Rx for mThreats in Today’s Healthcare Institutions
TRANSCRIPT
Daniel W. Berger, President and CEO, Redspin, Inc.
P: 805.576.7158 E: [email protected]
Healthcare Experience
• Conducted HIPAA Security Risk Analysis at ~100 hospitals in past 18 months
• Soon-to-be published paper: “Is PHI Data Security Really Possible in a Mobile World?”
Meaningful Healthcare IT Security ®
Technical Expertise
• Penetration Testing
• Web Application Security
• HIPAA Risk Analysis
• Mobile/Wireless Security
• Security Awareness Training
The Mobility Explosion
• As of Q1 2012, 50.4% of all U.S. wireless subscribers had a smartphone (Nielsen)
• Nearly 1/3 of mobile workers use more than 1 mobile device
• # of public Wi-Fi hotspots doubled in 2011
• U.S. tablet users will double this year to ~70 million, about 29% of all internet users (eMarketer)
Devices and Connectivity
The Mobility Explosion
• Email access via mobile rose 36% in past year (Comscore)
• >500,000 apps in Apple Store, >200,000 in Android Marketplace
• Lots of cloud services
• Word documents, spreadsheets, PowerPoints, embedded cameras, JPG, video, etc.
• “Smartphones and Tablets (lightweight O/S) will surpass desktop as primary user interface in enterprise computing by 2015” (Gartner)
• “80% of doctors use mobile devices, primarily smartphones and tablets” (Float Mobile)
Applications and Trends
Social Connectivity: Anyone, Anywhere, Anytime
Source: Frost & Sullivan
Evolutionary Change?
“What were once vices are now habits.” - The Doobie Brothers
BYOD: HYPE OR REVOLUTION?
Are your employees armed and dangerous?
(They seem like such nice, well-meaning people)
Lots of Vendor Propaganda
Publication | Vendor
The Ten Commandments of BYOD | Fiberlink
10 Mobile Security Requirements for the BYOD Enterprise | Accellion
BYOD in Healthcare Organizations: Top 6 Risks & How to Avoid Them | IBM
Addressing BYOD Security and Compliance through Mobile Risk Management | Fixmo
How to Enable Secure Access for BYOD at Work | Dell SonicWall
Rogue Mobile Apps: Trends, Threat Review and Remedies for BYOD Challenge | RiskIQ
Strong Authentication: Transforming BYOD challenge to BYOD opportunity | VASCO Data Security
BYOD Became an Olympic Sport
The Risks Are Real
37% of U.S. information workers are using BYOD at work before policies are in place
– Forrester Research, 1/11
46% increase in development of mobile device malicious software
– McAfee, 2/11
80% of CIOs believe BYOD use increases a company’s vulnerability to attack
– Ovum 11/10
The Threats Are Increasing
Source: IBM X-Force Research and Development
Mobile Operating System Exploits, 2006-2011
The Curious Case of PHI
• It’s meant to be portable
• Lots of needs for legitimate access
• Priority is availability, integrity, confidentiality (not CIA)
• Once breached, nearly impossible to cure
• Breaches can have serious medical consequences, even life or death
• A 9% rise in use of smartphones by doctors resulted in a 32% rise in data breach (Manhattan Research, 12/11)
The Curious Case of PHI
Security Crossroads
Secure Every Device?
“I told our CEO he should fire me if this doesn't work.” - Dale Potter, CIO, Ottawa Hospital
Risk Your Career?
Does Your Policy Allow Employees to Use Personal Mobile Devices for Work?
“… some CIOs need to put the brakes on BYOD initiatives until they can get policies and education in place.”
“State of Mobile Security,” InformationWeek, May 2012
Put the Brakes On?
The Facts of (Mobile) Life
• Consumer devices are already at work. (Oh yes they are)
• Employees want to be able to use them for both personal use and work. (So ultimately they will)
• The risk is already here. (Like, yesterday)
“We have met the enemy and he is us.” - Pogo
BYOD Security Risk Analysis
Typical Network Security Policies
Securing the Data
• User authentication
• Encryption
• VPN clients
• Secure email/text messaging
• Antivirus and anti-malware
• Sandboxing
• Lost or stolen phone/tablet (remote wipe)
• Mobile Device Management system
  - Config control (including security features)
  - Patch management
  - Control network use based on user privileges
  - Integrate into help desk
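The controls above only reduce risk when something enforces them before a device touches PHI. The following script is an added illustration, not code from the deck or from Redspin, of how an MDM-style gate can combine the listed controls (device authentication, encryption, antivirus currency, patch age, MDM enrolment for remote wipe and config control) with the "control network use based on user privileges" item: a compliant device gets the network segments its owner's role allows, a non-compliant device is held on a PHI-free quarantine segment, and a jailbroken device gets nothing. The role names, segment names, 30-day patch threshold, reference date and device records are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple


@dataclass
class DevicePosture:
    """Constructed snapshot of what an MDM agent would report for one device."""
    device_id: str
    role: str               # who carries it: "clinician", "administrator" or "contractor"
    mdm_enrolled: bool      # under the MDM system (config control, remote wipe available)
    disk_encrypted: bool    # storage encryption on
    passcode_set: bool      # user authentication on the device itself
    antivirus_current: bool # antivirus / anti-malware signatures up to date
    os_patch_date: date     # date of the last security patch applied
    jailbroken: bool        # rooted/jailbroken devices defeat sandboxing and MDM controls


# Constructed policy values; a real programme derives these from its risk analysis.
MAX_PATCH_AGE_DAYS = 30
ROLE_SEGMENTS: Dict[str, Set[str]] = {
    "clinician": {"guest-wifi", "email", "ehr"},     # EHR segment is where PHI lives
    "administrator": {"guest-wifi", "email"},
    "contractor": {"guest-wifi"},
}
QUARANTINE_SEGMENTS: Set[str] = {"guest-wifi"}       # no PHI reachable from here


def missing_controls(device: DevicePosture, today: date) -> List[str]:
    """Return every control from the policy list that the device fails."""
    problems: List[str] = []
    if device.jailbroken:
        problems.append("jailbroken/rooted")
    if not device.mdm_enrolled:
        problems.append("not enrolled in MDM (no remote wipe or config control)")
    if not device.disk_encrypted:
        problems.append("storage not encrypted")
    if not device.passcode_set:
        problems.append("no device passcode")
    if not device.antivirus_current:
        problems.append("antivirus/malware signatures out of date")
    if (today - device.os_patch_date).days > MAX_PATCH_AGE_DAYS:
        problems.append("OS patches older than %d days" % MAX_PATCH_AGE_DAYS)
    return problems


def grant_segments(device: DevicePosture, today: date) -> Tuple[Set[str], List[str]]:
    """Decide which network segments the device may use, plus the reasons.

    Jailbroken -> no access at all (the other controls cannot be trusted).
    Any other missing control -> quarantine segment only (PHI stays unreachable).
    Fully compliant -> whatever the owner's role is allowed.
    """
    problems = missing_controls(device, today)
    if "jailbroken/rooted" in problems:
        return set(), problems
    if problems:
        return set(QUARANTINE_SEGMENTS), problems
    return set(ROLE_SEGMENTS.get(device.role, QUARANTINE_SEGMENTS)), problems


# Constructed reference date and device inventory for the demonstration.
TODAY = date(2012, 9, 1)
SAMPLE_DEVICES = [
    DevicePosture("ipad-0412", "clinician", True, True, True, True, date(2012, 8, 20), False),
    DevicePosture("android-0931", "clinician", True, False, True, True, date(2012, 8, 25), False),
    DevicePosture("iphone-1177", "administrator", True, True, True, True, date(2012, 6, 1), False),
    DevicePosture("android-2204", "contractor", False, True, False, False, date(2012, 8, 30), True),
]


def evaluate_all(devices: List[DevicePosture], today: date = TODAY) -> Dict[str, Tuple[Set[str], List[str]]]:
    """Run the gate over an inventory; keyed by device id for reporting."""
    return {d.device_id: grant_segments(d, today) for d in devices}


if __name__ == "__main__":
    for dev_id, (segments, problems) in evaluate_all(SAMPLE_DEVICES).items():
        print(dev_id, sorted(segments) or "DENIED", problems)
```

The point of the structure is that the decision is made from the device's posture and the user's role together: the encrypted, patched clinician tablet reaches the EHR segment, the same clinician's unencrypted phone is parked on guest Wi-Fi until it is fixed, and the rooted contractor handset is refused outright. Feeding the `problems` list to the help desk closes the "integrate into help desk" item, since the user is told exactly which control to remediate.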
The New Paradigm
User Centric
Device Centric
Collaborative
Authoritative
Devices Aren’t Mobile, Humans Are
Securing the People
• Who’s responsible? Legal? HR? IT? Security?
• Lack of precedent
• Involve users in creating policy
• All users need education on how to utilize a device on the network as part of a BYOD strategy
• Intel found 100% of employees would accept behaviour modification and training in return for freedom to use devices
• IT employees also need training on how to deal with specific scenarios
Policy
Training
Final Thoughts
• Resistance is Futile
• Compromise is Inevitable
• Managing Security = Reducing Risk
• People are the New Endpoints
Employee BYOD Use Survey (Free)
http://mobile.redspin.com