Experience the Eide Bailly Difference

Bring Your Own Device (BYOD) Best Practices & Technologies

Ross McKnight, Sr. Network Engineer
406.867.4160
rmcknight@eidebailly.com
Agenda

- Best Practices for BYOD Policies
- HIPAA Considerations for BYOD
- Technical Options & Solutions for BYOD
- Questions & Answers
Disclaimer

These seminar materials are intended to provide the seminar participants with guidance in technology planning matters. The materials do not constitute, and should not be treated as, professional advice regarding the use of any particular technology planning technique. Every effort has been made to assure the accuracy of these materials. Eide Bailly LLP and the author do not assume responsibility for any individual's reliance upon the written or oral information provided during the seminar. Seminar participants should independently verify all statements made before applying them to a particular fact situation, and should independently determine the technology and business consequences of any particular technology planning technique before recommending the technique to a client or implementing it on the client's behalf.
Best Practices for BYOD Policies

The challenges of Bring Your Own Device (BYOD) policies are not all technical:
- Your organization needs to define how it wants to enable mobile access to ePHI.
- Use of both organization-owned and personal devices may be appropriate.
- Employees sometimes object to the remote management requirements for their personal devices.

It is critical that BYOD policies and technical safeguards include the same management capabilities as you have for organization-owned and internal devices!
Best Practices for BYOD Policies

The scope of your BYOD policies should include:
- Identification of what devices are allowed: types and platforms
- Specific security policies that will be enforced: PINs, remote wipe / disable, encryption
- Technical support policies: your IT team can't support everything
- Specific applications available for BYOD access
- Policies on who will be granted BYOD access
- Sanctions and consequences for violation of BYOD policies
HIPAA Considerations for BYOD

BYOD and all mobile devices must comply with the same internal access policies and HIPAA safeguards. The key factors for effective BYOD policies are to:
1. Understand your risks
2. Manage personal devices exactly like organization-owned devices

The Office of the National Coordinator for Health Information Technology (ONC) has developed a five-step process for Mobile Device Privacy & Security:
Step 1 - Decide
Step 2 - Assess
Step 3 - Identify
Step 4 - Develop, Document & Implement
Step 5 - Train

Source: http://www.healthit.gov/providers-professionals/five-steps-organizations-can-takemanage-mobile-devices-used-health-care-pro
Step 1 - Decide

How and where will mobile devices be used?

Key decisions:
- Will mobile devices be used to access your EHR (or other systems containing ePHI)?
- Will mobile devices be used to transmit ePHI? (Examples: email and texting)
- Will mobile devices be allowed to locally store ePHI?

Common risks & vulnerabilities:
- Lost or stolen mobile devices
- Malware & viruses
- Unintentional ePHI disclosure through shared devices
- Use of unsecured networks
Step 2 - Assess

Conduct a risk analysis for mobile devices.

Risk analysis scope:
- Identify specific risks to your organization
- Determine required safeguards, policies & procedures
- Include both organization-owned and personal devices

Documentation guidelines:
- Identification of specific mobile devices with access to ePHI
- Specific information and systems accessed by mobile devices
- Approval processes for obtaining mobile access to ePHI
Step 3 - Identify

Identify your mobile device risk management strategy.

Risk management strategies may include:
- Device password policies
- Encryption (network & storage)
- Remote wiping and / or disabling
- Disabling public file sharing
- Use of firewalls
- Use of security / anti-virus software
- Educating users on the importance of maintaining physical control of their devices
- Wiping all data when discarding devices

All safeguards should apply to both organization-owned and personal devices.
Step 4 - Develop, Document & Implement

Your policies & safeguards for mobile devices.

Implement your mobile device policies & safeguards, including:
- Mobile Device Management tool(s)
- BYOD policies
- Policies restricting use of mobile devices
- Security settings for mobile devices
- Information storage on mobile devices
- Sanctions for misuse of mobile devices
- Remote wipe / disable capabilities
- User training program
Step 5 - Train

Mobile device security & privacy awareness training.

Training scope:
- Awareness of risks & threats associated with mobile devices
- Review of the organization's mobile device policies & procedures (e.g. all content developed during Step 4)
- Review of common mistakes when using mobile devices

Training strategies:
- Integrate mobile device security & privacy awareness training into your overall HIPAA training program
- New hire training
- Annual reviews and reminder training
Technical Options & Solutions for BYOD

There are currently 2 major types of players in the Mobile Device Management (MDM) market.

Traditional MDM vendors that have focused on MDM functionality from the beginning:
- MobileIron
- MaaS360
- AirWatch
- Good Technologies

Security companies that are expanding their offerings:
- Symantec
- McAfee
- Sophos
Technical Options & Solutions for BYOD

On-premise vs. cloud-based:
- Some vendors offer both methods, some only offer one.
- Pay attention to feature sets if a product offers a cloud-based, software as a service (SaaS) model as well as an on-premise model. They are often very different in the functionality they provide and in their licensing models.

Differing security models:
- Some companies focus primarily on maintaining the factory end-user experience: light-handed.
- Others provide a potentially more secure model by utilizing data segregation: heavy-handed.
- Security models and implementation can be influenced by device type, i.e. not all device types will implement policies in the same way.
Solution Quick Comparison

| Feature | MobileIron | MaaS360 by Fiberlink | AirWatch Enterprise Mobility Management | Symantec Mobile Management Suite | Sophos Mobile Control | Citrix XenMobile | Good for Enterprise |
|---|---|---|---|---|---|---|---|
| On premises | Yes | No | Yes | Yes | Yes | Yes | Yes |
| Cloud/SaaS | Yes | Yes | Yes | Yes | Yes (limited) | Yes | No |
| iOS | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Android | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Windows Phone | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| BlackBerry | Yes | Yes | Yes | Yes | Yes (on premise) | Yes | Requires BoxTone for Good |
| Password reset | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Remote device wipe | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Remote lock | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Configuration monitoring/auditing | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Automated provisioning/enrollment | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| User self-service app delivery | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Full-featured enterprise app store | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| App inventory tracking | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Application blacklisting/whitelisting | Yes | Yes | Yes | Yes | Yes | Yes | Yes (requires Good AppCentral) |
| Device compromise detection (jailbreak/rooting) | Yes | Yes | Yes | Yes (from wrapped apps and via MDM and MAM agents) | Yes | Yes | Yes |
| Device-level encryption | Yes | Yes | Yes | Yes | Yes (Sophos Mobile Encryption) | Yes | Yes |
| Malware detection | No; offers third-party integration | Yes | Yes, via App Reputation Scanning for Android and integrations with F-Secure and others | Yes | Yes | No | No |
| Real-time dashboards | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Password protection | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

The following rows have fewer than seven values in the source (blank cells were lost), so the values are given in the order listed and cannot be reliably assigned to a vendor column:
- Selective wipe: Yes, Yes, Yes, Yes, Yes, Yes (6 of 7 cells)
- App usage monitoring: Yes, No, Yes, "Yes, using App Center", Yes (5 of 7 cells)
- Service monitoring: Yes, Yes, Yes, No, Yes, Yes (6 of 7 cells)
- Usage monitoring: Yes, Yes, Yes, Yes, Yes, No (6 of 7 cells)
- Set VPN, Wi-Fi, APN, proxy/gateway settings: Yes, Yes, Yes, Yes, Yes, "Yes, for iOS and for Android via BoxTone/3LM" (6 of 7 cells)
Questions & Answers

Feel free to contact me:
Ross McKnight, Sr. Network Engineer
406.867.4160
rmcknight@eidebailly.com