The lingo of mobile health security is enough to make any healthcare leader’s head spin. But with this quick primer on a few of the basics, you’ll soon be exchanging IT jargon with the best of them.
If you’re a healthcare leader who’s ultimately responsible for what happens within your IT department, but not an IT expert yourself, welcome to the crowd. With the growth of digital health technologies, leaders everywhere are being called upon to expand their IT knowledge so they can participate intelligently in critical IT risk-management discussions and understand which security solutions are appropriate for the organization’s needs. But if you’ve ever participated in a meeting with a group of IT experts, the inherent lingo can leave you reeling and overwhelmed. Here, we’ll provide a few basics about mobile health security language and why it’s important, to help you navigate the IT security landscape of your own organization and make it a cyber-safer place.
Bring Your Own Device (BYOD) is probably something you’re already familiar with, and may be practicing yourself. Millions of employees around the world use mobile devices, and most combine business and personal use on the same device – a trend that’s quickly growing in MENA. A recent Ericsson report revealed that there are now 354 million mobile subscriptions in the region, and Netbiscuits research says 37% of UAE consumers use the mobile web more than six hours per day. Though a lack of formal BYOD policies may lure company leaders into an alternate reality, numbers these high likely reflect a proliferation of employees who are casually downloading company files and family pictures onto the same device.
Many security experts are waving the red flag about BYOD use, citing associated security risks, but companies often don’t heed the warnings. According to a recent Kaspersky study, “Global Corporate IT Security Risks: 2013”, a majority of GCC companies consider BYOD a growing security threat, but few plan to put restrictions in place regarding personal mobile device use in the workplace. In the GCC, 65 percent of companies voiced concerns about BYOD security, but only 8 percent planned to impose more stringent restrictions on use. However, in the UAE, where 67 percent of companies stressed their BYOD security concerns, there’s a stronger approach to restrictions, with 30 percent planning to restrict the number and types of devices used.
If you’re a healthcare leader, you can bet that BYOD is an issue in your organization, and something you should pay attention to.
Mobile Device Management (MDM)
Mobile device management means exactly that – the device itself is controlled by the company, even if the employee owns it. As discussed by Andrea Bradshaw and Sadik Al-Abdulla in their HIMSS14 presentation, “Securing Patient Data in a Mobilized World”, this device-centric approach incorporates the following strategies:
- Supporting device management
- Enabling device tracking
- Optimizing remote wipe capabilities
- Creating and enforcing a BYOD policy
- Procuring appropriate devices
- Implementing device management
- Activating devices appropriately
However, Bradshaw and Al-Abdulla note that MDM has certain limitations, since focusing solely on the device itself eliminates the ability to know how much or what type of sensitive data is on it – which may be compromised in case of a breach or loss.
From a distance, MDM may seem like a great solution for organizations that think the answer is simply to obtain control of personally owned devices. But such companies are meeting huge resistance from employees who are concerned about their own privacy and don’t want their family pictures tossed with everything else that will be wiped if they report a loss. According to a Forrester survey, this concern, along with unsupported device types and unsupported operating systems, was among the greatest employee concerns with a device management approach. Such limitations are exactly the reason why many experts recommend combining MDM efforts with our next area of mobile-security lingo, MAM.
Mobile Application Management (MAM)
Mobile Application Management focuses on taking charge of the apps needed to meet key business requirements, along with the secure functionality associated with them – usually within a customer relationship management (CRM) app. Using MAM, organizations can mandate encryption, operate according to policies that are based on employee roles, and control the removal of app data when a device loss occurs or an employee leaves the company.
MAM is enjoying increasing popularity because it controls how sensitive data is accessed while leaving employees in charge of their own devices. Proponents feel that in today’s world of expanding mobile device ownership and a proliferation of available applications, it’s the only way to go. John Herrema, Senior VP of corporate strategy for Good Technology, says,
“We’ve always believed that ultimately security and compliance boils down to being able to control the data. Trying to control the device, in a lot of cases, is neither necessary nor sufficient. A lot of the typical device management methods don’t work anymore in a BYOD world. You can’t tell a BYOD user who owns an iPhone 4S that they can’t use Siri or iCloud, or that they can’t use the App Store. At the end of the day, if you have control of your data and make sure that your data isn’t leaking off into personal applications and services, you don’t have to touch the rest of the device.”
As a healthcare leader, you have a mountain of responsibility – including the mobile health security of your organization. But with a team of your own IT experts to guide you, and the ability to understand some of their lingo, you’ll better ensure that the sensitive information flowing in and out of your organization is equipped with appropriate safeguards to keep it secure.