Solving Healthcare's Unique BYOD Security Challenges

By Rich Campagna, VP Products & Marketing, Bitglass
Stolen healthcare data is one of the hottest commodities on the black market, so cyber criminals in search of a huge medical data payday are increasingly targeting healthcare organizations. Major breaches at Anthem and Premera, where millions of customer records were stolen, have made headlines, but lost and stolen devices are a bigger cause for concern, accounting for a staggering 68 percent of all medical records breached.
Healthcare practitioners are as passionate about their mobile devices as anybody, and 90 percent of them use their personal smartphones for work. Most organizations use Mobile Device Management (MDM) to keep data safe on BYO devices. Unfortunately, MDM challenges like policy development, employee privacy concerns, deployment complexity, and high costs have inhibited BYOD adoption despite much promise.
Across all industries, 57 percent of employees decline to participate in BYOD programs due to privacy concerns, and technologies like Mobile Application Management (MAM) have failed to attract even 10 percent of the market. In healthcare, several unique factors make BYOD a bigger challenge than in other industries.
- HIPAA Compliance & Personal Health Information (PHI) — MDM solutions work by configuring devices to meet policy, but they do nothing to provide visibility or control over the data being downloaded to a device. This means that if an employee wishes to download a spreadsheet containing millions of patient records, there’s nothing you can do about it. The ability to mitigate risk by controlling access to corporate data is paramount. You may want to allow access to PHI from personal devices, but only up to a certain number of records, for example.
- Personal Privacy — People participating in BYOD programs simply don’t want IT “big brother” snooping on their personal data, applications, and location. MDM has gotten a bad rap in organizations, with many refusing to participate due to privacy concerns. What that typically means is that healthcare organizations make exceptions for those folks, allowing them to access data without MDM in place.
- Multiple Affiliations — For many providers, 30-40 percent of the people that need access to PHI and other sensitive data are affiliates, not employees. The challenge? There can be only one MDM profile per device. If Hospital A is already managing a surgeon’s personal device, Hospital B only has two choices: refuse access from that device, or make an exception and allow unprotected access to that data. In most cases, the exception wins, creating a security & compliance nightmare for IT.
- Deployment Complexity — MDM deployment has proved challenging for both IT departments and users. Any challenge that a user runs into means the potential for a costly helpdesk call and lost productivity. With users constantly upgrading to new devices and new software versions, the fact that MDM solutions have device and operating system dependencies is a real Achilles heel.
- Ease-of-use — Today’s practitioners are as busy as ever, and minutes can be the difference between life and death. Consumer mobile technologies are high quality and high-performance. Doctors, nurses, and other clinical staff expect IT to offer solutions that are comparable. Security solutions that slow clinicians down introduce risk, lower productivity and encourage employees to adopt workarounds that defeat security policies. For example, employees prefer familiar native email applications on their mobile devices for personal and work use. An MDM solution might force an unfamiliar third-party email client for work use, hampering the user.
So is there a secure, compliant future for BYOD programs? The next generation of mobile security solutions is agentless and data-centric, simultaneously addressing both IT and employee concerns with MDM and MAM. Such solutions work from the network, providing visibility and control over data flowing to the device, and achieving device-side data protection without the hassles of MDM agents and configurations. According to recent Bitglass survey data, 67 percent of employees would participate in a BYOD program if employers had the ability to protect corporate data but couldn’t view, alter or delete personal data and applications, and 64 percent of IT pros believe such a solution would make their BYOD program more successful.
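The data-centric control described above (a network-side policy that sees the records flowing to a device and caps PHI downloads for unmanaged or affiliate-owned devices) can be sketched as a small policy engine. This is an added illustration, not Bitglass code; the column names, device classes and per-class record caps are assumed values, and the CSV export is constructed for the example.

```python
"""Network-side, data-centric BYOD policy check (constructed example).

A proxy between the application and the device classifies the requesting
device, counts the PHI records in the response it is about to forward, and
blocks downloads that exceed the cap for that device class. Nothing has to
be installed on the phone, which is the agentless approach the text describes.
"""
import csv
import io
from dataclasses import dataclass

# Columns whose presence marks an export as containing PHI (assumed names).
PHI_COLUMNS = {"patient_id", "dob", "diagnosis", "ssn"}

# Max PHI records per download, by device class (assumed policy values).
RECORD_CAPS = {"managed": 10_000, "unmanaged_employee": 100, "unmanaged_affiliate": 25}


@dataclass(frozen=True)
class DeviceContext:
    user: str
    managed: bool      # device enrolled in this organization's MDM profile
    affiliate: bool    # affiliated clinician rather than an employee


def device_class(ctx: DeviceContext) -> str:
    """Map the request context to a policy class; affiliates get the tightest cap."""
    if ctx.managed:
        return "managed"
    return "unmanaged_affiliate" if ctx.affiliate else "unmanaged_employee"


def count_phi_records(csv_text: str) -> int:
    """Count data rows in a CSV export that carries at least one PHI column."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if not reader.fieldnames or not (PHI_COLUMNS & set(reader.fieldnames)):
        return 0
    return sum(1 for _ in reader)


def evaluate(ctx: DeviceContext, csv_text: str) -> tuple[str, int, int]:
    """Return (decision, phi_records, cap); 'block' when the download exceeds the cap."""
    n = count_phi_records(csv_text)
    cap = RECORD_CAPS[device_class(ctx)]
    return ("block" if n > cap else "allow", n, cap)


# Constructed 30-row PHI export, as a proxy might see it in an HTTP response.
SAMPLE_EXPORT = "patient_id,dob,diagnosis\n" + "".join(
    f"P{i:04d},1970-01-01,J45\n" for i in range(30))

if __name__ == "__main__":
    for ctx in (DeviceContext("dr.lee", managed=False, affiliate=True),
                DeviceContext("dr.lee", managed=True, affiliate=True)):
        print(device_class(ctx), evaluate(ctx, SAMPLE_EXPORT))
```

The same check can log the decision with the record count so compliance staff see how much PHI reached each device class, which an MDM profile alone cannot report.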
To meet the needs of both IT security and employees, and to ensure secure, widespread adoption of BYOD in the enterprise, it’s time for a data-centric approach to mobile security.
About The Author
Rich Campagna drives product management and marketing at Bitglass. Prior to becoming an integral team member at Bitglass in April 2013, he was senior director of product management at F5 Networks, responsible for access security. Rich gained valuable experience in product management and sales engineering at Juniper Networks and at Sprint before working at F5.