In this unit, we discussed the growing trend of BYOD (Bring Your Own Device) and some of the challenges associated with it. There has been some talk in the news in the past concerning users, their own devices, and security concerns. For example, in health care, many doctors prefer to use a tablet for electronic medical records, and many are using their own devices to connect to web-based services. What concerns could there be with HIPAA, and how could they be mitigated?
Another example is government workers. President Obama is the first US President to carry a BlackBerry (why not an iPhone?), and former Secretary of State Hillary Clinton chose to use her own device and email, so none of her communications in her official capacity are available for public review. What are some concerns with these trends, and how have they been / could they be mitigated?
Fred Zajac says
Bring Your Own Device was supposed to be the answer to your company having access to you at all times. It was a way for you to work remotely without the company having to buy you equipment. The employee bought it themselves. Perfect! Well, this convenient and cost-effective strategy could lead to disaster for the owner and the organization.
What an organization has to think about is information shared and access available to BYOD devices. BYOD can be used for certain tasks, but only approved devices should be used to access sensitive information. A healthcare organization should not allow personal devices to connect to medical records. The hospital can purchase “community” tablets that doctors can use while in that specific area. They are not to be taken out of the assigned wing. The upfront cost will be higher, but will be cheaper than a breach from a BYOD.
BlackBerry phones run on a separate BlackBerry Enterprise Server. The BES was / is the most secure smartphone and service available because it uses proprietary technology to fully encrypt voice and data. The story included is over 3 years old, and BlackBerry has now made its security services available on iOS and Android phones. The security is why Washington is using BlackBerry devices.
As for Hillary Clinton, she chose to use her own device and email because of convenience over the BlackBerry device. The BlackBerry device for government protections will only allow one email address at a time. Therefore, a government user would have to send separate emails to each member. Imagine if you had to send the same email to 200 people, and had to do it one at a time. She decided to use a personal email server because it was faster, but against policy.
Why will she never get in trouble? Because this has been the standard since the “CrackBerry” came out under Secretary Colin Powell, and I believe it is still the practice of other government officials. Easier over secure.
Jason A Lindsley says
Great post, Fred. I was not aware of a few things you mentioned, including that a government user cannot send an e-mail to multiple e-mail addresses on a BlackBerry. In fact, I’m not really sure I understand how that makes it more secure! If you send the same e-mail to 200 people individually, how is that more secure than sending one e-mail to 200 addresses at once? Sounds like obscurity but not security!
I agree with your comments that BlackBerry and BES were the most secure option several years ago, but Mobile Device Management (MDM) solutions and container apps (e.g. AirWatch, Microsoft Intune, Good) have helped to improve security on iOS and Android devices. They provide the ability to enforce policy on users’ devices (e.g. password controls) and the ability to remotely wipe a user’s device.
I left my old company about 6 years ago, and we were able to connect to the Microsoft Exchange server simply using our network credentials and the native iOS apps. When I arrived at my current company this was prevented because of the security concerns. We were all required to use BlackBerry devices.
Regarding HIPAA, I agree with your comment that use of mobile devices for patient information should be limited to hospital-issued devices that do not leave the hospital. There is too much risk in allowing hospital employees to have access to confidential patient data on third-party devices.
Younes Khantouri says
Fred,
Bring Your Own Device (BYOD) can be a very conflicting issue with security. In so many cases, people don’t really realize that using their personal devices for work can lead to many security issues. Most companies force their employees to connect to IT resources using work devices, since most of them use a VPN as a secure way.
Fraser G says
BYOD is a nightmare for some and a big opportunity for others. I used to work at a startup that focused on getting data from legacy systems to mobile devices – we did things like APIaaS (API as a service), MBaaS (Mobile backend as a service) and really pushed the message that “this is happening, you can either embrace it or get run over by it.” Our pitch line included things like “every Jan your executive comes in with a new screen and they want to be able to use it.” I know the pain points for people who want to be able to use their phones to do work more efficiently; I also know the pain that the IT security guys face who have been told by peers and the industry to lock down their data on premise for the past several decades. This process of “mobile enablement” will take time. It’s happening, slower than I would have hoped, but the business needs win out over security concerns.
One of our pilot projects was focused on getting nurses to review medical charts while at home… The nurses would get patient data on an app on their tablet, review it and sign off on it, they could make some extra money while not on a shift. Our biggest hurdle for this project was HIPAA. We found HIPAA regulations to be so nebulous and complex that it wasn’t worth our effort.
I am all for patient privacy and rigorous standards; however, HIPAA doesn’t provide much of a benchmark (in my experience) to work with, they don’t have a standard set. Doctors and IT specialists will continue to walk a fine line between compliance and violation until we get more direction from the feds.
President Obama’s team no doubt chose a BlackBerry because of its security features. I believe that the first versions of the iPhone didn’t have the encryption protocols that BlackBerry did – Apple was focused on the consumer at that point, RIM was focused on business/gov.
Secretary of State Clinton decided to use her own device and email because she didn’t want her communications made public. According to Clinton, former Sec. State Colin Powell had set a standard of using private email – this apparently was a valid enough reason to dispense with regulations. The big difference between the two is that Clinton used a server she hosted at home, while Powell didn’t host his own server and in fact declassified all of his personal emails. Many of Clinton’s emails remain classified or “Deleted” to this day.
This sets a terrible standard for public office. Clinton is not the only one who engages in this kind of activity; however, the importance of her role 1) sets a de facto standard and signals to others that it is okay and 2) keeps her official state activity from being scrutinized. Sunlight is the best disinfectant!
I am loath to suggest more legislation and the creation of more government bureaucracy; however, I think that the legislative branch, along with the courts, should enact a stronger policy on record keeping (particularly in the executive branch) and have a repository of digital communications.
Fred Zajac says
Fraser,
Here is some information that may help you with “HIPAA… doesn’t have a standard”.
This link will show you NIST guidelines for the hardware:
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-124r1.pdf
This link will show you HIPAA regulations for Mobile Applications.
https://csrc.nist.gov/Presentations/2013/HIPAA-2013-HIPAA-Requirements-and-Mobile-Apps
They are recommended policy, but this is what HIPAA regulators will look for if the organization were to be breached, or during a random audit check. The results could lead to fines, penalties and/or other punishments.
Younes Khantouri says
Fraser,
In so many cases, people use their own personal computers and devices to access websites, which puts those devices at risk of becoming infected with viruses and worms. On the other hand, personal devices have very weak security, which can make them full of all kinds of viruses. Personal information, which can basically be sensitive information, can be at risk, especially if the employer wants to have access to the device.
Ahmed A. Alkaysi says
Every organization needs to have its own policy and standards for BYOD. HIPAA is a policy that states personal and medical information is required to be protected, but it doesn’t tell you anything about BYOD. People love to bring their own devices to work. They feel more comfortable being able to use their own devices as well as having the flexibility to work from anywhere. However, BYOD does pose risks to the organization, as confidential data can be saved on the personal device, or a virus residing on someone’s device can make its way onto the company network.
The easiest way to mitigate the above is by restricting BYOD access. This way, the organization wouldn’t even have to worry about it. If the organization does not restrict it, it must have a policy in place with clear standards and controls which explains what is allowed and what is not. Maybe they need to register the device to company networks before the employee can use it, or they need to remove specific apps from the company before they grant access. All this needs to be detailed in company policy. If there is no policy, then who decides what is allowed or restricted?
Oby Okereke says
BYOD is not necessarily nightmarish with regard to HIPAA policy compliance in protecting patients’ data. With the use of encryption and sandboxing, I believe covered entities and healthcare providers should be able to enjoy the same level of risk protection if the same data procedures are applied on mobile devices.
Neil Y. Rushi says
Bring Your Own Device in healthcare is a risky concept because doctors, nurses and other personnel are working with sensitive information of patients which, if breached, violates the HIPAA law. If someone does bring their own device and uses the wireless network of the hospital, IT should monitor it on the network so that they can audit the log files if something does happen. BlackBerry phones were built with security in mind, so that is the reason Obama used one – government officials communicate daily and in doing so, conversations can be about matters of national security. It allows IT to monitor and work with BlackBerry’s servers to track any oddities. With Hillary using her own email, it made tracking the emails impossible since it was her own and not issued by the government, so therefore she was in charge of it. Any time a company decides to implement BYOD, IT should have proper policies in place to monitor the devices and log the activities when they access an organization’s servers. I know at Verizon if we hook up a personal device to the computers or network, the IT security team can see everything on the phone since it’s their network and they don’t want to receive any harmful breaches.
Oby Okereke says
Neil, inasmuch as I agree with you, I speak from a place of working with mobile devices. Containerization can really handle and mitigate some of the risks that you have mentioned. With a Mobile Device Management tool, it has become rather easy to issue a remote wipe once a device is reported as stolen or lost. This ensures that any sensitive data on a personal mobile device is secured via remote wipe procedures.
Brent Hladik says
What concerns could there be with HIPAA, and how could they be mitigated?
Basically, the main concern with BYOD devices is that doctors will be putting sensitive patient information on their tablets and phones, then walking out of the hospital with them, potentially leaving patient data exposed to outsiders that might stumble upon them. One way to prevent this is to put tracking software on these devices and to make it mandatory that they don’t leave the office with them.
In terms of government workers doing this in high public-facing roles, I think it was a big mistake for Obama to lead the way in terms of BYOD devices in office, as that is what led to the Clinton email scandal. Had he not done that, Clinton’s outcome may have been dramatically different and she may have been the President.
The best ways to prevent issues with these are to ensure that people put these devices in lock boxes when going to a secure location, and also to make sure they get wiped when people leave their office or need to change equipment. Otherwise people are not going to be able to control these devices.
Donald Hoxhaj says
BYOD is definitely a positive move for some companies and negative for others. For companies that try to have employees bring their own device, it saves cost on having their own equipment and systems, reduces the cost of maintenance, and allows the employees to be flexible in their work, either from home or any other location. However, BYOD systems must be carefully monitored, authorized, and tracked for any leak of important information. As in the example given above, medical records are highly sensitive information, and therefore it is imperative to store the records of patients in a safe place out of the reach of unauthorized users. HIPAA calls for protection of patient health records in order to achieve quality in healthcare services. However, there are many concerns, such as mishandling of medical records because of open tablets or personal laptops within the office, accessing patient records from home as this might lead to network attacks from the home network, and most importantly theft of these devices.
All these factors are basically HIPAA violations and can lead to huge loss of patient information. The ways to mitigate such risks should be carefully handled. Organizations and hospitals can restrict BYOD access to only a few employees or doctors so that information is not leaked. Necessary safeguards should be in place by restricting access to devices using passwords and data encryption techniques. Doctors and employees need to be trained in how to keep their passwords in a safe place and not to keep mobile devices out of sight. All these measures can possibly prevent such leaks.
The concerns about government employees can be solved if there are appropriate network checks. No device used by a government employee should be outside the government network, and therefore checks and procedures have to be in place so that these employees have only private access to certain social media and other sensitive places.
Shi Yu Dong says
BYOD is unquestionably a positive move for a few organizations and negative for others. For organizations that endeavor to have representatives bring their own particular gadget, it spares cost on having their own gear and frameworks, decreases the cost of upkeep, and enables the workers to be adaptable in their work, either from home or some other area. Be that as it may, BYOD frameworks must be precisely checked, approved, and followed for any vital data being spilled. As in the case given above, therapeutic records are exceedingly touchy data, and along these lines it is basic to store the records of patients in a protected place out of the scope of unapproved clients. HIPAA calls for insurance of patient wellbeing records, keeping in mind the end goal to accomplish quality in social insurance administrations. Be that as it may, there are many concerns, for example, misuse of medical records due to open tablets or individual portable workstations inside the workplace, accessing persistent records from home as this may prompt system assaults from the home system, and above all robbery of these gadgets.
The worries about government representatives can be illuminated if there are suitable system checks. No gadget utilized by an administration worker ought to be outside the administration organization, and in this way checks and strategies must be set up so that these representatives have just private access to certain online networking and other delicate spots.
Younes Khantouri says
Bring Your Own Device (BYOD)
Bring Your Own Device (BYOD) can be a very conflicting issue with security. In so many cases, people don’t really realize that using their personal devices for work can lead to many security issues. Most companies force their employees to connect to IT resources using work devices, since most of them use a VPN as a secure way.
In so many cases, people use their own personal computers and devices to access websites, which puts those devices at risk of becoming infected with viruses and worms. On the other hand, personal devices have very weak security, which can make them full of all kinds of viruses. Personal information, which can basically be sensitive information, can be at risk, especially if the employer wants to have access to the device.
In Obama’s case, I feel that the ex-president of the United States of America was very confident in using his own BlackBerry for work because he believed that he had nothing to hide. On the other hand, I am sure that he didn’t know that anybody who had access to the BlackBerry server that manages users’ data could have access to all the ex-president’s activities. I believe that can reflect on the safety of the country and the ex-president as well.
I believe that Clinton decided to use her own device and email because she didn’t want people who work for the US government to know about her activities. As a conclusion, people use their own devices because they believe they are doing the right things. I believe that people shouldn’t use their own devices for work because they can put themselves and their companies’ IT resources at risk of being attacked.
Matt Roberts says
With regard to the health industry, BYOD could cause concerns with HIPAA because personal devices may not be secured at the same level as the organization’s infrastructure. Obviously, this would put the organization at greater risk of having patient data processed by that device breached. That would also raise the question of whether they took appropriate measures to protect the data on the unsecured device, even though they have secured their internal network. One way to address this could be mandating that any BYOD device would have to be configured and hardened to defined specifications before being used on the network.
When considering government workers, there is an idea that I’ve heard of being used in the private sector in which policy states that if an employee chooses to use their own device for work purposes, that device is then subject to company policy and is available for review if deemed necessary. In essence, this would treat personal devices as company devices and negate any expectation of privacy pertaining to the BYOD device.
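The posture gate Matt describes (a BYOD device must meet defined specifications before it touches the network), combined with the earlier point that patient records stay on hospital-issued devices only, as an added example that is not part of any post above. It assumes a hypothetical MDM export of one JSON record per device; the field names and policy values are constructed for illustration.

```python
import json
from typing import Dict, List, Tuple

# Hypothetical BYOD posture policy (constructed for this example).
POLICY = {
    "min_os": {"ios": "15.0", "android": "12.0"},
    "required": ["mdm_enrolled", "passcode_set", "storage_encrypted", "remote_wipe_enabled"],
    "forbidden": ["jailbroken_or_rooted"],
    # Data classes a personally owned device may never access, even when fully compliant.
    "corporate_only_data": {"patient_records"},
}

def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '15.4.1', '13' or '16.2 beta' into a 3-tuple so comparisons are safe."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    parts = (parts + [0, 0, 0])[:3]          # pad so '12' compares equal to '12.0.0'
    return parts[0], parts[1], parts[2]

def evaluate_device(dev: dict, policy: dict = POLICY) -> List[str]:
    """Return the list of failed controls; an empty list means the device is compliant."""
    failures = []
    for control in policy["required"]:
        if not dev.get(control, False):
            failures.append(f"missing:{control}")
    for control in policy["forbidden"]:
        if dev.get(control, False):
            failures.append(f"present:{control}")
    platform = str(dev.get("platform", "")).lower()
    minimum = policy["min_os"].get(platform)
    if minimum is None:
        failures.append(f"unsupported_platform:{platform or 'unknown'}")
    elif parse_version(str(dev.get("os_version", "0"))) < parse_version(minimum):
        failures.append(f"os_below_minimum:{dev.get('os_version')}")
    return failures

def access_decision(dev: dict, requested_data: str, policy: dict = POLICY) -> Tuple[str, List[str]]:
    """Posture failures plus the ownership rule: BYOD never reaches corporate-only data."""
    failures = evaluate_device(dev, policy)
    if dev.get("ownership") != "corporate" and requested_data in policy["corporate_only_data"]:
        failures.append(f"byod_blocked_for:{requested_data}")
    return ("allow" if not failures else "deny"), failures

def review_export(export_text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate every JSON line of an MDM export, keyed by device_id."""
    results = {}
    for line in export_text.strip().splitlines():
        dev = json.loads(line)
        results[dev["device_id"]] = access_decision(dev, dev.get("requested_data", "email"))
    return results

# Constructed sample export: one hospital tablet and three personal phones.
SAMPLE_EXPORT = """
{"device_id": "tab-01", "ownership": "corporate", "platform": "iOS", "os_version": "16.2", "mdm_enrolled": true, "passcode_set": true, "storage_encrypted": true, "remote_wipe_enabled": true, "jailbroken_or_rooted": false, "requested_data": "patient_records"}
{"device_id": "phone-02", "ownership": "personal", "platform": "Android", "os_version": "13", "mdm_enrolled": true, "passcode_set": true, "storage_encrypted": true, "remote_wipe_enabled": true, "jailbroken_or_rooted": false, "requested_data": "email"}
{"device_id": "phone-03", "ownership": "personal", "platform": "Android", "os_version": "13", "mdm_enrolled": true, "passcode_set": true, "storage_encrypted": true, "remote_wipe_enabled": true, "jailbroken_or_rooted": false, "requested_data": "patient_records"}
{"device_id": "phone-04", "ownership": "personal", "platform": "iOS", "os_version": "14.8", "mdm_enrolled": false, "passcode_set": true, "storage_encrypted": true, "remote_wipe_enabled": true, "jailbroken_or_rooted": true, "requested_data": "email"}
"""

if __name__ == "__main__":
    for device_id, (decision, why) in review_export(SAMPLE_EXPORT).items():
        print(device_id, decision, why)
```

phone-03 is fully compliant yet still denied, which is the point of separating the posture check from the ownership rule: hardening a personal device does not make it a hospital-issued one.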
Ryan P Boyce says
First and foremost, the largest area of concern with government employees using their own devices and IT platforms to run their infrastructure and services is that they lie outside the watchful eye of the people they serve. In the example of Hillary Clinton, she had her own ways of handling the retention of her emails. Whether she did or did not erase sensitive emails, she was still using a platform that was under her control, and this particular platform contained sensitive data about American people and American international affairs. In the case of doctors or medical personnel bringing their own devices to work, there is a huge concern for breaking HIPAA laws. Some doctors, working in the best interest of time, might choose to have a browser “remember their password” for a site. It has been shown that malware can obtain these saved passwords. Let’s say a hospital’s network was compromised and malware found its way onto a doctor’s tablet that was not updated. In the event that the doctor’s password was retrieved by the hackers, massive amounts of PII would be available to the attackers.
Sachin Shah says
Bring your own device is challenging in a workplace. One of the hard things is if you have Wi-Fi and how secure it is. Is there a standard account for employees and a guest account/password? I know companies block apps from being used on their Wi-Fi. I know my company bans the use of many dating or personal sites on their Wi-Fi. There are device management tools, as stated earlier, that can wipe a device upon it being lost. I feel that in healthcare, a clinician can NOT use a personal device and must use a work-issued device. If I use my work Wi-Fi with my personal device, my activities can be traced, but I don’t access patient data. Clinicians like to use their own device, yet IT needs them to be encrypted and not accessing patient data. There are always security threats of viruses on personal devices getting on the network.