In this unit, we discussed the growing trend of BYOD (Bring Your Own Device) and some of the challenges associated with it. There has been some talk in the news in the past concerning users, their own devices, and security concerns. For example, in health care, many doctors prefer to use a tablet for electronic medical records, and many are using their own devices to connect to web-based services. What concerns could there be with HIPAA, and how could they be mitigated?
Another example is government workers. President Obama is the first US President to carry a BlackBerry (why not an iPhone?), and former Secretary of State Hillary Clinton chose to use her own device and email, thus none of her communications in her official capacity are available for public review. What are some concerns with these trends, and how have they been / could they be mitigated?
I think the biggest concern is that the business or agency, without any contractual language, has no control over that device. With a completely open “BYOD” policy, an employee could bring in their tablet running an unpatched Windows 7, browse with an old version of Internet Explorer, and store data without any antivirus protection at all.
The best way to mitigate this would be to have specific language in employee manuals/contracts stating that if you’re accessing data owned and controlled by the employer, then that device is subject to the same set of controls that an employer-owned system would have. For example, your tablet would have to run the most up-to-date Windows 10 with the same antivirus that the employer uses across its enterprise. A more effective method might be for the employer to provide a device that’s owned and maintained by the employer but fits the form factor desired by the employee. The employee loses the flexibility of deciding whether they have a Microsoft Surface tablet or an HP tablet, but it gives the employer a level of control over the device and knowledge of what’s consuming sensitive data. The obvious restriction on this is that not all employers have the resources to provide any device that an employee wants.
Darin,
I think the idea of contracts/manuals/policy is good, but it really doesn’t account for negligence or outright malicious intent on the part of the user. It ensures that someone is held liable for a breach, but does not address the complexity of maintaining a secured BYOD infrastructure. Mobile devices come in all shapes and sizes, with different OSes and OS versions. Take, for example, Apple iOS 10.0.1, which was released recently; a couple of weeks later it was exposed to a zero-day vulnerability. Imagine all the users who had updated their iPhones as soon as the update was released and used them to access corporate resources. During this time, the company was still in the process of testing iOS 10.0.1. In the traditional sense, these updates and patches are tested by the company before they are disseminated to its devices (laptops and company-owned devices). With BYOD, the control is very limited.
The second part is that if the company provides these devices for the people who need them, then the cost will start to rack up. Everybody wants convenience, and giving them another device that they have to carry around is sort of counter-intuitive. Like you said, policies and guidelines play an important role in BYOD, and some of the things to consider for mitigation are back-end firewalls, access controls, and defense in depth.
BYOD plays an important role in delivering convenient services to end users’ satisfaction while trying to keep everything secured. In the medical field, HIPAA rules have high security requirements related to Electronic Medical Records and keeping all the data undisclosed by BYOD. One example of disclosure would be a situation where a BYOD user uses his/her device to take a picture of the EMR system displaying a patient’s records and then accidentally uploads it to social media. Also, if a BYOD device has no protection and has malware on it, all work-related content could be compromised and disclosed to the public.
Government workers have even greater exposure to compromise and attacks, given the nature of the data content and email communications, which are very valuable to intruders. Clinton’s emails are one example of a huge compromise, simply because the email server was not part of the TOS mandatory security controls.
Some BYOD security measures could include making sure that the device has a PIN code to lock the screen, and a GPS locator and content eraser enabled so that all data is wiped in case the device gets lost or stolen. Also, if a BYOD device is being used on the corporate network, then it would be best practice to have device- or user-based authentication such as the EAP-MS-CHAP protocol. Moreover, it would be best to isolate BYOD devices based on type and nature of use by segregating traffic using VLANs with their own security and DLP controls.
An advanced security mitigation for BYOD is the well-known MDM (Mobile Device Management) solution, which would enable total or partial control of the entire device or just a portion of its content such as email, especially if the communication and content contain the government’s confidential data. The WebAuth protocol is also a great solution to pre-authorize a device before it is even allowed to be used on the network, which would also require consent to an Acceptable Use Policy for legal protection.
Ruslan,
Good examples for both questions. In particular, I’ve encountered MDM when I worked for a company that used G Suite (Gmail) for company correspondence. I toyed around with the idea of adding my company email to my personal Android device, but quickly dropped that idea when I realized I would be forced to accept that the company was then granted permission to remotely wipe my device.
No way!
I think the most daunting obstacle facing BYOD is for the company to manage sensitive information that is on devices that aren’t company property. When users are suspected of improper behavior on company machines, it is a simple matter to get on that system and investigate. However, if the device isn’t owned by the company, getting access to it could require legal action.
Another issue is the management of the information on the device. A business can implement an array of security measures on devices within its facilities and, as a result, is intimately familiar with the security of the information on these devices. On the other hand, a company has no idea how secure an employee’s device is and no way of tracking the activity on the device. To remedy this issue, the company can get antivirus programs that are mobile-friendly to install on BYOD devices, but these technologies are fairly immature and increase expenses.
In terms of government officials using their own devices, the scandals surrounding Hillary Clinton’s private email server show how complicated this issue can get. When government information that is heavily regulated is concerned, BYOD is not a safe option. Until you can guarantee complete access to all pertinent work data on a personal device without also accessing the personal data (or maybe, if a user wants BYOD, they forfeit their right to privacy on that device? Definitely a controversial issue.), BYOD programs have no business in organizations that deal with highly sensitive data.
The idea of BYOD terrifies me in general, but BYOD in organizations that deal with highly sensitive data is even more terrifying. I agree that the current best solution to BYOD is that the individual forfeits any legal right to the data on the device and only has a right to the physical device itself. I think that an organization has to be able to load its own security software onto the device and have full rights to any controls surrounding the device. These are things that I personally would not be OK with, and therefore I would not participate in the BYOD program if it was offered at my work. I don’t really see the upside to it from an employee’s perspective. Until we can figure out a better system that allows the data to be secure without having the users forfeit rights to the personal data on the device and personal agency over the device, I do not think it is a very viable option for organizations with highly sensitive data.
There are a lot of security risks in letting employees store sensitive data on their personal devices: what happens if a device is lost, stolen, or infected with malware? A company has less control over the devices it doesn’t own, making it easier for sensitive data to be compromised. Company-issued devices usually come with an acceptable-use policy, but it’s a lot more difficult for IT to tell workers what is acceptable on their own smartphones and tablets. Plus, when an employee leaves the company, his device leaves too, and the organization might be unable to reclaim sensitive data.
In the case of HIPAA, patient privacy is often the first thing people bring to mind when thinking of the potential downsides of using mobile devices in the health care industry. Failure to properly implement a BYOD program for your hospital or healthcare facility can be extremely costly because the HITECH Act has allowed enforcement of HIPAA in the form of strict penalties.
An application-layer firewall and unified threat management can help secure a BYOD strategy at your facility, once these devices are appropriately synced with your existing security systems. Make these security measures mandatory for any employees taking part in BYOD.
Most importantly, setting guidelines and educating staff will assist your IT department in implementing any necessary security measures on your staff’s personal mobile devices. Clearly define what applications cannot be used, what devices should be connecting to when in the office, what activities are prohibited, what information is too sensitive to transmit, etc. BYOD should also be built with a cryptographic erase mechanism that lets all data be erased in case the device gets lost.
https://getreferralmd.com/2013/12/byod-issues-healthcare/
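The cryptographic erase mentioned in the post above (and the remote wipe several posters ask for) works by keeping the data key, not the data, as the only thing a wipe has to destroy. The example below is added here to illustrate that mechanism and is not code from the original thread or from any cited source. It is a constructed Python demonstration: records are encrypted under a random data-encryption key (DEK), the DEK is stored only wrapped under a key derived from the device PIN, and a wipe deletes the wrapped DEK. The cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, chosen so the example runs on the standard library alone; a real container would use an authenticated cipher such as AES-GCM. Container layout, names and the sample record are assumptions of the example.

```python
"""Cryptographic erase for a BYOD data container (illustrative, standard library only)."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 100_000


def derive_kek(pin: str, salt: bytes) -> bytes:
    """Key-encryption key derived from the device PIN (assumed 4+ digit PIN)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for a real stream/AEAD cipher."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce(16) || ciphertext || tag(32)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or tampering."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class EncryptedContainer:
    """Per-app store whose only secret at rest is one PIN-wrapped DEK."""

    def __init__(self, pin: str):
        self.salt = os.urandom(16)
        dek = secrets.token_bytes(32)
        self.wrapped_dek = seal(derive_kek(pin, self.salt), dek)
        self.records: list[bytes] = []      # ciphertexts; may linger on flash after a wipe
        self._dek = dek                     # plaintext DEK lives in memory only while unlocked

    def store(self, data: bytes) -> None:
        if self._dek is None:
            raise PermissionError("container is locked or erased")
        self.records.append(seal(self._dek, data))

    def lock(self) -> None:
        self._dek = None

    def unlock(self, pin: str) -> list[bytes]:
        """Unwrap the DEK with the PIN and return all records decrypted."""
        if self.wrapped_dek is None:
            raise PermissionError("container has been cryptographically erased")
        try:
            self._dek = open_sealed(derive_kek(pin, self.salt), self.wrapped_dek)
        except ValueError:
            raise PermissionError("wrong PIN") from None
        return [open_sealed(self._dek, r) for r in self.records]

    def crypto_erase(self) -> int:
        """Remote-wipe action: destroy the wrapped DEK and any in-memory copy.
        Constant time regardless of data volume; returns the number of records now unrecoverable."""
        self.wrapped_dek = None
        self._dek = None
        return len(self.records)


def demo() -> dict:
    """Walk through store -> lock -> unlock -> wrong PIN -> erase -> unlock fails."""
    box = EncryptedContainer("4821")                       # constructed sample PIN
    box.store(b"MRN 00012345: lab result pending")          # constructed sample record
    box.lock()
    recovered = box.unlock("4821")
    try:
        box.unlock("0000")
        wrong_pin_rejected = False
    except PermissionError:
        wrong_pin_rejected = True
    box.crypto_erase()
    try:
        box.unlock("4821")
        erased = False
    except PermissionError:
        erased = True
    return {"recovered": recovered, "wrong_pin_rejected": wrong_pin_rejected, "erased": erased}


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is that after crypto_erase() the correct PIN no longer helps: the ciphertext records are still present, but without the DEK they are indistinguishable from random bytes, which is what lets a remote wipe complete in milliseconds and survive a device that is already offline.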
Concerns with HIPAA are possible breaches, especially when healthcare providers use their personal devices to share personal health information (PHI) with another provider, e.g. the primary care physician sharing prescription information with the pharmacist or the X-ray tech showing an MRI to a physician. Also, patient information is shared with third-party vendors who are outsourced to analyze the data provided, e.g. X-rays and blood samples.
Storing ePHI data is also a concern especially if lost or stolen or if compromised due to weak passwords.
Mitigation solutions would be encryption, which can protect patient information as it’s transmitted around. To this end, device encryption should be a part of the health provider’s BYOD policy and should be enforced.
Another solution would be assigning a unique PIN for staff accessing patient data with a mobile device. BYOD users should only have access to an EHR system using a strict authentication process (i.e. strong passwords, smartcards, tokens).
Devices should also be audited regularly to ensure compliance.
There should also be set criteria for levels of access to infrastructure and systems for each employee. Security software on the BYOD devices should also be updated regularly.
There should be a method of remotely wiping the device should it be lost or stolen, and finally a password policy that can check that employees are using a strong password for the device and all applications, and that passwords are changed on a regular basis.
As government workers also access sensitive information, the same security measures can be applied to mitigate breaches. The main thing is that the government needs to come up with a strong policy that addresses BYOD, as it’s becoming quite common due to convenience and cost-saving measures.
A key thing with government, unlike the health sector, is that not everyone needs access to confidential information, so there should be restrictions on accessing critical government infrastructure. Do contractors need that level of access, such as Snowden or, recently, Harold T. Martin III?
The OCR issued a HIPAA Omnibus Rule that will enhance a patient’s privacy protections, provide individuals new rights to their health information and strengthen the government’s ability to enforce the law.
In healthcare, there is a concept called PHI- personal health information. In order to protect PHI and avoid the pitfalls of BYOD, providers must adhere to the HIPAA and HITECH guidelines for sending PHI.
Although BYOD provides staff with a flexible way of working, as they can do so from anywhere at any time, the matter of who is responsible for payment when a device requires a repair or user support can be problematic. Privacy is important for the owner of the device, but equally, organizations need to maintain some level of control over the data stored on employee-owned devices, especially when it comes to HIPAA compliance.
President Obama was required to use a modified BlackBerry for security purposes. The National Security Agency was responsible for first setting up Obama’s BlackBerry when he was president-elect in 2008. The phone was stripped of most of its functionality to make way for extra layers of encryption. I think Hillary Clinton did a good job of protecting her own privacy by using her own devices. However, as a government worker, she is now under investigation. It is difficult to view her computer records in this way. So the balance between privacy and control is the hardest thing about using a BYOD policy.
The issue with BYOD devices is that many people who bring these devices in do not have them readily updated. If these devices aren’t updated they can leave holes in your network creating a target for hackers to exploit. In order for people to bring their own devices in an organization a plan must be executed in order to make these devices safe before they connect to the network.
Hillary just lost the presidency and it’s a shock! There were a lot of issues around her email and how it was handled. Also, leaked emails from her campaign that created a huge scandal, justified or not, might have contributed to her loss.
I wonder why they are not encrypting all correspondence, and also whether there is a way to make it automatic and easy/safe to use.
BYOD is an increasing trend toward employee-owned devices within a business. BYOD increases productivity and flexibility by allowing employees to work using their familiar devices outside of the workplace, and also lowers the company’s acquisition costs. However, it also brings security issues such as data breaches. For healthcare organizations, BYOD presents big risks for HIPAA compliance. Allowing BYOD means patients’ PHI will be shared on many devices. It’s the responsibility of health care providers to ensure their employees are sending and receiving this data using secured and encrypted systems. However, many hospitals allowing BYOD are grossly noncompliant with HIPAA. Most of them have no BYOD policy to guide their employees, no enforcement or audit trail for the BYOD policy, and no training for employees. This leads to a risk of personal health information (PHI) breaches.
To mitigate the risk, healthcare organizations need to develop a thorough BYOD policy providing protection for PHI while still allowing employees the convenience of using their own devices. It should determine when, where, in what situations, how, and with what devices an employee can access the system from outside the company. For example, access must be through a VPN, and only registered devices can access the system. In addition, organizations must enforce the policy and provide training for employees to make them aware of their liabilities when using their own devices. For example, warnings may pop up when employees are using their own devices to send emails with PHI attached, to remind them that the liability is on them if they are not compliant with the policy. An audit trail is also necessary for control and monitoring.
In the case of Hillary Clinton, she used her personal email server for State Department business. This exposed the government’s classified data to the risk of a data breach. This is a good example that illustrates the vulnerabilities of BYOD. The purpose of Hillary using her personal server was probably hiding something. The FBI investigation concluded that Hillary was extremely careless in handling her email system. The Hillary Clinton email controversy taught organizations using BYOD that it’s important for them to keep control over employees’ personal devices.
References:
http://blogs.wsj.com/riskandcompliance/2013/09/26/hospitals-allowing-byod-face-complications-with-new-hipaa-rule/
Policies and procedures need to be in place to address the concerns of BYOD in the medical industry, specifically doctors carrying around their own devices and the possibility of a violation of HIPAA. For instances such as this, specific software and a BYOD policy must be in place for employees using their own device. For example, an IT team should coordinate with the employees and make sure any device being used has firewall/anti-virus software, a password for the user account, possibly two-factor authentication such as a retina scanner or thumbprint scanner, encryption software, and remote software so that if a device is lost, it can be wiped remotely. This will prevent data from being leaked and a potential HIPAA violation. Policies need to be in place that employees will only use devices that have been approved by IT, and that any changes in device must be reported to IT. A violation of the BYOD policy can lead to employees not being allowed to use their own device, or termination, depending on the severity of the violation.
BYOD can be helpful for both the IT team and the employee. For one, the employee is using a device they are used to using every day. This is helpful when becoming familiar with apps, software, etc. Second, this reduces administrative/IT costs for a company. Maintenance/updates, Group Policy, etc. do not have to be put in place. IT can focus on other parts of the infrastructure.
From my perspective, the debate I had with BYOD devices is not the way they are used, it’s how they access the applications that have PHI information. I have been OK with using any device as long as the application is accessible using an applet that was provided by IT support for the application on the device. The only application I can see using is Citrix. I have been a fan of Citrix, where the data can be used from an application that is being run on a corporate device and accessed through any device that has the receiver. When you are using a web application, PHI data can be sent and possibly stored on the device. Another example I have used is, when a device is requesting access to the network, to check and verify that AV is on the workstation or device. When it comes to using mail on a phone, there are ways to check for a password on the phone itself; otherwise the configuration would not be installed to allow mail to be accessible from the phone. Policies and procedures have to be in place to inform the user and allow IT to install software on workstations that are now owned by the hospital.
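Several posts above describe the same gate from different angles: check that a personal device is registered with IT, runs a current OS, is patched, has antivirus, a screen lock and encryption, and is MDM-enrolled before it may touch the network or the EHR, and keep an audit trail of the decision. The example below is added here to show that posture check as code; it is not from any post in the thread or from any NAC/MDM product. The posture records, the registry of approved device IDs, the policy thresholds and the field names are all constructed assumptions of the example; a real deployment would take them from the MDM or NAC agent's attestation.

```python
"""Device posture check for BYOD network/app access (constructed example)."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Policy:
    min_os: dict                     # platform -> minimum version tuple
    max_patch_age: timedelta         # how old the last OS patch may be
    max_attestation_age: timedelta   # how old the posture report may be
    required_flags: tuple = ("av_enabled", "screen_lock", "disk_encrypted", "mdm_enrolled")


@dataclass
class Decision:
    device_id: str
    allowed: bool
    reasons: list


def parse_version(text: str) -> tuple:
    """'10.0.19045' -> (10, 0, 19045); tuples compare element-wise, shorter wins on prefix."""
    return tuple(int(part) for part in text.split("."))


def evaluate(posture: dict, registry: set, policy: Policy, now: datetime) -> Decision:
    """Return allow/deny plus every reason for a denial (so the user can fix all of them)."""
    reasons = []
    if posture["device_id"] not in registry:
        reasons.append("device not registered with IT")
    if now - datetime.fromisoformat(posture["attested_at"]) > policy.max_attestation_age:
        reasons.append("posture report is stale; re-attest")
    minimum = policy.min_os.get(posture["platform"])
    if minimum is None:
        reasons.append(f"unsupported platform {posture['platform']}")
    elif parse_version(posture["os_version"]) < minimum:
        reasons.append(f"OS {posture['os_version']} below minimum {'.'.join(map(str, minimum))}")
    if now - datetime.fromisoformat(posture["last_patch"]) > policy.max_patch_age:
        reasons.append("OS patches older than policy allows")
    for flag in policy.required_flags:
        if not posture.get(flag, False):
            reasons.append(f"{flag} is off")
    if posture.get("jailbroken", False):
        reasons.append("device is jailbroken/rooted")
    return Decision(posture["device_id"], not reasons, reasons)


def evaluate_all(postures: list, registry: set, policy: Policy, now: datetime) -> list:
    return [evaluate(p, registry, policy, now) for p in postures]


def audit_record(decision: Decision, now: datetime) -> str:
    """One JSON line per decision, for the audit trail the posts above ask for."""
    return json.dumps({"time": now.isoformat(), "device_id": decision.device_id,
                       "allowed": decision.allowed, "reasons": decision.reasons})


# Assumed policy thresholds for the example.
DEFAULT_POLICY = Policy(
    min_os={"ios": (10, 0), "android": (6, 0), "windows": (10, 0)},
    max_patch_age=timedelta(days=30),
    max_attestation_age=timedelta(hours=1),
)

# Constructed device IDs that IT has approved.
SAMPLE_REGISTRY = {"tab-0142", "tab-0199"}

# Constructed posture reports, as an MDM/NAC agent might submit them.
SAMPLE_POSTURES = [
    {"device_id": "tab-0142", "platform": "ios", "os_version": "10.1.1",          # compliant
     "last_patch": "2016-10-28T00:00:00+00:00", "attested_at": "2016-11-01T08:30:00+00:00",
     "av_enabled": True, "screen_lock": True, "disk_encrypted": True, "mdm_enrolled": True,
     "jailbroken": False},
    {"device_id": "tab-0199", "platform": "windows", "os_version": "6.1.7601",    # the unpatched Win7 tablet, no AV
     "last_patch": "2015-01-10T00:00:00+00:00", "attested_at": "2016-11-01T08:45:00+00:00",
     "av_enabled": False, "screen_lock": True, "disk_encrypted": True, "mdm_enrolled": True,
     "jailbroken": False},
    {"device_id": "tab-0777", "platform": "android", "os_version": "7.0",         # healthy but never registered
     "last_patch": "2016-10-20T00:00:00+00:00", "attested_at": "2016-11-01T08:50:00+00:00",
     "av_enabled": True, "screen_lock": True, "disk_encrypted": True, "mdm_enrolled": True,
     "jailbroken": False},
]


if __name__ == "__main__":
    now = datetime(2016, 11, 1, 9, 0, tzinfo=timezone.utc)
    for d in evaluate_all(SAMPLE_POSTURES, SAMPLE_REGISTRY, DEFAULT_POLICY, now):
        print(audit_record(d, now))
```

Two design points worth keeping even when a product replaces this script: the attestation age check means an old "I was compliant" report cannot be replayed after the device drifts, and collecting every failing reason rather than stopping at the first lets the help desk hand the user one complete list instead of a series of rejections.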
Acceptance of a BYOD policy is definitely dependent on the business, deciding factors include:
What are the cost benefits?
What are the risks?
Who would be allowed to bring devices?
How will devices be monitored?
In organizations involving healthcare this can really present risks, and a cost-benefit analysis would have to be performed to see if it is worth it. Coming from a patient’s perspective, I’m not comfortable with a doctor having my health records on his personal iPhone. Mobile devices may be convenient for transporting patient information, but it would be much easier to secure if this were done with devices issued by the hospital. If cost is an issue, these devices should be limited to employees who will truly benefit from the mobility.
Business organizations are different; I can see the benefit in, say, a salesperson being allowed access to client information remotely, particularly those who spend much time offsite, i.e. salespeople, consultants, etc. Access to company information should be controlled via VPN with a multi-factor authentication system and strong passwords.
Any time BYOD is allowed, any device used should follow the standard I.T. policy used in the company. This usually means governance of the device is granted to the company which should act as a buffer to many individuals so only those who truly need it choose to accept.