Over the past several years, mobile device management (MDM) strategies have evolved as healthcare organizations figure out the best way to manage their mobile devices. Implementing mobile device security without infringing on users’ personal data, and without giving devices too much freedom to access potentially threatening data, is a heavy consideration entities need to weigh when coming up with a device management strategy.
The lines between managing actual devices and managing applications have blurred over the past several years, according to MOBI Senior Vice President Chris Koeneman. Almost all MDM providers have an application management component.
“It's more important to secure the app over the device,” Koeneman told HITInfrastructure.com. “If you're securing the app, you're securing access to that application. The device is more difficult to secure, especially in a bring-your-own-device (BYOD) environment.”
“When securing the device, you're trying to govern the use of that device,” he continued. “When you're securing the app, you're securing that individual app no matter what device is accessing it.”
There still is a place for mobile application management (MAM) solutions, but many MDM providers are including MAM in their offerings because of the importance of securing applications.
Healthcare organizations have a variety of different users who may require different mobile devices. The trend towards BYOD also proves to be a challenge for organizations when they’re planning out their mobile strategies.
Many entities have contract workers or doctors that work out of several different hospitals. These types of users will often choose to bring their own device so they can consistently use the same device no matter where they are. BYOD also saves organizations money because they don’t have to buy expensive devices for each worker.
However, BYOD has restrictions that healthcare organizations may consider too much of a hassle to include it as a part of their device management strategy. Entities must decide beforehand how to handle key security issues.
What are the rights of the healthcare institution when a BYOD user is no longer associated with the organization? What are the organization’s rights with wiping information off of a device?
“The organization needs to make sure that corporate information is off the device,” Koeneman advised. “But the organization doesn’t own that device. What are the organization’s rights to do that?”
“The law is not clear on BYOD and it's inconsistent state by state,” he continued. “We've actually seen healthcare trend away from BYOD because healthcare institutions never save as much money as they thought they would on BYOD. Unless they own that device, they don't know what their rights are on wiping information off of that device.”
BYOD devices also carry a higher risk of shadow IT, which can put the network at risk.
Shadow IT occurs when users access PHI on an unauthorized personal device or through an unapproved third-party application. Outdated and unsupported apps on personal devices can potentially infect the network when the user accesses corporate data.
“Shadow IT is one of the reasons why we need to focus more on application security rather than device security,” said Koeneman. “One of the ways to deal with shadow IT is to defend the applications. Even if a user does create some sort of shadow IT, they're still going to have to get through the security that’s built around the application.”
Koeneman suggested that organizations consider strategies where they own the device. That way entities don’t have to worry about device ownership and what rights they have when information needs to be removed from a user’s personal device. Koeneman added that organizations should research their options before implementing a policy.
“It’s important to create an opt-in option for the employee,” said Koeneman. “It's fairly easy to research and it can be implemented easily, and it shouldn’t be overlooked. Don't put that project on the backburner. Once users agree to it they can have a corporate device.”
Organizations should also look into HIPAA-compliant solutions and not just trust that the mobility management solution they choose is HIPAA compliant.
“Hire a HIPAA consultant to go through the solution to determine whether it's compliant or not,” Koeneman advised. “Don't rely on the vendor to tell you that it's compliant, because they're going to tell you it's compliant because it can be configured in compliance. But it can also be configured out of compliance.”
Organizations need to have the right to isolate mobile devices and cut off access at any time. Developing a strategy that gives the organization the right to control devices and their applications will reduce the security risk of mobile devices.