Years ago, I worked for a large Fortune 500 healthcare company. Obviously this company was concerned about it's requirements under HIPAA - at the time cell phones were being used but they were not the same as today. Some had cameras, but many phones were simple flip phones without cameras. Because a camera is a way in which you can gather, capture and move data, the company was rightly concerned about the new "camera-phones" and instituted a policy restricting their use and/or possession on company grounds.
Can you imagine what the compliance rate would be on that policy today? I'm not certain you can purchase a new phone today without a camera. We may have to revert to the vintage electronics section of eBay to find such a dinosaur of technology. In today's healthcare environment, you have every single employee, from the doctor to the janitor, carrying not only one smart device, complete with camera, WIFI and the capability to instantly post the latest thought or photograph to Facebook, but it's likely some of these people have an iPad, some other tablet or small form factor laptop in their shirt pocket.
We can no longer dictate that no one have these devices. We have no effective administrative control that we can use to limit or restrict the presence of these devices - policies prohibiting something which has become woven into the very fabric of our culture would only be ignored. It's like prohibiting them from bringing in their shoes or wallet. The key point here - a large risk has become assimilated into the culture, so much so that we've crossed the point of prohibition. We only stand in front of this fast-moving train at our peril. If we are to be effective, we must learn how to jump on board this thing as it's moving and at least find some room in the driver's car to figure out a way of putting some controls in place.
As with anything else, our usual template of Information Security will suffice - we need a well-conceived set of administrative and technical controls - our policy, while still acknowledging that every living creature on the planet is organically attached to a smart device, must dictate that the user will follow the policy at risk of termination and permanent smart-phone-ectomy. This policy sets the table firmly for other controls - but why is this piece so important?
I have a tool that I am permanently attached to, that I take home with me, I use in the car, in the bathroom, it's my alarm clock, the way I check the news and the weather, the way I talk to my 14-year old, the thing that tells me when my favorite cigar goes on sale and lets me take notes or dictate. This list really can go on forever - just look through the app store and you'll find just about anything to meet your needs and help you make your day more efficient.
Because of the fact that this device is our constant companion, we tend to be more lax with it - we don't treat it like a work device. So we must force users to understand the importance of turning on their brains with respect to using the device. We must educate users on the risk of using the device and their responsibility to use it wisely. And we must put in some common sense controls which, while not prohibiting the usage of these devices, controls exactly what we want to control.
Today's solution to this problem is mobile security- some tool or agent which is installed on the device and phones home - the console can force a passcode (which means forcing encryption of the device), it can alert on devices which are out of compliance, let me know when the devices moves from place to place. It's a happy compromise - I can't prohibit it but I can restrict certain things and wipe the device if it's lost or stolen. I can force the thing to encrypt the data. And I can "sort-of" disable the device's camera.
As a security guy in charge of infosec for a hospital, that's really what I care most about. We cannot stop the train of mobile devices - we have to learn to get on-board and help steer away from our most critical asset - patient data.
No comments:
Post a Comment