Bring Your Own Device (BYOD) Best Practices & Technologies


Experience the Eide Bailly Difference
Bring Your Own Device (BYOD) Best Practices & Technologies
Ross McKnight, Sr. Network Engineer
406.867.4160
rmcknight@eidebailly.com

Agenda
- Best Practices for BYOD Policies
- HIPAA Considerations for BYOD
- Technical Options & Solutions for BYOD
- Questions & Answers

Disclaimer
These seminar materials are intended to provide the seminar participants with guidance in technology planning matters. The materials do not constitute, and should not be treated as, professional advice regarding the use of any particular technology planning technique. Every effort has been made to assure the accuracy of these materials. Eide Bailly LLP and the author do not assume responsibility for any individual's reliance upon the written or oral information provided during the seminar. Seminar participants should independently verify all statements made before applying them to a particular fact situation, and should independently determine the technology and business consequences of any particular technology planning technique before recommending the technique to a client or implementing it on the client's behalf.

Best Practices for BYOD Policies
- The challenges of Bring Your Own Device (BYOD) policies are not all technical.
- Your organization needs to define how it wants to enable mobile access to ePHI.
- Use of both organization-owned and personal devices may be appropriate.
- Employees sometimes object to the remote management requirements for their personal devices.
- It is critical that BYOD policies and technical safeguards include the same management capabilities you have for organization-owned and internal devices. A personal device that can reach ePHI is in scope for the same risk analysis and the same controls as a corporate device.

Best Practices for BYOD Policies
The scope of your BYOD policies should include:
- Identification of what devices are allowed: types and platforms
- Specific security policies that will be enforced: PINs, remote wipe / disable, encryption
- Technical support policies: your IT team can't support everything
- Specific applications available for BYOD access
- Policies on who will be granted BYOD access
- Sanctions and consequences for violation of BYOD policies

HIPAA Considerations for BYOD
BYOD and all mobile devices must comply with the same internal access policies and HIPAA safeguards. Key factors for effective BYOD policies are to:
1. Understand your risks
2. Manage personal devices exactly like organization-owned devices
The Office of the National Coordinator for Health Information Technology (ONC) has developed a five-step process for mobile device privacy & security:
Step 1 - Decide
Step 2 - Assess
Step 3 - Identify
Step 4 - Develop, Document & Implement
Step 5 - Train
Source: http://www.healthit.gov/providers-professionals/five-steps-organizations-can-takemanage-mobile-devices-used-health-care-pro

Step 1 - Decide
How & where will mobile devices be used?
Key decisions:
- Will mobile devices be used to access your EHR (or other systems containing ePHI)?
- Will mobile devices be used to transmit ePHI? (Examples: email and texting)
- Will mobile devices be allowed to locally store ePHI?
Common risks & vulnerabilities:
- Lost or stolen mobile devices
- Malware & viruses
- Unintentional ePHI disclosure through shared devices
- Use of unsecured networks

Step 2 - Assess
Conduct a risk analysis for mobile devices.
Risk analysis scope:
- Identify specific risks to your organization
- Determine required safeguards, policies & procedures
- Include organization-owned and personal devices
Documentation guidelines:
- Identification of specific mobile devices with access to ePHI
- Specific information and systems accessed by mobile devices
- Approval processes for obtaining mobile access to ePHI

Step 3 - Identify
Identify your mobile device risk management strategy.
Risk management strategies may include:
- Device password policies
- Encryption (network & storage)
- Remote wiping and / or disabling (for personal devices, a selective wipe that removes only the organization's data and apps is usually what users will accept; a full-device wipe also destroys their personal content)
- Disable public file sharing
- Use of firewalls
- Use of security / anti-virus software
- Educating users on the importance of maintaining physical control of their devices
- Wiping all data when discarding devices
All safeguards should apply to both organization-owned and personal devices.

Step 4 - Develop, Document & Implement
Your policies & safeguards for mobile devices.
Implement your mobile device policies & safeguards, including:
- Mobile Device Management tool(s)
- BYOD policies
- Policies restricting use of mobile devices
- Security settings for mobile devices
- Information storage on mobile devices
- Sanctions for misuse of mobile devices
- Remote wipe / disable capabilities
- User training program
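As an added, illustrative example (not from the Eide Bailly deck or from any MDM product), the Python below turns the policy-scope items from the "Best Practices for BYOD Policies" slide (allowed platforms, PIN length, encryption, jailbreak/root detection, remote or selective wipe) and the Step 2 through Step 4 safeguards into an enforceable check over a device inventory. The policy thresholds, the device records, and the allow / quarantine / selective_wipe decisions are assumptions chosen for illustration; a real deployment would read the device attributes from the MDM's inventory and push the resulting action back to it. The one deliberate design point is that the ownership field is never consulted, which is the deck's "manage personal devices exactly like organization-owned devices" rule in code.

```python
"""Added example, not from the deck or any MDM vendor: evaluate an MDM-style
device inventory against a BYOD policy and decide, per device, whether it
keeps access to ePHI, is quarantined until remediated, or gets a selective
wipe of organization data. Personal and corporate devices are judged by the
same rules. All policy values and device records are constructed assumptions."""

from dataclasses import dataclass

# Illustrative policy (assumed values, not from the deck).
POLICY = {
    "allowed_platforms": {"ios": (12, 0), "android": (8, 0)},  # platform -> minimum OS
    "min_passcode_length": 6,
    "require_encryption": True,
    "block_compromised": True,     # jailbroken / rooted devices lose access
    "max_days_since_checkin": 7,   # a device that goes dark is treated as lost
}


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str
    ownership: str          # "corporate" or "personal"; deliberately ignored by the rules
    platform: str
    os_version: tuple       # e.g. (15, 4)
    passcode_length: int    # 0 = no passcode set
    encrypted: bool
    compromised: bool       # jailbreak / root detected by the MDM agent
    days_since_checkin: int
    has_ephi_apps: bool     # EHR, secure email or other ePHI-capable apps installed


def evaluate(device, policy=POLICY):
    """Return (decision, reasons) for one device.

    decision is 'allow', 'quarantine' or 'selective_wipe'. Ownership is never
    consulted: a personal device must meet exactly the corporate bar."""
    reasons = []
    min_os = policy["allowed_platforms"].get(device.platform)
    if min_os is None:
        reasons.append(f"platform '{device.platform}' not on the allowed list")
    elif device.os_version < min_os:
        reasons.append(f"OS {device.os_version} below minimum {min_os}")
    if device.passcode_length < policy["min_passcode_length"]:
        reasons.append("passcode missing or shorter than policy minimum")
    if policy["require_encryption"] and not device.encrypted:
        reasons.append("device storage not encrypted")
    if policy["block_compromised"] and device.compromised:
        reasons.append("device is jailbroken/rooted")
    gone_dark = device.days_since_checkin > policy["max_days_since_checkin"]
    if gone_dark:
        reasons.append("device has not checked in within policy window")

    if not reasons:
        return "allow", reasons
    # A compromised or missing device that carries ePHI-capable apps gets the
    # organization's data removed (selective wipe, leaving personal data alone);
    # any other violation only suspends access until the user fixes it.
    if (device.compromised or gone_dark) and device.has_ephi_apps:
        return "selective_wipe", reasons
    return "quarantine", reasons


def audit(inventory, policy=POLICY):
    """Map device_id -> decision for a whole inventory: the Step 2 record of
    which devices hold ePHI access, turned into enforceable output."""
    return {d.device_id: evaluate(d, policy)[0] for d in inventory}


# Constructed sample inventory (not real devices).
INVENTORY = [
    Device("D1", "alice", "corporate", "ios", (15, 4), 6, True, False, 1, True),
    Device("D2", "bob", "personal", "android", (11, 0), 4, True, False, 2, True),
    Device("D3", "carol", "personal", "android", (10, 0), 6, True, True, 3, True),
    Device("D4", "dave", "personal", "ios", (16, 1), 8, True, False, 30, True),
    Device("D5", "erin", "personal", "blackberry", (10, 3), 8, True, False, 1, False),
]

if __name__ == "__main__":
    for dev in INVENTORY:
        decision, why = evaluate(dev)
        print(f"{dev.device_id} ({dev.ownership:9}) -> {decision:14} {'; '.join(why)}")
```

Running the block prints one line per device: D1 is allowed, D2 is quarantined for a four-digit PIN, D3 (rooted) and D4 (no check-in for 30 days) get a selective wipe because they carry ePHI-capable apps, and D5 is quarantined because its platform is not on the allowed list. The reasons list is what you would record for the Step 2 documentation and surface to the user for remediation.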

Step 5 - Train
Mobile device security & privacy awareness training.
Training scope:
- Awareness of risks & threats associated with mobile devices
- Review of the organization's mobile device policies & procedures (i.e. all content developed during Step 4)
- Review of common mistakes when using mobile devices
Training strategies:
- Integrate mobile device security & privacy awareness training into your overall HIPAA training program
- New-hire training
- Annual reviews and reminder training

Technical Options & Solutions for BYOD
There are currently two major types of players in the Mobile Device Management (MDM) market.
Traditional MDM vendors that have focused on MDM functionality from the beginning:
- MobileIron
- MaaS360
- AirWatch
- Good Technology
Security companies that are expanding their offerings:
- Symantec
- McAfee
- Sophos

Technical Options & Solutions for BYOD
On-premise vs. cloud-based:
- Some vendors offer both methods, some only offer one.
- Pay attention to feature sets if a product offers a cloud-based, software-as-a-service (SaaS) model as well as an on-premise model. They are often very different in the functionality they provide and in licensing models.
Differing security models:
- Some companies focus primarily on maintaining the factory end-user experience: light-handed.
- Others provide a potentially more secure model by utilizing data segregation (organization data and apps kept in a managed container, separate from the user's personal data): heavy-handed.
- Security models and implementation can be influenced by device type, i.e. not all device types will implement policies in the same way.

Solution Quick Comparison

Feature | MobileIron | MaaS360 by Fiberlink | AirWatch Enterprise Mobility Management | Symantec Mobile Management Suite | Sophos Mobile Control | Citrix XenMobile | Good for Enterprise
On premises | Yes | No | Yes | Yes | Yes | Yes | Yes
Cloud/SaaS | Yes | Yes | Yes | Yes | Yes (limited) | Yes | No
iOS | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Android | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Windows Phone | Yes | Yes | Yes | Yes | Yes | Yes | Yes
BlackBerry | Yes | Yes | Yes | Yes | Yes (on premise) | Yes | Requires BoxTone for Good
Password reset | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Remote device wipe | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Selective wipe | Yes | Yes | Yes | Yes | Yes | Yes | (blank)
Remote lock | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Configuration monitoring/auditing | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Automated provisioning/enrollment | Yes | Yes | Yes | Yes | Yes | Yes | Yes
User self-service app delivery | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Full-featured enterprise app store | Yes | Yes | Yes | Yes | Yes | Yes | Yes
App inventory tracking | Yes | Yes | Yes | Yes | Yes | Yes | Yes
App usage monitoring | Yes | No | Yes | Yes, using App Center | Yes | (blank) | (blank)
Application blacklisting/whitelisting | Yes | Yes | Yes | Yes | Yes | Yes | Yes (requires Good AppCentral)
Device compromise detection (jailbreak/rooting) | Yes | Yes | Yes | Yes (from wrapped apps and via MDM and MAM agents) | Yes | Yes | Yes
Device-level encryption | Yes | Yes | Yes | Yes | Yes (Sophos Mobile Encryption) | Yes | Yes
Malware detection | No; offers third-party integration | Yes | Yes, via App Reputation Scanning for Android and integrations with F-Secure and others | Yes | Yes | No | No
Service monitoring | Yes | Yes | Yes | No | Yes | Yes | (blank)
Real-time dashboards | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Usage monitoring | Yes | Yes | Yes | Yes | Yes | No | (blank)
Password protection | Yes | Yes | Yes | Yes | Yes | Yes | Yes
Set VPN, Wi-Fi, APN, proxy/gateway settings | Yes | Yes | Yes | Yes | Yes | (blank) | Yes, for iOS and for Android via BoxTone/3LM

Cells marked (blank) were empty in the source. Where a row carried fewer values than columns, the empty cells have been placed in the rightmost columns (except where a vendor-specific note such as BoxTone or AppCentral fixes the column), so their exact position is uncertain. Vendor names and capabilities are as of the presentation date and should be re-verified before any purchasing decision.

Questions & Answers
Feel free to contact me:
Ross McKnight, Sr. Network Engineer
406.867.4160
rmcknight@eidebailly.com