Endpoint protection and bring-your-own-device (BYOD) policies raise the stakes for mobility, which remains a health data security challenge for healthcare organizations. Storing protected health information (PHI) on a mobile device for any length of time puts that data at risk, highlighting the need for endpoint security whenever data is stored outside the data center.
Developers of mobile device management (MDM) and enterprise mobility management (EMM) solutions have attempted to remedy much of the risk involved with enterprise mobile devices since the consumerization of IT pushed users to utilize mobile devices to improve work productivity.
As mobile devices became more sophisticated, developers have added features to EMM solutions to counteract the possible security vulnerabilities of taking data out of the secure data center and accessing it on a mobile device. MDM installs protective software on endpoint devices, while mobile application management (MAM), mobile content management (MCM), and several other features were added as needed.
Adding new features to EMM solutions has proved successful, but as the solutions grow larger a new approach becomes necessary. Currently, many EMM features overlap, creating redundancies that consume valuable infrastructure and device space and can be difficult to manage, especially for smaller IT departments. Virtual mobile infrastructure (VMI) is likely the answer to the common problems facing EMM solutions.
VMI is poised to take the place of traditional EMM solutions by using virtualization to route mobile OSs to mobile devices. Virtual desktop infrastructure (VDI) uses the same technology to route desktop OSs to mobile devices. Routing desktop OSs to mobile devices can sometimes cause functionality issues when apps designed for desktops don’t translate well onto mobile devices. VMI relies on container technology and virtual gateways to give users access to an entirely separate device within their device.
“VMI comes out on the coattails of the MDM industry trying to bring a new approach, to have this BlackBerry-like contained experience for work data, but keeping the personal side of your iPhone or Android device purely to yourself,” Sinan Eren, Vice President of Avast Mobile Enterprise, told HITinfrastructure.com. “This keeps IT happy, while at the same time protecting your privacy and liberty.”
“Enterprise mobility should not retain any corporate data or healthcare data on the mobile devices and offload everything to the infrastructure and the server side,” the enterprise mobility expert continued. “VMI offers an unconstrained, native mobile experience while users access it, but does not run the risk and liability of carrying the data around with you in your pocket risking losing the mobile device.”
VMI and HIPAA compliance
HIPAA compliance makes healthcare distinct from other industries regarding IT infrastructure. Healthcare organizations require mobility solutions that do not put PHI at risk, a challenge that has grown as BYOD initiatives have emerged.
“VMI is an approach we feel strongly about especially when HIPAA compliance is a requirement for an organization,” Eren said. “It’s the best of both worlds; you get a mobile look and experience while the VMI solution complies with HIPAA regulations by keeping the data always within the parameters of the organization.”
Eren cited the NSA mobility compatibility package, which has many similarities to HIPAA, as a starting point for building a VMI solution that met healthcare compliance needs. He noted that “suggested approaches were getting access to data in a non-caching, non-storing fashion. Web mail, for example, is one of the oldest technologies that does not store any information at the end device, somewhat enabling mobility.”
Technologies with the same “non-caching” principles as VMI, such as webmail, are already in use. However, the problem is those applications were not made for mobile devices.
“The application did not feel native,” Eren found. “The main application was a web page that didn’t get cached, but for all your pinches, zooms, scrolls, and touches, there was a lot of friction. We took the NSA guidelines as a core tenet to look into a way to bring email, document and storage applications to mobile, upholding the ‘no data at the end device’ principle. The approach led to us virtualizing mobile apps on the infrastructure side, and streaming to the end device.”
VMI lightens the health IT infrastructure load by removing the need to secure each individual device. Because no data is stored on the devices, there is no reason to waste infrastructure resources protecting the device. VMI is secure by design, making it ideal for PHI and EHRs.
“You have the HIPAA compliance that comes through having a web interface-like approach; essentially everything is on the server side of things,” Eren explained. “You access your email, your EHRs, charts, x-rays, and medical imaging, but these are all done through native feeling mobile apps, while all the data is still resident on the hospital network and the hospital data center.”
How does VMI fit in with current healthcare environments?
Healthcare organizations are already using Citrix and VMware VDI solutions to mobilize desktops, and many healthcare professionals are using tablets to access EHRs. Eren predicts that it is only a matter of time before organizations completely shift from conventional legacy desktop applications and desktop platforms to a mobile environment, which he believes is also the answer to HIPAA compliance.
“By nature we take a similar approach to the medical profession itself; VMI has many practical similarities with the medical field,” Eren said.
“For example, we treat our VMI sessions almost like medical instruments,” he continued. “We assume that an endpoint device is untrusted at best, especially in a BYOD situation, and compromised at worst; we assume that it’s a contaminated area. Like a single-use medical instrument, we create a session for the particular application that the professional needs to access, like an EHR application. We create a single disposable session, deliver the application to the endpoint, and when the medical professional is done interacting with the application, that session is completely disposed.”
Will VMI replace EMM?
VMI takes a completely different approach to enterprise mobility, one that declutters the management process and gives organizations a better way to govern data beyond wiping compromised devices.
“We run into a lot of challenges initially implementing a similar MDM technology,” Eren noted. “The MDM wipe request from an MDM or EMM solution is not reliable. The device could be off the network or out of battery, but in several cases there is always a control center you can access on an iOS or Android device without requiring a passcode where the device can be put in airplane mode.”
“Control center access gives you unhindered access to a device potentially holding very vital information and chances to hack into the device,” Eren added. “Whether leveraging weaknesses in touch ID, trying to brute force the password, or leveraging weaknesses in the boot loader, you can attack this device. MDM and EMM solutions will have no chance to send a wipe request because the device is basically off the network.”
EMM is not just one solution; it’s a mixture of many solutions that VMI seeks to combine and simplify. Many organizations need to invest in more than one solution for their mobility strategy to build a viable EMM solution.
“In the case of VMI, all of these things are merged into one,” Eren maintained. “It is all these EMM solutions put together in a turnkey way. You can access mobile apps that are virtualized and streamed from the data center while the data remains in the data center, but you also get MDM and MAM-like controls for virtualized applications.”
What is the current state of VMI in healthcare?
While it offers healthcare organizations many benefits, VMI is still very young. Healthcare EHR applications need to meet VMI standards in order for healthcare organizations to implement it.
“With other VMI players combined, we’re looking at a dozen to maybe two dozen VMI healthcare deployments at best,” Eren conceded. “It’s not just about VMI, mobility itself is relatively new. If you look at players like Epic and Cerner, their mobile applications have been behind the curve for the longest time, they’re just getting there. The whole feel, including the mobile backend and mobile applications, is relatively new to bring mobility and mobile apps into the healthcare vertical.”
That is likely to change as these enterprise EHR solutions mature.
“The better Epic gets and the better Cerner gets, the more deployments we will have with VMI as well. We’re kind of growing together. With better mobile applications, there will be more VMI deployments,” said Eren.
How can healthcare organizations prepare their infrastructure for VMI?
Virtualization has come a long way over the past several years. Eren credits companies like Docker with changing the game and moving hypervisor-based, heavy infrastructure requirements to more lightweight containers. Virtualization does not have many infrastructure requirements attached to it anymore.
“VMI solutions leverage lightweight containers,” Eren explained. “We can pack a lot more user density into a single use of hardware, therefore making it a lot cheaper than the traditional virtualization has required in the past.”
“Like many other advances in technology, virtualization is also going to a new abstraction layer,” Eren continued. “We require a lot less resources from the infrastructure, but also a lot less bandwidth from the wireless network. We achieve all this by using lightweight containers running on server-grade infrastructure.”
Virtualization solutions are designed to operate on top of existing virtualization platforms, making them easier to deploy.
“VMI solutions deploy on top of whatever virtualization platform an organization already has,” Eren advised. “The Avast VMI solution is platform agnostic and doesn’t have any specific requirements for specific hardware or virtualization platforms. We built the technology in a royalty-free stack so you can deploy it if you have OpenStack, or if you already have VMware or Citrix virtualization environments.”
It’s important for virtualization solutions to be platform agnostic because virtualization delivers technology to users running on different platforms. Organizations looking to deploy VMI do not want to invest in additional solutions for compatibility issues.
“Any modern solution should be platform agnostic, and should deploy on an infrastructure without requiring an additional investment,” insisted Eren. “In that sense, most of our recommendations are not about infrastructure investment, but to help segment things off. We will have one public facing network leg and one internal leg, so it will be more about configuration rather than investment.”
VMI is the future of enterprise mobility — not just for healthcare, but for all industries. By removing endpoint data storage, VMI eliminates the security risks of endpoint attacks from data breaches or lost devices.