Webinar: Leverage your mobile framework for data security

Employees are increasingly bringing their personal mobile devices into the workplace, and these devices must be secured for use in the health IT environment, according to Dan Dearing, group director of mobile strategies at BoxTone, a mobile service management software provider in Columbia, Md., who addressed a webinar May 24 hosted by the Healthcare Information & Management Systems Society (HIMSS).

The webinar, “iPhones, iPads and HIPAA Compliance: A How To Guide,” focused on best practices for choosing a HIPAA-compliant mobile device platform and instituting an IT mobility management framework.

Mobile devices can bring utility to an entire healthcare enterprise and are already changing how people do their everyday jobs. “But you have to think about support and security,” said Dearing.

According to Dearing, issues to consider when choosing a mobile device to use within an enterprise are:

  • Native data protection;
  • Whether the device has secure and flexible application distribution; and
  • Native integration with an existing IT infrastructure.

Instituting a mobility management strategy can be a challenge, he said. “An enterprise mobility management framework produces a single point of control to proactively manage the entire mobile lifecycle for today and the future,” Dearing remarked, providing the audience with seven steps to attain a mobile management framework:

1. Adopt a mobile management platform. Mobility is key to the entire organization, and diversity across devices and apps pushes up the complexity of managing them. Dearing recommended adopting a modular platform that is extensible and can allow new capabilities, group different classes of users and establish appropriate policies.

2. Organize for a mix of employee-liable devices. As more workers use their personal devices for work, an organization should create a formal procedure for allowing employees' mobile devices, create a formal policy and enforce the signed agreements. In addition, organizations should use security software that controls electronic personal health information (ePHI).

3. Organize for tablets. Applications are driving demand and tablets present new opportunities for point-of-use. However, these devices are more akin to smartphones than laptops, Dearing said. He recommended tapping into existing mobile IT specialists to support the devices and providing cross-operating-system tools and monitoring.

4. Organize for more than two devices per mobilized employee. Different mobile devices are used for disparate tasks and tablets will not necessarily replace laptops, especially for content creation.

5. Organize for more mobile apps. Expect strong demand for apps, and deploy an app catalog to ease management and leverage device security for internal apps and native security for third-party apps.

6. Organize for two or more support issues per mobile user. Industry benchmarks show an average organization has two to four issues per mobile user per year and that service desk teams typically have zero visibility into device statuses, Dearing noted. He suggested employing a tiered mobility support strategy while deploying automated support management.

7. Organize for managing risk. “Mobile security for healthcare is complex,” Dearing said. The ePHI and device universes are broad, but through a mix of a mobile management platform, security processes and native security enforcement, an organization should be able to reach HIPAA compliance, he said. This includes authentication and authorization, access control, data protection and malware protection as well as automated compliance management (which will be key for HIPAA, according to Dearing).

“Technology is only one part [of the security process],” he concluded, and organizations must also assess the people within the organization as well as the security processes.
