Rx for mThreats in Today's Healthcare Institutions

Post on 08-Jan-2022


Daniel W. Berger, President and CEO, Redspin, Inc.
P: 805.576.7158 E: dberger@redspin.com

Rx for mThreats in Today's Healthcare Institutions

Healthcare Experience

• Conducted HIPAA Security Risk Analysis at ~100 hospitals in past 18 months

• Soon-to-be published paper: “Is PHI Data Security Really Possible in a Mobile World?”

Meaningful Healthcare IT Security ®

Technical Expertise

• Penetration Testing
• Web Application Security
• HIPAA Risk Analysis
• Mobile/Wireless Security
• Security Awareness Training

The Mobility Explosion

• As of Q1 2012, 50.4% of all U.S. wireless subscribers had a smartphone (Nielsen)

• Nearly 1/3 of mobile workers use more than 1 mobile device
• # of public Wi-Fi hotspots doubled in 2011
• U.S. tablet users will double this year to ~70 million, about 29% of all internet users (eMarketer)

Devices and Connectivity

The Mobility Explosion

• Email access via mobile rose 36% in past year (Comscore)

• >500,000 apps in Apple Store, >200,000 in Android Marketplace

• Lots of cloud services

• Word documents, spreadsheets, PowerPoints, embedded cameras, JPG, video, etc.

• “Smartphones and Tablets (lightweight O/S) will surpass desktop as primary user interface in enterprise computing by 2015” (Gartner)

• “80% of doctors use mobile devices, primarily smartphones and tablets” (Float Mobile)

Applications and Trends

Social Connectivity: Anyone, Anywhere, Anytime

Source: Frost & Sullivan

Evolutionary Change?

“What were once vices are now habits.” - The Doobie Brothers

BYOD: HYPE OR REVOLUTION?
Are your employees armed and dangerous? (They seem like such nice, well-meaning people)

Lots of Vendor Propaganda

Publication                                                                    Vendor
The Ten Commandments of BYOD                                                   Fiberlink
10 Mobile Security Requirements for the BYOD Enterprise                        Accellion
BYOD in Healthcare Organizations: Top 6 Risks & How to Avoid Them              IBM
Addressing BYOD Security and Compliance through Mobile Risk Management         Fixmo
How to Enable Secure Access for BYOD at Work                                   Dell SonicWall
Rogue Mobile Apps: Trends, Threat Review and Remedies for BYOD Challenge       RiskIQ
Strong Authentication: Transforming BYOD challenge to BYOD opportunity         VASCO Data Security

BYOD Became an Olympic Sport

The Risks Are Real

37% of U.S. information workers are using BYOD at work before policies are in place

– Forrester Research, 1/11

46% increase in development of mobile device malicious software

– McAfee, 2/11

80% of CIOs believe BYOD use increases a company’s vulnerability to attack

– Ovum 11/10

The Threats Are Increasing

Source: IBM X-Force Research and Development

Mobile Operating System Exploits, 2006-2011

The Curious Case of PHI

• It’s meant to be portable
• Lots of needs for legitimate access
• Priority is availability, integrity, confidentiality (not CIA)
• Once breached, nearly impossible to cure
• Breaches can have serious medical consequences, even life or death
• A 9% rise in use of smartphones by doctors resulted in a 32% rise in data breach (Manhattan Research, 12/11)

The Curious Case of PHI

Security Crossroads

Secure Every Device?

“I told our CEO he should fire me if this doesn't work.” - Dale Potter, CIO, Ottawa Hospital

Risk Your Career?

Does Your Policy Allow Employees to Use Personal Mobile Devices for Work?

“… some CIOs need to put the brakes on BYOD initiatives until they can get policies and education in place.”

“State of Mobile Security,” InformationWeek, May 2012

Put the Brakes On?

The Facts of (Mobile) Life

• Consumer devices are already at work. (Oh yes they are)

• Employees want to be able to use them for both personal use and work. (So ultimately they will)

• The risk is already here. (Like, yesterday)

“We have met the enemy and he is us.” - Pogo

BYOD Security Risk Analysis

Typical Network Security Policies

Securing the Data

• User authentication
• Encryption
• VPN clients
• Secure email/text messaging
• Antivirus and malware
• Sandboxing
• Lost or stolen phone/tablet (remote wipe)
• Mobile Device Management System
  - Config control (including security features)
  - Patch management
  - Control network use based on user privileges
  - Integrate into help desk

The New Paradigm

User Centric

Device Centric

Collaborative

Authoritative

Devices Aren’t Mobile, Humans Are

Securing the People

• Who’s responsible? Legal? HR? IT? Security?

• Lack of precedent

• Involve users in creating policy

• All users need education on how to utilize a device on the network as part of a BYOD strategy

• Intel found 100% of employees would accept behaviour modification and training in return for freedom to use devices

• IT employees also need training on how to deal with specific scenarios

Policy

Training

Final Thoughts

• Resistance is Futile

• Compromise is Inevitable

• Managing Security = Reducing Risk

• People are the New Endpoints

Employee BYOD Use Survey (Free)

http://mobile.redspin.com
