Developing BYOD and Mobile Device Management in Healthcare · 2015-06-12 · • BYOD Usage...

Developing BYOD and Mobile Device Management in Healthcare M. Jason Cox, CISSP, CISM Information Security Office UNC Health Care System


Page 1: Developing BYOD and Mobile Device Management in Healthcare · 2015-06-12 · • BYOD Usage Agreement included a provision that participants may be required to purchase an MDM license.

Developing BYOD and Mobile Device Management in Healthcare

M. Jason Cox, CISSP, CISM Information Security Office UNC Health Care System

Page 2

Jason Cox

• Joined North State Communications in October 2001 as their second IT hire.
• Was part of a two-man shop that did everything IT.
• North State was a long-time reseller of mobile devices for BellSouth Mobility DCS, then Cingular, then AT&T.
• Translation: We got to play with a lot of cool mobile devices for their time as well as build their enterprise IT shop!
• Started at hospital in 2012, which became part of UNCHCS.

Page 3

High Point Regional’s Role in UNCHCS

• Private, Not-for-Profit Community Hospital in High Point, NC, founded in 1904
• Outpatient Services in Guilford, Randolph, Forsyth and Davidson Counties
• 69% of Patients Come from Guilford County
• Current Main Hospital Opened January 8, 1986
• 335 Staffed Beds (Licensed for 351)
• HPRH & UNC Regional Physicians Became Part of UNC Health Care System on April 1, 2013

Page 4

The Smartphone Started It…

Page 5

Page 6

Early Mobile Device Security

Page 7

Source: CA Technologies http://rewrite.ca.com/us/articles/security/infographic-how-to-stay-safe-on-the-application-autobahn.aspx

Page 8

Source: www.himssanalytics.org

Page 9

BYOD Policy ca. 2010-2011

Page 10

High Point’s Mobile Device Policy

• Policy process really started in January 2013, but picked up momentum in April.
• Need for the policy was driven by:
  – An increase in the use of tablet devices by physicians.
  – The rollout of High Point’s VMware View desktop environment, thereby increasing the demand for access.
  – A new process underway for hospitalists to be able to do charge captures electronically (a revenue generator).
  – Lack of any prior policies, but having a “de facto” BYOD scenario. (Many personally owned devices were already permitted wireless connectivity to the corporate network without any documented processes.)
  – Lack of accountability for usage of hospital-owned mobile devices, and no controls over personally owned devices.

Page 11

High Point’s Mobile Device Policy

• Policy was a combination of input from an existing private sector policy, NCHICA, and policies from other entities.
• Policy was reviewed by IT, IT Management, CMO, and other business stakeholders before being approved on July 30, 2013.
• A Mobile Device Usage Agreement was put into place for hospital-owned devices prior to final policy approval to add a layer of accountability that had not been there before.
• The Bring Your Own Device Usage Agreement was added for employee-owned devices once the policy was approved.
• Policy was not intended to address laptops, just the more highly portable mobile devices.

Page 12

High Point Policy Highlights

• Policy required the installation and use of the Mobile Device Management (MDM) client and sign-off by the participant, IT/Information Security, and an HPRH VP, Director, or Manager to “sponsor” that enrollment.
• Device enrollment was limited to no more than TWO devices.
  – Limits risk footprint.
  – Reduces potential for mobile device sprawl and license cost overruns when only one device is predominantly used by providers.
• IT did not provide support for employee-owned devices outside of the initial MDM enrollment and required app installations.

Page 13

High Point Policy Highlights

• Information Security had final authority on access and continued access by device to HPRH network resources.
• Policy mandated encryption, password, inactivity timeouts, and consent to monitoring device activity*.
• BYOD Usage Agreement included a provision that participants may be required to purchase an MDM license.
  – Mainly intended for physicians with CME dollars available that could use part of this allocation to offset some of the capital expense of new license purchases. Management has discretion based on use case.
  – At time of implementation, stipend policy had not been implemented.
• Most other areas of the policy centered around user behavior expectations. Education is critical!

Page 14

General BYOD Policy Considerations

• Develop standards for acceptable use.
• Use a risk assessment methodology for the technology to determine the value of the gain for BYOD vs. the risk.
• Obtain executive leadership support for building a program and remediation of any determined risks.
• Develop an approved classification system for mobile devices and data.

Page 15

Legal & HR Considerations

• Be able to delineate between employee-owned and enterprise-owned data on a personally owned device.
• Develop criteria for approving access and an agreement between enterprise and the user.
• What types of monitoring are allowed?
• What if a wipe needs to be performed?
• What about device backups?
• What about discovery requests?

Page 16

Security Considerations

• Base your policies and procedures around your risk assessment.
• Require encryption for confidential data at rest and in motion.
• Include standards for authentication, resetting passwords, and inactivity timeouts.
• Prohibit the enrollment of “jailbroken” (rooted) devices.
• Be able to block devices identified as posing a threat to the enterprise environment.

Page 17

Security Considerations

• Build BYOD into your provisioning and termination processes.

• Segregate your network for BYOD devices if possible.

• Require that mobile device software be kept updated.
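As an added example (not from the presentation or from UNC Health Care), the Python check below applies the controls named on these two Security Considerations slides, plus the two-device enrollment limit from the High Point policy highlights, to constructed MDM inventory records. The threshold values, record field names and sample devices are assumptions for illustration.

```python
from collections import Counter

# Thresholds are assumptions for this example; the slides name the controls, not the values.
MIN_OS_VERSION = {"ios": (8, 3), "android": (5, 1)}   # "require software be updated"
MAX_DEVICES_PER_USER = 2                               # "no more than TWO devices"
MAX_INACTIVITY_SECONDS = 900                           # mandated inactivity timeout

def check_device(dev, user_device_no, blocked_ids=frozenset()):
    """Return the policy findings for one MDM inventory record; empty means compliant."""
    findings = []
    if dev["id"] in blocked_ids:                         # "be able to block devices"
        findings.append("device identified as a threat; access blocked")
    if dev["jailbroken"]:                                # "prohibit jailbroken (rooted) devices"
        findings.append("jailbroken/rooted device; enrollment prohibited")
    if not dev["encrypted"]:                             # "policy mandated encryption"
        findings.append("storage encryption required")
    if not dev["passcode_set"]:                          # authentication standard
        findings.append("device passcode required")
    if not 0 < dev["inactivity_timeout_s"] <= MAX_INACTIVITY_SECONDS:
        findings.append("inactivity timeout missing or exceeds policy")
    minimum = MIN_OS_VERSION.get(dev["platform"])
    if minimum is None:
        findings.append("unsupported platform")
    elif dev["os_version"] < minimum:
        findings.append("OS below required version")
    if user_device_no > MAX_DEVICES_PER_USER:            # enrollment limit
        findings.append("user exceeds device enrollment limit")
    return findings

def evaluate_inventory(devices, blocked_ids=frozenset()):
    """Map device id -> findings; devices count toward a user's limit in inventory order."""
    per_user = Counter()
    report = {}
    for dev in devices:
        per_user[dev["user"]] += 1
        report[dev["id"]] = check_device(dev, per_user[dev["user"]], blocked_ids)
    return report

# Constructed sample inventory, not real data.
INVENTORY = [
    {"id": "ipad-01", "user": "dr.smith", "platform": "ios", "os_version": (8, 4),
     "encrypted": True, "passcode_set": True, "inactivity_timeout_s": 300, "jailbroken": False},
    {"id": "phone-02", "user": "dr.smith", "platform": "android", "os_version": (4, 4),
     "encrypted": True, "passcode_set": True, "inactivity_timeout_s": 600, "jailbroken": False},
    {"id": "phone-03", "user": "dr.smith", "platform": "ios", "os_version": (8, 4),
     "encrypted": True, "passcode_set": True, "inactivity_timeout_s": 300, "jailbroken": False},
    {"id": "tab-04", "user": "nurse.lee", "platform": "android", "os_version": (5, 1),
     "encrypted": False, "passcode_set": False, "inactivity_timeout_s": 0, "jailbroken": True},
]
```

Calling `evaluate_inventory(INVENTORY, blocked_ids={"phone-03"})` reports the first iPad as compliant, the Android phone as out of date, the third device as both blocked and over the enrollment limit, and the rooted tablet with four findings.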

Page 18

IT Resource Considerations

• Evaluate your technology options and their benefits and limitations.

• If staffing allows, identify a skilled, dedicated IT resource to be your mobile device security SME.

• Identify how the program will be supported and by whom in IT.

• Define and communicate appropriate device support boundaries.

Page 19

Training/Education Considerations

• Make sure BYOD program participant(s) receive a copy of the policy and understand the requirements, ramifications, and penalties of being enrolled in the BYOD program.
• Employees should sign a BYOD Usage Agreement (or digital Terms of Use agreement) that describes the voluntary nature of the program and the risks and expectations.
• An organization should make clear, before granting access, that at the end of the employment relationship corporate-provided devices must be returned and BYOD devices must be wiped of all confidential data.

Page 20

Financial Considerations

• Stipends can help to drive employee adoption and compliance.
  – $$$ get people’s attention no matter what their age.
  – Can help to avoid legal disputes over compensation for use of a “personal” device.
  – Base the level of payment on device type and/or job function(s).
• Negotiate carrier discounts as an employee benefit.
• CAN be less expensive than a corporate-liable device, but you have to consider all variables.
  – Are we adding significantly more devices that we will have to pay stipends for?
  – What are the costs of a potential MDM solution?

Page 21

Best Practices

• Basic practices for success:
  – A good policy to govern the overall program.
  – A stipend policy to encourage adoption and compliance with the “BYOD” policy.
  – A well implemented MDM solution.
• Lower budget options*:
  – Policy is still needed, but focused more on user behavior, expectations, and liability waiver for “right to wipe.”
    • Difficult to enforce.
  – Microsoft ActiveSync (for Exchange shops)
    • Can provide some centralized management, but no selective wipe or “sandboxing” capability.
  – Use of virtual desktop (VDI) or other mobile apps capable of keeping data “sandboxed.”

Page 22

The Next Wave…

Page 23

Jason Cox, CISSP, CISM
Information Security Office
UNC Health Care System
601 N. Elm St.
P.O. Box HP-5
High Point, NC 27261

Direct: (336) 878-6570
Cell: (336) 688-3598

[email protected] http://www.highpointregional.com

http://www.regionalphysicians.com

Thank You!