Your Roadmap to Healthcare Security and BYOD

Upload: sierraware

Post on 14-Jul-2015


Your Roadmap to Healthcare Security and BYOD

Healthcare Security Checklist

Protect PHI

Mitigate BYOD risks

Apply dual factor authentication

Encrypt PHI data

Develop repeatable processes for compliance

Implement procedures and technologies

Healthcare Security Risks

96% of healthcare providers had one or more data breaches in the past 2 years [1]

[1] Dell SecureWorks
[2] 2014 Healthcare Breach Report

Data Loss

68% of healthcare breaches are due to lost or stolen mobile devices or files [2]

Impact of BYOD

BYOD: A Reality for Healthcare Providers

Healthcare IT is already rolling out mobile apps

to improve productivity and patient care

– 2 out of 5 doctors already use mobile devices during consultations [1]

Yet mobility also presents a threat…

– 3.1M smartphones were stolen in the U.S. in 2013 [1]

Source: Dell SecureWorks

Top Mobile Risks for Healthcare

Lost mobile devices

Stolen mobile devices

Downloading of viruses and malware

Unintentional disclosure to unauthorized users

Unsecure Wi-fi networks

Source: HealthIT.gov, Mobile Devices: Know the Risks

5 Pillars of Healthcare Security: Technical safeguards defined by the U.S. Department of Health & Human Services (HIPAA Security Rule, 45 CFR 164.312)

Access Control, Audit Control, Integrity, Person or Entity Authentication, Transmission Security

1. Access Control: Limit users' rights to business need-to-know (the minimum necessary for their role)

– Unique User Identification

– Emergency Access Procedure

– Automatic Logoff

– Encryption and Decryption

2. Audit Control: Implement hardware, software, or procedural mechanisms that record and examine access to ePHI

3. Integrity: Implement policies and procedures to protect ePHI from improper alteration or destruction

4. Person or Entity Authentication: Verify that users seeking access to ePHI are who they say they are

– Biometric, smartcard, pin/passcode, token


5. Transmission Security: Prevent unauthorized access to ePHI that is being transmitted over a network.

– Integrity: Prevent modification or tampering of ePHI data in transit

– Encryption: Encrypt ePHI whenever appropriate

BYOD Challenges the 5 Pillars of Security

Audit Control: Difficult to audit mobile activity since doctors may share PHI with patients via email or text messaging apps

Person or Entity Authentication: Every app may have different authentication methods; they may not support biometric or PIN/passcode methods

Transmission Security: Mobile apps may not use strong TLS/SSL cipher suites, or may not encrypt data in transit at all

Access Control: IT must define distinct policies for different users, mobile apps and devices, a management nightmare

Integrity: Controls must be applied to prevent accidental deletion or alteration of PHI from mobile devices

Risks of Uncontrolled Devices

Weak Encryption

No support for strong authentication

Unpatched application

Stores PHI on phone

No auditing of user access

Unpatched phone OS

In violation of HIPAA compliance requirements

IT Management and Training

IT will likely need to help doctors install mobile apps

– They may also need to assist users through upgrades

If apps vary by device, IT will need to provide separate app training for Apple, Android, Microsoft or HTML5 users

Mobile Device Management Not Working

20% of enterprise BYOD programs will fail due to MDM measures that are too restrictive [1]

For IT Teams

30% say MDM is more difficult to use than they anticipated [1]

For Employees

43% worry that employers could access personal data [2]

30% are concerned their employer could control their personal device [2]

[1] 2014 MDM research report by ESG
[2] 2014 Employee BYOD Survey by Zixcorp
[3] Gartner 2014 Mobility Predictions; original quote spelled out BYOD and MDM

VDI Isn’t the Solution for BYOD

Expensive: total cost for Microsoft VDI, Citrix, and hardware is $1,000+ per user [1]

Requires high bandwidth: not designed for the cellular edge or 3G networks

Designed for Windows

VDI Shortcomings

– Not designed for touch

– No multimedia redirection

– No access to camera, printer, video, GPS

[1] Microsoft Desktop OS $187 per user, Citrix $300/user

Virtual Mobile Infrastructure

The Roadmap for Healthcare Security Requires…

Virtual Mobile Infrastructure (VMI)

VMI is a service that hosts mobile apps or full operating systems on remote servers

Provide remote access to:

Android, Apple iOS and Windows Phone with client apps

Any HTML 5-enabled device

Centralize app management to:

Eliminate need to install and upgrade apps on every device

VMI Benefits for Healthcare Providers

Stop data loss by preventing users from downloading data to their device

Lower IT costs by eliminating mobile app management per device

Extend mobile access to all users and devices with an HTML5 browser

Meet compliance by monitoring data access

SierraVMI Keeps PHI Data Safe

SierraVMI Shields Healthcare Data

4096-bit ECDHE Encryption (note: "4096-bit" describes an RSA key size, not the ECDHE exchange, whose curves are 256 to 521 bits; read this as TLS with a 4096-bit RSA certificate key, ECDHE key agreement for forward secrecy, and a symmetric cipher such as AES protecting the session data. Confirm the negotiated protocol versions and cipher suites with a TLS scanner rather than relying on the headline figure.)

Dual factor authentication

SierraVMI:

• Records healthcare app access

• Stores app data securely in the data center

• IT can centrally upgrade mobile apps

SierraVMI Deployment (diagram): SierraVMI hosted in a secure data center, alongside an authentication server and the databases holding PHI; medical professionals connect from laptops, tablets and phones.

Mobile App Virtualization Architecture (diagram)

Components: clients; authentication server; VMI security gateway; Android VM kernel; multi-user Android runtime; Firefall containers (three shown) alongside the hosted apps (PharmaApp, PatientMessaging App, PHIApp)

Benefits:

– Very high density

– Apps can share resources like CPU

– Easy to manage

– No need for expensive storage

Monitor User and Application Activity

Dashboard of system status

Detailed logs of user activity

Geo-tracking

User Monitoring

Record user sessions for forensics

Allow admins to view up to 8 active sessions

Prevent Data Loss

Watermarking deters users from photographing screens

– Watermark all content including documents, video, pictures with no additional overhead

Anti-screen capture prevents users from taking screenshots

With VMI, no data is downloaded to the phone

– Users cannot copy and paste text

Strong Authentication

Prevent unauthorized access with:

– Client certificates

– One-time password (sent via text message; SMS is the weakest delivery channel for an OTP because codes can be intercepted through SIM swapping or SS7 attacks, so prefer an authenticator app or hardware token where the client supports one)

– Restricting access based on geographic location

– Brute force login protection

Ensure only legitimate users access your data
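Added example, not SierraVMI code and not part of the original deck: the safeguards listed under the 5 Pillars (unique user identification, need-to-know access control, automatic logoff, audit control) and on this slide (two-factor authentication, geographic restriction, brute-force login protection) implemented as a small in-memory ePHI gateway in Python. Every user, record, policy constant and the in-memory audit log are constructed for the demo, and the TOTP secret is the RFC 6238 test-vector key. The deck's second factor is an SMS one-time password and its device credential is a client certificate; this example substitutes an RFC 6238 authenticator code as the second factor so it can run offline.

```python
# Added example (not SierraVMI code): a minimal ePHI access gate applying the
# safeguards named on this page. All data and policy constants are constructed.
import base64, hashlib, hmac, secrets, struct
from dataclasses import dataclass, field

MAX_FAILURES, LOCKOUT_SECONDS = 5, 900   # brute-force protection: 5 bad tries locks 15 min
IDLE_LOGOFF_SECONDS = 600                # automatic logoff after 10 idle minutes
ALLOWED_COUNTRIES = {"US"}               # geographic restriction (assumed policy)
ROLE_ACCESS = {"physician": {"chart", "labs", "rx"}, "billing": {"billing"}}  # need-to-know

def totp(secret_b32: str, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HOTP-SHA1 over a 30-second counter)."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the demo dependency-free; prefer argon2id or scrypt in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class User:
    user_id: str            # unique user identification
    role: str               # looked up in ROLE_ACCESS
    salt: bytes
    pw_hash: bytes
    totp_secret: str
    failures: list = field(default_factory=list)  # timestamps of failed logins

class PHIGateway:
    def __init__(self, users, records):
        self.users = {u.user_id: u for u in users}
        self.records = records   # record_id -> (record_type, payload)
        self.sessions = {}       # token -> {"user": user_id, "last_seen": ts}
        self.audit = []          # audit control: every decision is recorded here

    def _log(self, ts, user_id, event, **detail):
        self.audit.append({"ts": ts, "user": user_id, "event": event, **detail})

    def login(self, user_id, password, otp, country, now):
        """Return a session token, or None with the reason written to the audit log."""
        user = self.users.get(user_id)
        if user is None:
            self._log(now, user_id, "login_denied", reason="unknown_user")
            return None
        if country not in ALLOWED_COUNTRIES:
            self._log(now, user_id, "login_denied", reason="geo", country=country)
            return None
        user.failures = [t for t in user.failures if now - t < LOCKOUT_SECONDS]
        if len(user.failures) >= MAX_FAILURES:
            self._log(now, user_id, "login_denied", reason="locked_out")
            return None
        # Evaluate both factors before answering (constant-time compares) so a bad
        # password and a bad OTP are indistinguishable to the caller.
        pw_ok = hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)
        otp_ok = hmac.compare_digest(totp(user.totp_secret, now), otp)
        if not (pw_ok and otp_ok):
            user.failures.append(now)
            self._log(now, user_id, "login_denied", reason="bad_credentials")
            return None
        user.failures.clear()
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user_id, "last_seen": now}
        self._log(now, user_id, "login_ok", country=country)
        return token

    def read_record(self, token, record_id, now):
        """Return the record payload, or None; enforces auto-logoff and need-to-know."""
        sess = self.sessions.get(token)
        if sess is None:
            self._log(now, None, "access_denied", reason="no_session", record=record_id)
            return None
        if now - sess["last_seen"] > IDLE_LOGOFF_SECONDS:
            del self.sessions[token]
            self._log(now, sess["user"], "auto_logoff", record=record_id)
            return None
        sess["last_seen"] = now
        rtype, payload = self.records.get(record_id, (None, None))
        if rtype not in ROLE_ACCESS.get(self.users[sess["user"]].role, set()):
            self._log(now, sess["user"], "access_denied", reason="need_to_know", record=record_id)
            return None
        self._log(now, sess["user"], "access_ok", record=record_id)
        return payload

# Constructed demo data; the TOTP secret is the RFC 6238 test-vector key.
DEMO_PASSWORD = "correct horse battery staple"
DEMO_TOTP_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_SALT = b"demo-salt-not-for-production"

def build_demo_gateway() -> PHIGateway:
    user = User("drlee", "physician", DEMO_SALT,
                hash_password(DEMO_PASSWORD, DEMO_SALT), DEMO_TOTP_SECRET)
    records = {"rec-1": ("chart", "Patient 1001: chart (constructed)"),
               "rec-2": ("billing", "Patient 1001: invoice (constructed)")}
    return PHIGateway([user], records)
```

`build_demo_gateway()` returns a gateway with one physician. `login(...)` yields a token only when the password, the current TOTP code and the client's country all pass and the account is not locked out; `read_record(...)` then enforces idle logoff and role-based need-to-know on every read. Every decision, allowed or denied, lands in `gateway.audit` with a reason, which is the record an auditor would review.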

Single Sign-on to Streamline Management

Directory Services Integration

– Integrate with LDAP, Active Directory or SAML

– Access email, calendar, contacts, and business apps without needing to re-authenticate

– Automate app provisioning

IT Cost Reduction

– Reduce IT helpdesk calls due to forgotten passwords

– Improve user experience by eliminating extra login steps

Simplify and Secure Mobile App Management

Centralized data storage: prevent data loss from device theft

Centralized patch management: eliminate concerns about devices running vulnerable or unpatched software, and regularly scan the Android server for malware and vulnerabilities

SierraVMI Benefits for Healthcare

Compliance: Ensure privacy and prevent data loss

Security: Strong authentication, 4096-bit encryption

Scalability: High user density, high performance