Partners' take on BYOD security

BOSTON—“The only time I’ve had someone snap at me is when I suggested that we do something about BYOD [bring your own device],” said Jennings Aske, former chief information security and privacy officer for Partners HealthCare. Aske spoke at the Medical Informatics World Conference on April 29.

Now chief information officer for Nuance Communications, Aske only recently left Partners where he implemented improved privacy and security policies and procedures for personal devices.

Partners had policies about keeping tablets and smartphones secure but wasn’t doing any enforcement, he admitted. “The reality was we knew people weren’t securing their devices.”

Aske said he joined Partners in 2009 when the organization was involved in an ongoing federal investigation as well as the investigation of a specific incident that led to a corrective action plan.

Back in 2009, prohibiting high-risk devices such as iPhones as corporate assets just created an incentive for people to bring their own, he said. “Within a year we had 15,000 iPhones connecting to the system.” Today, there are more than 20,000 smartphones and tablets in use, the majority of which are BYOD. Partners is the largest employer in Massachusetts, with more than 80,000 workers connected to the email system.

BYOD will increase, Aske said, because organizations don’t have the budget to procure corporate-owned devices for their entire workforce, younger workers expect it and “mobility as a means of accessing information will be essential to the healthcare delivery model of the future.”

Making the shift to greater security of these devices was culturally challenging, Aske said. Someone even compared him to a Communist dictator. People perceived the new policy as an intrusion, the technical options weren’t well known to the organization, the entire healthcare industry has struggled with this problem and regulators have yet to publish guidance to help define the strategy.

In the process of developing a strategy, Aske and his team distilled use down to two primary use cases—devices used by a single user and devices used in a shared clinical setting by multiple individuals. The second use case also applies to patients given a tablet.

The greatest risk was the presence of confidential information stored and accessed in email, Aske said. Partners’ email platform contained native capabilities to require device encryption, inactivity passcodes, remote wipe and other technical security controls.

Aske said organizations should remember that employees are busy and trying to be productive. Meanwhile, “enterprise technology stinks and isn’t as good as the native capabilities of devices.”

Overall, Partners decided to establish baseline security measures and then add more mature and meaningful capabilities down the road. The baseline set of controls wasn’t too strenuous but would pass regulatory muster, he said. All devices are encrypted, and unencrypted devices are blocked. Users must set a five-character PIN, which must be re-entered after 15 minutes of inactivity and changed every 90 days. After 10 failed login attempts, the device is wiped locally, and lost or stolen devices are wiped remotely, erasing all content.
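The baseline above, together with the email-platform controls mentioned earlier (required encryption, inactivity passcode, remote wipe), maps onto a standard mobile device mailbox policy. The following is an added example, not code from Partners or from the conference talk: the article does not name the email platform, so Exchange Server with ActiveSync is assumed, and the cmdlet and parameter names are those of Exchange 2013 and later (Exchange 2010 uses New-ActiveSyncMailboxPolicy with “Device” in the parameter names). The policy name, the mailbox scope and the notification address are placeholders.

```powershell
# Added example (assumes Exchange 2013+ / Exchange Online with ActiveSync).
# The article does not name Partners' email platform; Exchange is assumed.

# Baseline policy: encryption required, devices that cannot enforce the
# policy are blocked, 5-character PIN, lock after 15 minutes idle, PIN
# changed every 90 days, local wipe after 10 failed attempts.
New-MobileDeviceMailboxPolicy -Name "BYOD-Baseline" `
    -PasswordEnabled $true `
    -MinPasswordLength 5 `
    -MaxInactivityTimeLock 00:15:00 `
    -PasswordExpiration 90.00:00:00 `
    -MaxPasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false
# With RequireDeviceEncryption set and non-provisionable devices disallowed,
# a device that cannot apply encryption is refused sync rather than admitted
# unencrypted, which is the "unencrypted devices are blocked" behaviour.

# Make the policy the default for newly enabled mailboxes, then apply it
# to every existing user mailbox (placeholder scope: all user mailboxes).
Set-MobileDeviceMailboxPolicy -Identity "BYOD-Baseline" -IsDefault $true
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-CASMailbox -ActiveSyncMailboxPolicy "BYOD-Baseline"

# Check: which devices have not fully applied the policy? Anything other
# than AppliedInFull is either blocked or only partially provisioned and
# needs follow-up before it is trusted with mail.
Get-MobileDevice -ResultSize Unlimited |
    Get-MobileDeviceStatistics |
    Where-Object { $_.DevicePolicyApplicationStatus -ne "AppliedInFull" } |
    Select-Object DeviceType, DeviceModel, DeviceOS, DevicePolicyApplied,
                  DevicePolicyApplicationStatus, LastSuccessSync

# Remote wipe of a lost or stolen device. The identity comes from
# Get-MobileDevice; the notification address is a placeholder.
# Clear-MobileDevice -Identity "<device identity>" `
#     -NotificationEmailAddresses "security@example.org"
```

The wipe command is left commented out because it is destructive; run it only against the specific device identity returned by Get-MobileDevice for the lost unit. A five-character numeric PIN with ten attempts before wipe is a modest bar by itself, so, as the article notes, the device-side encryption and the inactivity lock are what actually protect mailbox content on a lost phone.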

There was a lot of fear, uncertainty and doubt, Aske said, and the initial messaging didn’t account for that enough. However, he only received six complaints after the go live.

Meanwhile, Partners has a big software development shop, including its mobile EHR, Aske said. His team worked closely with the developers to make sure the apps being developed didn’t store data locally and were tested for vulnerabilities.

Partners’ strategy is not complete, Aske said. Several planned initiatives will build upon the first phase. A significant portion of BYOD Mac laptops need to be managed, and the organization will require individuals using one to install the Casper agent, which allows the IS department to ensure the devices are encrypted and that they will be remotely wiped if lost or stolen. Partners also just completed implementation of network access control (NAC) to segment the network, preventing devices that are not managed from connecting to the core clinical/research environment and granting them only an internet connection. While it was a “big, messy effort,” the pilot was very positive, he said. Essentially, Partners is going to use NAC to segment the network into classes of assets being managed. People can enroll their device and download the agent that will run on the device, allowing it to “phone home” and confirm that it is a trusted device.

“This is a pretty solid strategy for getting some control over the assets,” he said. Partners has “gone from an organization that buried its head in the sand to one that was out in front telling its workforce the rules of the road.”

He cautioned against aiming for perfect security because it’s not possible. “It’s always about reducing risk to an acceptable level. You’re going to have some outliers and some things that are difficult to pin down but if you try to pin it all down you’re boiling the ocean and getting nothing done. Tackle what you can.”

Beth Walsh, Editor
