This article can also be found in the Premium Editorial Download "Pulse: Penn Medicine’s approach to managing BYOD and security."
Download it now to read this article plus other related content.
Balancing the appropriate security and privacy requirements with the delivery of clinical care and research is a fundamental need to consider in introducing certain types of emerging technologies into an academic medical center.
At Penn Medicine, the emerging trend of bring your own device (BYOD) was not so much about the "if" as it was about the "when." With almost 20,000 employees, the organization knew it would not be able to provision enough Penn Medicine-funded cell phones for all essential staff. Additionally, many of the key personnel, particularly clinicians, began carrying their own devices and using them as necessary for several kinds of work functions in addition to their personal use. Examples of this use included accessing Penn Medicine email and using several of the organization's core clinical applications. When information services started to get requests to connect these devices to the clinical systems and email messaging systems, it was clear that Penn Medicine had to find effective ways to secure them properly.
The main tenets associated with Penn Medicine for security and privacy include IT controls, compliance, identity management and user education. For clinical care and research, the focus is on exceptional quality, patient safety, innovative treatment, timely access, seamless care transition, translational medicine and personalized care. Enabling these capabilities in a secure environment is challenging when it comes to introducing hundreds -- if not thousands -- of personally owned devices from the employee base.
BYOD management and security
This article focuses on the best practices used at Penn Medicine to implement and manage mobile devices, specifically BYOD devices. Penn Medicine took a three-pronged approach to enable mobile productivity while managing potential mobile vulnerabilities.
The first part of the strategy focused on developing a method to support a full range of mobile devices. While the organization knew that enterprise standardization is key to managing technology costs, being flexible and agile in the BYOD space was going to be essential -- particularly as the device landscape changed and the employees sought out the most current devices available in the market. Whenever the opportunity presents itself, employees are encouraged to choose specific types of iOS devices simply because a broader set of clinical applications is available at Penn Medicine with this operating system. As time goes on and the technology evolves, information services may ultimately recommend additional kinds of mobile devices.
More resources from the experts at Penn Medicine
Building infrastructure resilience for disaster preparedness
The second part of the best practice strategy involved developing policies to govern the appropriate corporate use of the mobile devices. The policies and compliance requirements are consistently the same for both BYOD devices and devices provisioned by Penn Medicine, as the organization wanted to ensure there is no confusion regarding proper security when it comes to any device that has access to Penn Medicine's messaging systems, clinical systems and the associated business-related or patient data.
The implementation of these policies allowed Penn Medicine to take the opportunity to conduct user awareness and user education sessions. While users have demonstrated the need for clarity to understand the organization's requirements and ability to "manage" the BYOD devices, once the employee understood the intent and the rationale, compliance was not an issue. Some of the common misconceptions and concerns expressed regarding policy included: tracking where the employee was by using the device GPS services and accessing the private pictures and documents on the device. In some rare cases, Penn Medicine employees opted out from using their BYOD devices for access to the Penn Medicine systems.
The other complement to the BYOD management strategy addressed configuration standards designed to secure the device and protect Penn Medicine information. It was decided that it was crucial to implement a mobile device management (MDM) system that secured both Penn Medicine devices and BYOD devices in the same exact manner.
Several key requirements were formed, which were insisted upon when it came to selecting an external MDM system vendor. The system needed to be centrally managed in order to control the entire mobile device environment from a single console. Penn Medicine wanted visibility into the entire environment to ensure protection against security vulnerabilities.
The MDM solution needed to be able to enforce a strict password policy and device encryption. It was critical to have a tool that remotely managed these control features rather than allowing users to turn them off at any time. Additionally, the MDM had to be capable of leveraging location services and enabling a remote wipe to clean the device if it was either stolen or lost. The organization's security best practices have demonstrated this would be a key feature relative to supporting thousands of mobile devices (both provisioned and BYOD) in Penn Medicine's environment. Penn Medicine also looked for an MDM system that allowed information services to manage the applications on the device and prevent unauthorized and unlicensed software.
Some requirements that were implemented from a user perspective included routine scanning, which ensures that the devices do not have any new software that could make the device vulnerable to data security threats. Penn Medicine also used the features of the MDM tool to disable file sharing, which prevents mobile device users from inadvertently sharing files that could potentially contain protected health information (PHI).
Lastly, Penn Medicine required the MDM have an agent that was non-invasive and did not impact performance or battery life on the mobile device. Penn Medicine required that a user's mobile device that has access to messaging systems or clinical applications must have the MDM agent installed and running on the device. Exception reports are monitored on a daily basis to ensure the devices are secure and the MDM agent is working properly.
Device management targets HIPAA omnibus
While information services designed this MDM initiative as part of an overarching multi-year security and privacy program, it is believed that it has positioned Penn Medicine to address the requirements of the new HIPAA omnibus privacy and security rule. One of the major concerns among CIOs in health care these days is protecting data at rest, and more specifically, a potential breach associated with the loss or theft of a mobile device that contains PHI. As important as it is for the organization to provide new technology and its emerging capabilities at Penn Medicine, it is crucial to offer it in a measured approach to minimize the potential for a breach. Information services has conducted a security risk assessment, completed by a broad-based IS team lead by our chief information security officer. The findings are also reviewed with the organization's chief compliance officer and other key execs on a regular basis.
Penn Medicine wanted visibility into the entire environment to ensure protection against security vulnerabilities.
Information services has remained dedicated to the successful rollout of the tool and has a full-time person that is monitoring the use of the MDM tool and the associated compliance. All net new devices at Penn Medicine are provisioned with the MDM agent already installed. Additionally, information services enforces the use of the MDM agent with all new requests for BYOD devices that need access to the messaging systems or the Penn Medicine clinical systems. The organization has worked diligently on providing communication and user education through emails and published website support material. The intranet site includes frequently asked questions and provides details about installation and usage guidelines. The compliance numbers have remained high and information services has been able to count on executive level support of this initiative.
Protecting patient data at rest on mobile devices is both a challenge and an opportunity to safely provide users with new ways to access information. When you consider that it must be done for both provisioned devices as well as BYOD devices, the complexity increases as the technical capabilities and environment expand.
Health care organizations must follow security best practices and implement the right tools to meet the demands of HIPAA compliance. Penn Medicine information services believes there are three things that must be done now when it comes to being compliant in time for BYOD devices with PHI data:
The first is conducting a formal security risk assessment. This risk assessment should include risks, existing controls and end state desired controls. Assigning risk scores and dashboard colors that illuminate significant risks is a helpful approach to complement the assessment and show progress of goals over time, as well as focus on the priorities and effectively communicate progress.
The second component is having a solid security program in place that addresses access, monitoring and management. At the access layer, address user permissions, role templates, data encryption and physical controls. At the monitoring layer, address scanning, logs, filters and access. Finally, at the management layer, address device inventory, standards enforcement, individual behavior (policies) and risk management. These three layers are tightly integrated to provide a framework for individual initiatives like MDM for BYOD devices.
The last component is having an MDM tool in place to lock down the BYOD devices that will have access to PHI data. There are a number of good products in the marketplace. You must first decide whether you want to host the solution yourself or select a service model for the software. In either case, you want to look for a tool that is scalable and will meet your basic requirements, such as wiping the BYOD device clean if it is lost or stolen with PHI data on it. The combination of the security risk assessment, a formal security program and a reliable MDM tool is a smart and efficient way to securely manage the risks associated with BYOD devices in health care.
About the author:
John Donohue is the associate chief information officer at the University of Pennsylvania Health System (UPHS). Let us know what you think about the story; email email@example.com or contact @SearchHealthIT on Twitter.
This was first published in March 2013