EASIER SAID THAN DONE
"There are very few people here not impacted by electronic protected health care information (EPHI). Because of how fluidly that information flows through our organization, it's next to impossible for us to create different classes of users," says Marti. "Any mobile device that accesses email has the possibility of containing EPHI. In that respect, a PDA is no different than a laptop or a desktop."
Integris secures data on BlackBerry devices with native BlackBerry OS authentication and encryption and protects Microsoft PDAs with Credant Mobile Guardian, a centrally managed enterprise encryption platform that installs an agent on each device. While the organization cannot realistically stop physicians from using personal smartphones, it can limit user privileges on all workstations and control ActiveSync and BlackBerry Enterprise Server (BES) access to prevent Integris data from being synchronized onto user-owned devices.
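The ActiveSync control described above, as an added example that is not Integris's own configuration: a default-deny posture in which unknown devices are quarantined rather than synced, unmanageable device families are blocked, and a user's mailbox is pinned to one inventoried device. It assumes Exchange 2010 or later (device access rules did not exist in the 2008-era servers the article describes); the mailbox, recipient and device ID values are placeholders.

```powershell
# Added example, not from the article. Assumes Exchange 2010+ management shell.
# All mailbox, recipient and device ID values are placeholders.

# 1. New, unrecognized devices are quarantined instead of receiving mailbox data;
#    administrators are notified and the user sees why the sync did not complete.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "mobile-admins@example.org" `
    -UserMailInsert "This device is not yet approved for access to EPHI."

# 2. Block a device family that cannot yet be centrally inventoried or encrypted.
#    The rule matches on the DeviceType string the client reports.
New-ActiveSyncDeviceAccessRule -QueryString "iPhone" `
    -Characteristic DeviceType -AccessLevel Block

# 3. Restrict one user's mailbox to a specific, inventoried device ID so that
#    a personally owned handset cannot form a new sync partnership.
Set-CASMailbox -Identity "drsmith@example.org" `
    -ActiveSyncAllowedDeviceIDs @("PLACEHOLDER_DEVICE_ID")

# 4. Audit: list devices currently held in quarantine ...
Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq "Quarantined" } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceId

# ... and every existing partnership, so unmanaged devices can be found.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled } |
    ForEach-Object { Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity } |
    Select-Object DeviceType, DeviceID, LastSuccessSync, DeviceUserAgent
```

The audit step matters as much as the rules: a partnership created before the default was switched to Quarantine keeps syncing until it is reviewed and, if needed, blocked.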
But doctors are eager to use iPhones for email. "They say, 'Oh, it's just email,' but I have to secure for the possibility that EPHI will live there," says Marti.
"We're getting five to seven requests a day for the iPhone, but I can't centrally manage, inventory or encrypt it today," he says. "By the time that I can, those doctors will have already replaced it with another latest and greatest. I'm in a loop where I can't respond until a device is a generation old."
Given that many new handhelds are not capable of protecting EPHI from day one, Marti believes that users must become more aware of information assets and their value. "People need to accept that protecting the information on mobile devices is part of patient care," he says. "More than anything, it comes down to creating a keen awareness of how powerful these devices can be: When you have a laptop in the palm of your hand, that presents a risk to your organization."
Analyst Gold finds that user education makes security policies far more effective. "Work with users to explain why certain things aren't allowed and they're more apt to accept limitations. It's not hard, but most IT staff doesn't think about [education as strategy]," he says. "Let users know why you don't consider that device up-to-snuff and the compromise you can offer. Most people are willing to move forward with what you offer, but if you just say no, they're going to try to get around you."
This was first published in November 2008