Effective iPad security policy enforcement for health care

Using native and third-party iPad management tools will help health care providers enforce the security, privacy and risk management policies needed to let doctors use the devices.

As iPad popularity grows among health care professionals, IT and network administrators must find more effective ways to manage associated security risk. Policies to ensure the safety of electronic medical records and communications are essential, but don’t stop there. Use iPad management tools to deliver reliable, scalable iPad security policy enforcement.


Before tapping the iPad to enhance the quality and efficiency of medical service delivery, administrators must identify related threats and apply compensating controls to manage risk.

Fortunately, Apple Inc.'s iOS 5 -- the operating system that powers the iPad -- supports many mobile security best practices, including authenticated access control, full-device encryption and automated or remotely initiated data wipe. For secure communication, iOS 5 supports Secure Sockets Layer / Transport Layer Security (SSL/TLS), Virtual Private Network (VPN) and Wi-Fi Protected Access (WPA2).

However, iPads must still be provisioned for safe use. Settings must be changed to require a password and auto-wipe after repeated failures, and permission must be granted to remotely find or wipe a lost or stolen iPad. Exchange, Post Office Protocol (POP), or Internet Message Access Protocol (IMAP) credentials must be entered before email messages, contacts, and appointments can be synchronized. Private wireless local area network (WLAN) and VPN connections cannot be established until network settings have been configured.

Health care organizations cannot rely upon end users to configure these controls. Regulations require such organizations to ensure and document proper provisioning, promptly detect and remediate non-compliance, prevent unauthorized access to sensitive systems and report potential electronic medical record breaches. These iPad security policy needs can be met by leveraging the device's native management interfaces.

Build native configuration functions into iPad security policy

Administrators can provision any iPad by installing Configuration Profiles: XML files containing desired device settings. For example:

  • A Passcode Policy profile can require a passcode while setting minimum length/complexity and maximum age/retry rules.
  • An Exchange profile can configure an email account with a specified server name/address, email address, username, and password/certificate while preventing message forwarding or requiring Secure Multi-Purpose Internet Mail Extensions (S/MIME) signing and encryption.
  • A VPN profile can provision an iPad with a Layer Two Tunneling Protocol (L2TP), Point-to-Point Tunneling Protocol (PPTP), or IPsec tunnel endpoint, including shared secret or certificate and XAUTH username.
  • A Wi-Fi profile can configure a wireless LAN’s network name, encryption type, and pre-shared key or Extensible Authentication Protocol (EAP) credentials, including username, identity, and password or certificate.
  • A Restrictions profile can disable built-in iPad capabilities, including camera, screenshot, and user acceptance of untrusted web server certificates.

These and other iOS Configuration Profiles can be locked to prevent snooping and removal. For example, an encrypted password-protected VPN profile could be emailed to every employee given access to a private network, but only users who knew the profile’s password could successfully install it. However, authorized workers could still install the same profile on unapproved devices (e.g., personal iPhones) or change VPN settings. Fortunately, device enrollment and ongoing monitoring can prevent those pitfalls.
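Because a Configuration Profile is an XML property list, it can be reviewed before distribution. The following is an added example, not code from the article or from Apple: it parses a constructed, deliberately weak profile and reports settings that fall short of policy. The payload types and keys are Apple's configuration profile keys; the thresholds, the sample values, and the decision to flag WEP and PPTP are assumptions.

```python
import plistlib

# Constructed sample profile (not from the article): weak on purpose.
WEAK_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "org.example.hospital.ipad",  # placeholder
    "PayloadRemovalDisallowed": False,
    "PayloadContent": [
        {"PayloadType": "com.apple.mobiledevice.passwordpolicy",
         "forcePIN": True, "minLength": 4, "allowSimple": True},
        {"PayloadType": "com.apple.wifi.managed",
         "SSID_STR": "ExampleClinical", "EncryptionType": "WEP"},
        {"PayloadType": "com.apple.vpn.managed", "VPNType": "PPTP"},
        {"PayloadType": "com.apple.applicationaccess",
         "allowCamera": False, "allowUntrustedTLSPrompt": True},
    ],
})

# Assumed hospital policy thresholds; adjust to the written policy.
MIN_PASSCODE_LEN = 6
MAX_FAILED_ATTEMPTS = 10

def audit_profile(data: bytes) -> list[str]:
    """Return findings for one unsigned, unencrypted profile."""
    profile = plistlib.loads(data)
    findings = []
    if not profile.get("PayloadRemovalDisallowed", False):
        findings.append("profile: user can remove it")
    for p in profile.get("PayloadContent", []):
        kind = p.get("PayloadType")
        if kind == "com.apple.mobiledevice.passwordpolicy":
            if not p.get("forcePIN", False):
                findings.append("passcode: not required")
            if p.get("minLength", 0) < MIN_PASSCODE_LEN:
                findings.append("passcode: minLength below policy")
            if p.get("allowSimple", True):
                findings.append("passcode: simple values allowed")
            if not 0 < p.get("maxFailedAttempts", 0) <= MAX_FAILED_ATTEMPTS:
                findings.append("passcode: no auto-wipe after failed attempts")
        elif kind == "com.apple.wifi.managed":
            if p.get("EncryptionType", "None") in ("None", "WEP"):
                findings.append(f"wifi {p.get('SSID_STR')}: weak or no encryption")
        elif kind == "com.apple.vpn.managed":
            if p.get("VPNType") == "PPTP":
                findings.append("vpn: PPTP tunnel configured")
        elif kind == "com.apple.applicationaccess":
            if p.get("allowUntrustedTLSPrompt", True):
                findings.append("restrictions: user may accept untrusted TLS certs")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_profile(WEAK_PROFILE)))
```

A signed or encrypted profile is not a bare property list and must be unwrapped before this check can read it.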

Enhance iPad security policy with mobile device management

In fact, Configuration Profiles can be installed in four ways: pushed from the iTunes Configuration Utility to a USB-connected iPad, emailed to an iPad user, downloaded onto an iPad from a website, or installed through a mobile device management (MDM) system. The last of these requires that an iPad user visit the organization's MDM enrollment portal.

During enrollment, the user is authenticated and the device itself can be checked against iPad security policy. Only authorized iPads can complete MDM enrollment, during which they are issued a device certificate and must grant permission for MDM management and monitoring. Thereafter, the organization's MDM can install, replace, and remove Configuration Profiles and, perhaps, Application Profiles as well.

To exert this centralized IT control over iPads, a health care organization must either install its own iOS-capable MDM platform or purchase a managed or cloud MDM service. MDMs that can manage iPads are readily available from dozens of vendors. While each MDM is to some degree unique, all use the Apple Push Notification Service (APNS) and native iOS MDM APIs to communicate securely with enrolled iPads.

These APIs support iPad device enrollment, device provisioning (based on Configuration Profiles), device monitoring, application install/license/remove (based on Application profiles), and IT-initiated remote lock, passcode clear, and wipe actions. MDMs leverage these APIs to deliver near-real-time visibility and control over enrolled iPads, including security policy enforcement. In addition, some vendors offer an optional iPad MDM application that users can download from Apple's App Store and install to deliver deeper device insight -- most notably, jailbreak detection.


How MDM can enforce iPad security policy

MDMs not only make device management more scalable; they can help any organization report on security posture, detect iPad security policy violations, and take immediate action to prevent network intrusion or data breach. Such management tools are especially important in regulated environments such as health care.

For example, MDM enrollment can stop a physician from manually provisioning her own personal iPad with an otherwise valid Configuration Profile. Instead, each physician can be invited to visit the hospital's MDM portal and enroll his or her own iPad, linking each authorized device to user credentials and associated security policies. At any time, IT administrators can now generate reports listing all authorized iPads, who owns them, when they were provisioned and the last time they were contacted.

Suppose that policy requires passcode authentication, full-device encryption, and secure WLAN access to reach the hospital's Exchange server. If a physician should misplace his or her iPad, IT can immediately lock the device and disable both WLAN and Exchange access by removing those Configuration Profiles. Should the iPad go missing indefinitely, IT can remotely wipe the entire device or simply remove MDM control -- a step which also removes all settings, applications, and data installed by the MDM. Here again, MDM reports document when lock or wipe actions were taken, thereby avoiding any risk to electronic medical records or the need to report a potential data breach.

Over time, unmanaged mobile devices have a bad habit of drifting into non-compliance. Users may install risky applications, visit malicious websites, or connect to unencrypted WLANs, thereby endangering sensitive data and credentials stored on the device or enabling network intrusion. However, an iPad continuously monitored by MDM can routinely report its security posture -- for example, helping IT spot any iPads running blacklisted applications or connecting to open WLANs. Depending on the violation and configured security policy, MDM may notify the administrator or user, or quarantine or wipe the offending device.
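The posture check and graduated response described above can be sketched as follows. This is an added example, not any MDM vendor's code: the SecurityInfo and InstalledApplicationList field names follow the iOS MDM query responses, while the owner, last_checkin and missing_indefinitely fields, the blacklist, the seven-day window and the mapping of violations to actions are all assumptions, and the fleet records are constructed.

```python
from datetime import datetime, timedelta

# Assumed policy (hypothetical values, not from the article).
BLACKLIST = {"com.example.filesharing"}
MAX_SILENCE = timedelta(days=7)
ACTIONS = ["compliant", "notify", "quarantine", "wipe"]  # least to most severe

def evaluate(device: dict, now: datetime) -> tuple[str, list[str]]:
    """Return (strongest action, reasons) for one enrolled iPad record."""
    hits = []  # (action, reason) pairs
    sec = device["SecurityInfo"]
    if not sec.get("PasscodePresent", False):
        hits.append(("quarantine", "no passcode set"))
    elif not sec.get("PasscodeCompliant", False):
        hits.append(("notify", "passcode does not meet policy"))
    if sec.get("HardwareEncryptionCaps", 0) != 3:  # 3 = block- and file-level
        hits.append(("quarantine", "full hardware encryption not reported"))
    apps = {a["Identifier"] for a in device["InstalledApplicationList"]}
    for app in sorted(apps & BLACKLIST):
        hits.append(("notify", f"blacklisted app {app}"))
    if now - device["last_checkin"] > MAX_SILENCE:
        hits.append(("quarantine", "no MDM contact within allowed window"))
    if device.get("missing_indefinitely", False):
        hits.append(("wipe", "device declared missing"))
    worst = max((ACTIONS.index(a) for a, _ in hits), default=0)
    return ACTIONS[worst], [r for _, r in hits]

def fleet_report(fleet: list[dict], now: datetime) -> dict[str, str]:
    """Map each owner to the action the assumed policy calls for."""
    return {d["owner"]: evaluate(d, now)[0] for d in fleet}

# Constructed sample records.
NOW = datetime(2012, 3, 1, 12, 0)
OK_SEC = {"PasscodePresent": True, "PasscodeCompliant": True,
          "HardwareEncryptionCaps": 3}
FLEET = [
    {"owner": "dr.a", "SecurityInfo": OK_SEC, "last_checkin": NOW - timedelta(hours=2),
     "InstalledApplicationList": [{"Identifier": "com.example.ehr"}]},
    {"owner": "dr.b", "SecurityInfo": OK_SEC, "last_checkin": NOW - timedelta(hours=1),
     "InstalledApplicationList": [{"Identifier": "com.example.filesharing"}]},
    {"owner": "dr.c", "SecurityInfo": {"PasscodePresent": False, "HardwareEncryptionCaps": 3},
     "last_checkin": NOW - timedelta(days=9), "InstalledApplicationList": []},
    {"owner": "dr.d", "SecurityInfo": OK_SEC, "last_checkin": NOW - timedelta(days=30),
     "InstalledApplicationList": [], "missing_indefinitely": True},
]

if __name__ == "__main__":
    for owner, action in fleet_report(FLEET, NOW).items():
        print(owner, action)
```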

Ultimately, MDM cannot deliver total control or support every possible security policy. For example, Apple APIs do not allow MDMs to remove blacklisted applications. However, these management tools can help health care organizations reap the benefits of iPads while effectively and reliably managing associated risks.

Lisa Phifer is president of network security consultancy Core Competence Inc.