“Just by having an app on your device, (a cybercriminal) can determine your call history, take your contact list info, if they choose to.”
That’s how vulnerable smartphones, tablets and their mobile ilk actually are, Jim Routh said, and it’s not just the devices that chief information security officers like him have to worry about.
Making things even more complicated is the fact that some 1,800 cloud services exist today — in healthcare alone. What’s more, social networks are the most popular use for mobile devices, and cloud providers are better at collecting data than protecting it.
“You’re forced to consider different options and models based on new and emerging technology,” Routh, who is Aetna’s CISO, said during the HIMSS Media and Healthcare IT News Privacy and Security Forum in Boston, Sept. 8-9.
Perhaps nowhere more so than in crafting Bring-Your-Own-Device and social media policies.
[See also: 'Ethical hacker' calls BYOD a nightmare.]
Fits and starts
Two years ago Kaiser Permanente did not allow employees to bring their own devices to work.
“I got in trouble with our communications folks for saying that we have to look at BYOD because that’s the trend,” said Jason Zellmer, executive director of technology risk management at Kaiser.
Leap forward to today and things have changed, but only a bit.
“We are in pilot mode,” Zellmer explained. “The policy is still ‘no,' but it is something we’re piloting.”
Kaiser approached a BYOD policy methodically and practicably by trying to understand three things: What people want to use their own devices for, what risks are associated with doing so, and what exactly to permit employees to do with such hardware and applications.
Whereas Providence Health and Services does allow for BYOD, Chief Information Security Officer Michael Boyd described the Seattle-based health system's experience as being similar to Kaiser’s.
“We set the bar five years ago at applying security controls that were easy,” Boyd said. If the device and data can’t be encrypted, for instance, employees simply can't bring it.
That’s the kind of rule that Robert Thibadeau would likely call “a good policy.”
[See also: 3 tips to avoid BYOD breaches.]
Governing for obedience
As the chief scientist at enterprise security software vendor Wave Systems, Thibadeau said one of the most difficult problems in establishing BYOD policies is that IT will inevitably set parameters that employees disagree with, and in turn, those same users don’t exactly understand that IT shops are basically in the middle of finding their way through this.
“No jailbreaking — that’s a good policy. People will obey the good rules,” Thibadeau said. “You can’t govern without the consent of the governed.”
Other policies can be much trickier to enforce. Take the rule that employees can't send a text message with protected health information, for example.
It makes sense on paper, but Tom Walsh, president of his eponymous consulting company, described the real-life scenario in which a doctor tells a nurse to send lab results “not through e-mail, not a phone call,” but via text.
“One size doesn’t fit all,” Walsh said. “There is some risk; no business runs risk-free. We know that.”
SMAC
Beth Israel Deaconness Medical Center's CIO and acting CISO John Halamka, MD, said BYOD guidelines should also relate to social media policies, and others for hardware peripherals, such as USB drives.
At the very least “every endpoint, whatever it is, must be controlled and encrypted,” Halamka said. “There’s a lot to be said for bumping up policies.”
Routh thinks in terms of SMAC: social, mobile, analytics and cloud.
Those four are intertwined because social networks comprise the most popular apps on mobile devices, the amount of user behavior data is exponentially greater there than anywhere else, and that ultimately drives companies to analyze it.
As is the case with broader information security, Routh said understanding risk profiles of apps and devices, as well as the ways that employees use them, is essential to understanding which services to support.
“I’m promoting the use of social networks but recommending the ones with the least risk,” Routh said. “I get to enforce the right behavior.”
Which is exactly what providers such as Kaiser and Providence are aiming to accomplish when precisely etching out rules and guidelines that enable employees to be more productive while also protecting the organization and patient data.
“Obviously,” Walsh said, “it all starts with policy.”
