Mobile security and your EMR on the Move.pdf · 2020-02-20

Mobile security and your EMR Presented by: Shawn Tester & Allen Cornwall Date: October 14, 2011



Overview

• General Security Challenges & best practices

• Mobile EMR interfaces

- EMR Access

- Today & Future

- Mobile Challenges

- Security Threats

- Encryption

- Perimeter

- Event Correlation

- Challenge of supporting mobile platforms

• Leveraging Citrix to secure mobile access

• Q&A


Best Practices

• Security Policies & Procedures

• Physical Security

• Password security

• User education & ongoing training

• Regular security Audits

• Security Event Management


Security challenges

• Rogue employees - the biggest threat

• Lost mobile devices

• Physical access/security

• *NO SHARING* of access

• Writing down of passwords


Mobile EMR interfaces

• Interfaces today:

– CITRIX gateway

– VPN to Terminal Servers

• Interfaces of tomorrow… Mobility!

– Browser based

– App based on tablet / SmartPhone


The need for mobile access

• Providers on-call

• Emergency services

• Convenience

• Improved productivity and patient care


Mobile challenges

• The UNIQUE challenges of supporting mobile devices as part of your enterprise network

• (Who owns the devices?)

• Effective policies

• Encryption

• How do you manage loss & theft?

• Jailbreaking can thwart encryption

• Securing the mobile data


Security Threats

• Web-based and network-based attacks.

• Malware

• Social engineering attacks.

• Resource and service availability abuse.

• Malicious and unintentional data loss.

• Attacks on the integrity of the device’s data.


Encryption

• Nothing new in the theory or benefits of encryption.

• Implementation has been challenging:

– Costly

– Time Consuming

– Unreliable

• Result: very few businesses encrypt data.


Why Encrypt Now?

• Regulatory compliance

• Best practices

• Data theft has become monumental

• Business risks greater than ever

• Solutions are more cost effective and easier to use


Why Encrypt Now?

• Lost or stolen laptops cost their corporate owners an average of $49,246.

– Costs associated with replacement, detection, forensics, data breach, lost intellectual property, lost productivity, and legal, consulting and regulatory expenses.

• Source: Intel


Lost / Stolen Laptops

• According to the same study:

• A senior executive's notebook is valued at $28,000, while a manager's notebook is worth $61,000.

• Source: Intel


Perimeter Security

• A Firewall

– Blocks access from outsiders looking in.

– Allows specific traffic (protocols) to pass through both in and out.

– Is unable to inspect and prevent malicious code from passing through.

– Cannot discern unauthorized data being sent out.

• A Firewall is no longer sufficient perimeter security.


Intrusion Prevention System (IPS)

• An IPS inspects traffic much like a fingerprint and compares it to known bad fingerprints to reject traffic and alert.


Intrusion Prevention System (IPS)

• Just because it looks like a duck, walks like a duck, and quacks like a duck… doesn’t mean it’s a duck.

• An IPS uses behavioral techniques to identify malicious activity.


Event Correlation

• Event Correlation is a technique for making sense of a large number of events and pinpointing the few events that are really important in a mass of information.

• Information is fed from the log entries of servers, operating systems, routers, firewalls, and IPSs.


Event Correlation

• While a security engineer can deal with dozens of events, an automated system looks at thousands of events.

• The benefits can be very real: more efficient use of staff time and skills, as well as the prevention of revenue loss resulting from downtime.
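
An added example (not from the original presentation) of the event correlation described on these two slides: entries from a firewall, an IPS and a server are grouped by source address, and only an address reported by several log sources within a short time window is raised as an incident. The log entries, field layout, window and threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events: (epoch_seconds, log_source, src_ip, message).
# Sources mirror the slide (servers, firewalls, IPS); all values are made up.
SAMPLE_EVENTS = [
    (1000, "firewall", "198.51.100.7", "deny tcp/23"),
    (1010, "firewall", "203.0.113.9", "allow tcp/443"),
    (1030, "ips",      "203.0.113.9", "signature match: brute-force pattern"),
    (1045, "server",   "203.0.113.9", "failed login user=emr_admin"),
    (1050, "server",   "203.0.113.9", "failed login user=emr_admin"),
    (1400, "firewall", "198.51.100.7", "deny tcp/23"),
    (2000, "server",   "192.0.2.44", "failed login user=jdoe"),
    (9000, "ips",      "192.0.2.44", "signature match: port scan"),
]

def correlate(events, window=300, min_sources=3):
    """Return one incident per src_ip that is reported by at least
    `min_sources` distinct log sources within `window` seconds.
    Events that never meet that bar are treated as background noise."""
    by_ip = defaultdict(list)
    for ts, source, ip, msg in sorted(events):
        by_ip[ip].append((ts, source, msg))

    incidents = []
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the left edge forward until the span fits the window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            sources = {s for _, s, _ in in_window}
            if len(sources) >= min_sources:
                incidents.append({
                    "src_ip": ip,
                    "first_seen": in_window[0][0],
                    "last_seen": in_window[-1][0],
                    "sources": sorted(sources),
                    "events": [m for _, _, m in in_window],
                })
                break  # one incident per address is enough for triage
    return incidents

if __name__ == "__main__":
    for incident in correlate(SAMPLE_EVENTS):
        print(incident)
```

Of the eight sample events, only the address seen by the firewall, the IPS and the server within five minutes is reported; the repeated firewall denies and the two widely separated events from the third address are not.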


Five Most Common Security Mistakes by IT Personnel

• Connecting systems to the Internet before hardening them. (Failing to disable default accounts/passwords, and unnecessary services).

• Failing to patch & update systems in a timely fashion.

• Using telnet and other unencrypted protocols for managing systems, routers, firewalls, etc.

• Failing to maintain and test backups.

• Misconfiguring security devices such as firewalls.

– Source: SANS Institute


Five Most Common Security Mistakes by Executives

• Assigning untrained people to maintain security.

• Failing to understand the relationship of information security as primarily a business issue.

• Failing to deal with the operational aspects of security (physical security, training).

• Relying primarily on a firewall (dated technology).

• Failing to realize how much money their information and organizational reputations are worth.

– Source: SANS Institute


Managed Security

• Why Outsource Security?

– Difficult for a small business to maintain an adequate level of expertise.

– More efficient / cost effective

– Better tools and greater expertise


Mobile security Best Practices

• Standardize on a single platform for your organization.

• Have effective policies.

• Perform regular audits

• Tactical

– Use Encryption

– Require Authentication

– Enable “Remote Wipe” capabilities

– Enable “Remote Lock” capabilities

– Control third party apps

– Set firewall policies specific to mobile devices

– Configure IPS to monitor mobile devices

– Use mobile AV apps

– Secure Bluetooth or disable if possible


Citrix as Mobile host - an existing solution

• Secure access gateway

– The Good

• Uses Citrix

• Can be managed by corporate policy

• Protected by corporate Firewall

• Connections are proxied

– The Bad

• Screen not optimized for mobile – there’s a lot of screen scrolling

• Keyboard on the iPad must be manually activated

• Keyboard takes up a lot of screen real estate.


Where Are We?

• Mobility is here & growing

• What & whose device?

• Security concerns need to be considered & addressed


Questions?


207.553.1517