Lessons learned | Considerations for the enterprise
- 5. Introduction: #mhealth Summit 2011 • Mobile is enabler… • Patients • Providers • “Wellness lifecycle” • Productivity • From “there’s an app for that” to enterprise information management lifecycle • Content delivery • Cloud and thin client Source: http://healthpopuli.com/2011/02/15/success-factor-for-mobile-health-mash-up- the-development-team/
- 7. The Ideal Employees Contractors Partners Need to know Need to manage InfoSec IT Ops Legal
- 8. The Reality Employees IT Ops Contractors Partners Manage Know InfoSec Legal
- 9. The Challenge • There is no endpoint • There is no perimeter • Users own the data Contractors Partners • No one owns the risk Employees • Security doesn’t have control • IT Ops own the databases • IT Ops own the servers • IT Ops own the apps InfoSec IT Ops Legal
- 10. GRC for Healthcare • Governance – organizational and IT • Risk – management and mitigation • Compliance – HITECH/Meaningful Use • BYOx/CoIT *must* be part of overall GRC strategy • Security Risk Analysis • PTA/PIA • Stakeholders – CPGs, workflow, training • Policy vs. technical controls
- 11. Enterprise Security Model 𝒙 𝒚 𝑺 = (𝑷 ∗ 𝑨 ) Information Security (Collaborative Model) Equals People (all actors and agents) Times Architecture (technical, physical and administrative)
- 12. Complexity = Higher Risks and Costs
- 13. Mobile Device Roundtable Washington, DC 3/16/2012 http://healthit.hhs.gov/portal/server.pt?open=512&mode=2&objID=3816
- 14. Healthcare Information Transformation Master Data Enterprise Then… MDM2 MDM EIM Management Information Master Management Device Management Data- centric Device- model (or hardware) Reactive centric Posture model
- 15. Minimum Technical Requirements • Policy Encryption of Data at Rest • Wireless • Data segmentation (on premise, cloud, metadata) • Customer support (heterogeneity) Encryption of • Infection control Data in Motion • MSIRT • Vendor evaluation (the myth of the “HIPAA Good Housekeeping Seal”) Two Factor • Applications: APM and ALM Authentication • Infrastructure • Costs HIPAA Security Rule: Remote Use http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf
- 16. Best Practices: Datacentric Model 1. This is NOT an IT problem 2. Privacy Impact Assessment: PHI, ePHI, PII (Compartmentalization and segregation) 3. Security Risk Analysis 4. MSIRT (policy and training) 5. Look to stakeholders for domain expertise in clinical workflows 6. Datacentricity: Use connected health framework reference (SOA) model 7. Governance, governance, governance
- 17. Lessons Learned: Risk-based Model 1. Define permissible mobile devices 2. Access control policies (time/geolocation) 3. Manage applications (third party tools/enterprise app store) 4. Integrate mobile devices onto network 5. Vendor evaluation 6. Costs Source: http://www.beckershospitalreview.com/healthcare-information-technology/4-best- practices-for-hospitals-managing-mobile-devices.html Finally… consider issuing agency or organization owned devices
- 18. THANK YOU! Marie-Michelle Strah, PhD Federal Program Manager Applied Information Sciences Ideas @ AIS: http://ideas.appliedis.com/ [email protected] Twitter: @cyberslate Blog: http://lifeincapslock.com Linkedin: http://www.linkedin.com/in/drstrah