Mobile security and your EMR on the Move.pdf · 2020-02-20 · • Jailbreaking can thwart...
Transcript of Mobile security and your EMR on the Move.pdf · 2020-02-20 · • Jailbreaking can thwart...
Mobile security and
your EMR
Presented by:
Shawn Tester &
Allen Cornwall
Date: October 14, 2011
Overview• General Security Challenges & best practices
• Mobile EMR interfaces
- EMR Access
- Today & Future
- Mobile Challenges
- Security Threats
- Encryption
- Perimeter
- Event Correlation
- Challenge of supporting mobile platforms
Leveraging Citrix to secure mobile access
Q&A
Best Practices
• Security Policies & Procedures
• Physical Security
• Password security
• User education & ongoing training
• Regular security Audits
• Security Event Management
Security challenges
• Rogue employees- the biggest threat
• Lost mobile devices
• Physical access/security
• *NO SHARING* of access
• Writing down of passwords
Mobile EMR interfaces
• Interfaces today:• CITRIX gateway
• VPN to Terminal Servers
• Interfaces of tomorrow…..Mobility!• Browser based
• App based on tablet / SmartPhone
The need for mobile access
• Providers on-call
• Emergency services
• Convenience
• Improved productivity and patient care
Mobile challenges
• The UNIQUE challenges of supporting mobile devices as part of your enterprise network
• (Who owns the devices?)
• Effective policies
• Encryption
• How do you manage loss & theft?• Jailbreaking can thwart encryption
• Securing the mobile data
Security Threats
• Web-based and network-based attacks.
• Malware
• Social engineering attacks.
• Resource and service availability abuse.
• Malicious and unintentional data loss.
• Attacks on the integrity of the device’s data.
Encryption
• Nothing new in the theory or benefits of encryption.
• Implementation has been challenging:
– Costly
– Time Consuming
– Unreliable
• Result: very few businesses encrypt data.
Why Encrypt Now?
• Regulatory compliance
• Best practices
• Data theft has become monumental
• Business risks greater than ever
• Solutions are more cost effective and
easier to use
Why Encrypt Now?
• Lost or stolen laptops cost their corporate
owners an average of $49,246.
– Costs associated with replacement, detection,
forensics, data breach, lost intellectual
property, lost productivity, and legal,
consulting and regulatory expenses.
• Source: Intel
Lost / Stolen Laptops
• According to the same study:
• A senior executive's notebook is valued at
$28,000, while a manager's notebook is
worth $61,000.
• Source: Intel
Perimeter Security
• A Firewall– Blocks access from outsiders looking in.
– Allows specific traffic (protocols) to pass through both in and out.
– Is unable to inspect and prevent malicious code from passing through.
– Cannot discern unauthorized data being sent out.
• A Firewall is no longer sufficient perimeter security.
Intrusion Prevention System (IPS)
• An IPS inspects traffic much
like a fingerprint and compares
it to other bad fingerprints to
reject traffic and alert.
Intrusion Prevention System (IPS)
• Just because it looks like a duck,
walks like a duck, and quacks like
a duck….doesn’t mean it’s a duck.
• An IPS uses behavioral techniques
to identify malicious activity.
Event Correlation
• Event Correlation is a technique for
making sense of a large number of events
and pinpointing the few events that are
really important in a mass of information.
• Information is fed from the log entries of
servers, operating systems, routers,
firewalls, IPS’s.
Event Correlation
• While a security engineer can deal with
dozens of events an automated system
looks at thousands of events.
• The benefits can be very real: more
efficient use of staff time and skills, as
well as the prevention of revenue loss
resulting from downtime.
Five Most Common Security
Mistakes by IT Personnel
• Connecting systems to the Internet before hardening them. (Failing to disable default accounts/passwords, and unnecessary services).
• Failing to patch & update systems in a timely fashion. • Using telnet and other unencrypted protocols for
managing systems, routers, firewalls, etc.• Failing to maintain and test backups.
• Misconfiguring security devices such as firewalls.
– Source: SANS Institute
Five Most Common Security
Mistakes by Executives
• Assigning untrained people to maintain security.
• Failing to understand the relationship of information security as primarily a business issue.
• Failing to deal with the operational aspects of security (physical security, training).
• Relying primarily on a firewall (dated technology).
• Failing to realize how much money their information and organizational reputations are worth.
– Source: SANS Institute
Managed Security
• Why Outsource Security?
– Difficult for a small business to maintain an
adequate level of expertise.
– More efficient / cost effective
– Better tools and greater expertise
Mobile security Best Practices• Standardize on a single platform for your organization.
• Have effective policies.
• Perform regular audits
• Tactical– Use Encryption
– Require Authentication
– Enable “Remote Wipe” capabilities
– Enable “Remote Lock” capabilities
– Control third party apps
– Set firewall policies specific to mobile devices
– Configure IPS to monitor mobile devices
– Use mobile AV apps
– Secure Bluetooth or disable if possible
Citrix as Mobile host- an
existing solution• Secure access gateway
– The Good• Uses Citrix
• Can be managed by corporate policy
• Protected by corporate Firewall
• Connections are proxied
– The Bad• Screen no optimized for mobile – there’s a lot of screen scrolling
• Keyboard on the iPad must be manually activated
• Keyboard takes up a lot of screen real estate.
Where Are We?
• Mobility is here & growing
• What & Who’s device?
• Security concerns need
to considered & addressed