Mobile Device Mgmt Healthcare Whitepaper

LANDesk White Paper

Discover, Extend, Secure and Empower

Mobile Device Management for Healthcare

LANDesk White Paper | Mobile Device Management for Healthcare

To the maximum extent permitted under applicable law, LANDesk assumes no liability whatsoever, and disclaims any express or implied warranty, relating to the sale and/or use of LANDesk products including liability or warranties relating to fitness for a particular purpose, merchantability, or infringement of any patent, copyright or other intellectual property right, without limiting the rights under copyright.

LANDesk retains the right to make changes to this document or related product specifications and descriptions, at any time, without notice. LANDesk makes no warranty for the use of this document and assumes no responsibility for any errors that can appear in the document nor does it make a commitment to update the information contained herein. For the most current product information, please visit www.landesk.com.

Copyright © 2012, LANDesk Software, Inc. and its affiliates. All rights reserved. LANDesk and its logos are registered trademarks or trademarks of LANDesk Software, Inc. and its affiliates in the United States and/or other countries. Other brands and names may be claimed as the property of others.

LSI-1017-EN 02/12 MS/BB/AZUU

Contents

Introduction

Daunting Challenges for Healthcare IT

The Solution: Discover, Extend, Secure and Empower

Policy, Tools and Education

Policy

Education

Mobile Device Management Tools

LANDesk Advantages

Conclusion

Introduction

Mobile devices have taken off in healthcare organizations, where doctors and other medical staff use smart phones and tablets to access everything from email to health reference materials, electronic health records, medical imaging, and patient survey applications. Mobile devices perform a host of medical, technical, and administrative functions, including communicating medical information to patients and families. Thanks to the freedom and fast information access enabled by wireless communications, tablets have even begun to replace patient workstations for accessing and entering patient care information in IT healthcare applications.

A recent survey by Manhattan Research found that 75 percent of American physicians own some kind of Apple mobile device and 81 percent use some kind of smart phone—Apple or non-Apple—up from 72 percent the previous year.[1] Thirty percent of doctors use iPads to access EHRs (electronic health records), view radiology images, and communicate with patients. An additional 28 percent plan to buy an iPad within the next six months, according to the report. Other studies have found similar results among nurses and other healthcare employees and have linked use of mobile devices with job satisfaction.

The benefits of mobile devices in healthcare are significant. Healthcare professionals can collaborate and access information wherever and whenever the need arises, rather than having to wait to get to a conference room desk phone, PC, workstation, or file cabinet. The result is faster, often better decisions and more efficient patient care.

As with business enterprises, healthcare institutions are undergoing the consumerization of IT. Rather than looking to IT for mobile devices and connectivity, healthcare professionals increasingly take their personal iPhones, iPads, and other mobile devices to work and expect to be able to use them freely in the medical care environment. Corporate-procured Blackberry smart phones and even workstations, laptops, and desktops are giving way to user-owned iPhones and iPads. With more and more medical schools integrating mobile devices into the curriculum as well, it’s likely that mobile device use in healthcare environments will continue to grow and job choice and satisfaction among younger health professionals will increasingly be tied partially to the use of the latest mobile technology.

[1] Taking the Pulse U.S. Annual Market Research Study v11.0, Manhattan Research, May 4, 2011

Daunting Challenges for Healthcare IT

Mobile devices and platforms represent significant challenges for healthcare IT, however. Regulations such as HIPAA and HITECH require healthcare organizations to take responsibility for managing, securing, and protecting confidential patient information and for reporting any breaches that take place. The consequences of a breach can be immense, including steep fines and devastating publicity, not to mention the significant costs incurred in understanding what was breached, who saw the data, risks, and remediation.

Unfortunately, without the right kind of guidance and management, personal mobile devices can cause absolute chaos when it comes to confidentiality. Challenges include:

Asset Lifecycle Management—When users feel free to bring their own devices to work, it can be difficult or sometimes impossible to discover, track, and secure them against the constantly changing threat landscape.

User Management—IT can’t depend on doctors and staff to use their devices wisely, as many are ignorant of device security, privacy, and compliance risks, not to mention how to protect mobile devices and the information stored on them from hackers and theft.

Many unwittingly store confidential information on their tablets or smart phones without any encryption or other form of protection, or use them to send and receive email and file attachments containing sensitive information. Others use file sharing applications such as DropBox to store and transmit information or unsecured personal email services that lie outside of the institution’s messaging and security infrastructure. Users may also take advantage of unsecured wireless WiFi connections in coffee shops, hotels, and other environments to transmit information, not knowing that hackers regularly frequent these establishments to penetrate the devices of unwitting users.

Other hazards are caused by users unknowingly downloading malware-laden mobile applications, accessing infected Web sites, or using text messaging in ways that introduce malware into their devices or open doors for hackers to penetrate devices, networks, and centralized data stores.

Device Loss and Theft—Mobile device loss and theft, including those involving laptops, are the single greatest cause of data breaches at large healthcare organizations, far more common than hacking incidents.

Platform Complexity—While servers, PCs, and laptops run on a few longstanding, seasoned operating systems familiar to IT, mobile devices run on a variety of newer, less seasoned operating systems, including iOS and Android. The newness and openness of Android represents a particularly thorny security problem for IT, with Android devices under increasing attack in the past several months.

The Solution: Discover, Extend, Secure and Empower

Unfortunately, simply forbidding or severely restricting mobile or personal devices in the work place is not an option for healthcare institutions if they seek to hire and retain younger, tech-savvy doctors and medical personnel or compete with their more technologically advanced cohorts. Not to mention that many employees are likely to bring in their mobile devices anyway and use them as they wish. Simply forbidding these devices makes it impossible to manage and secure them–and the information they contain.

Instead, the solution for most healthcare organizations today is to embrace their employees’ mobile devices and platforms and use the right combination of policy, education, and effective tools to manage, secure, and protect confidential information.

In order to do so, IT needs to accomplish several tasks:

Know what you have—First, IT must have a clear picture of what mobile devices and mobile device platforms are used by employees. This can be a difficult task when workers bring in personal devices for both work and personal use. Most likely IT will need to meet with each department in the organization to get a feel for what devices are being used. It’s important to strike a positive attitude that lets users know that the goal is to embrace, empower, and secure mobile devices, not restrict them or punish their users.

Know how mobile devices are used—Are employees using their mobile devices to access organization email, electronic medical records, private patient information, patient surveys? Are they accessing personal email services, social networks, potentially insecure Web sites? Are they storing patient information on their devices? Are they downloading consumer applications? Do they have any awareness of the need for and ways to protect confidential patient information on these devices? Are they using public WiFi services?

Know your data—What healthcare information must have maximum protection? Where is it stored, and how is it accessed? What data needs a medium level of protection? Who should have access to this data and who should not?

Know your infrastructure and its vulnerabilities—How does the organization protect confidential information today? Where are the unique vulnerabilities posed by mobile devices and which of these are the most hazardous?

Know the risks—What are the overall and unique security risks of each mobile device platform? What are the risks of patient information breaches caused by storing user data on mobile devices, or by using personal email, public WiFi, or personal applications? What are the likely threats to your organization’s mobile devices and confidential information? If a breach were to happen, what would the likely costs be to the organization? It’s important to factor in less tangible yet genuine costs such as damage to the institution’s reputation or remediation costs of a breach.

Policy, Tools, and Education

Once IT has a handle on the use and risks of mobile platforms in the organization, the next step is to craft a strategy for mobile platform security and data protection.

Sometimes the best way to craft a strategy that balances the mobile needs of employees with the compliance, security, and data privacy needs of the organization is to form a mobile security strategy task force that includes representatives from IT, affected departments, and legal counsel.

Most effective mobile device security strategies consist of a combination of policy, education, and tools.

Policy

Your mobile security policy should integrate with your overall organizational security strategy. Organizations should already have policies in place that spell out which employees and employee roles are permitted access to which categories of information and what they are allowed to do with it, including emailing or sharing it digitally in other ways.

Your mobile security policy should add policies that spell out:

- Which mobile platforms, such as laptops, tablets, and smart phones, and which operating systems, such as iOS and Android, are permitted in the healthcare environment and who is permitted to use them.

- Requirements for users to register their mobile devices with IT.

- What information if any can be stored on employees’ mobile devices and what protections such as passwords, encryption, VPNs, backup, etc. need to be implemented to protect this information.

- Rules for accessing the Web over mobile devices and downloading and using health and non-health related applications. Some organizations may want to publish a list of approved and unacceptable mobile applications or even provide their own organization app store where users can download new applications.

Users should also be put on notice to:

- Always keep mobile devices within their sight.

- Report device loss or theft to appropriate staff immediately. Mobile device users are known to spend hours or even days trying to locate missing devices before reporting their loss.

- Never share their devices or device passwords with anyone else.

- Never connect to the corporate network or transmit healthcare information of any type over insecure WiFi networks without using virtual private networking or other tools that secure data in transit.

- Never transmit sensitive information over unsecured personal email or data sharing services, either in the form of text, attachments, or information cut and pasted from sensitive documents.

- Keep Bluetooth out of discovery mode when not in use.

- Understand that jailbroken smart phones or tablets will never be allowed in the organization.

IT should also have policies for locating and wiping lost or stolen mobile devices and protecting mobile devices from malware. As with any other IT assets, policies should be in place for addressing security when employees leave the organization.

Education

Policy is not very useful if it’s not backed up with an effective employee education program. Mobile device users must be educated in depth about the security challenges posed by mobile devices in the work environment and proper measures they must take to address them. They should understand the hazards of device loss and theft, data leakage, and malware, as well as the data security and privacy requirements and related penalties of HIPAA, HITECH, and any other relevant regulations.

It’s important to demonstrate in a tangible way just how damaging breaches can be by relating stories about organizations that have been breached and the actual devastating financial and other impacts of those breaches. Keep users aware of breaches that make the news. Make sure you repeat education on an ongoing basis and educate new employees and mobile platform users as soon as possible.

Users must also be educated at least annually about your organization’s mobile security policies and the user responsibilities spelled out by them, as well as any penalties that can result from disobeying security policies. If you don’t want users simply tuning out and doing as they please, make sure you balance this education with a positive attitude that recognizes users’ needs and the obvious benefits of mobile platforms.

Mobile Device Management Tools

Policies must not only be spelled out, they must be enforced. Unfortunately, users tend to do things for the sake of convenience that run counter to your organization’s security policies. That’s why it’s important to put the appropriate tools in place to enforce company policies and to discover, manage, and secure mobile platforms.

The first line of defense in any environment incorporating mobile devices and platforms is an enterprise mobile device management (MDM) solution. MDM systems provide a host of tools for identifying, managing, and securing mobile platforms of all types and their users. Some of the features of an effective mobile device management platform include:

Discovery—The ability to discover all mobile devices and platforms that connect to the corporate network and create a device inventory database that can be used to manage these platforms over their entire lifecycle. The application should not permit users to connect their devices to the network or messaging systems until they are approved and properly registered with the MDM system. The MDM system should be able to easily grandfather existing platforms as well.

Extended Hardware and Software Inventory—including memory, batteries, installed applications, policies, and network information.

Mobile Platform Diversity—The best mobile device management systems cover all the most popular mobile platforms and operating systems, including Blackberry, Apple, and Android tablets and smart phones, and can take advantage of each mobile platform’s native OS policies, security features, and other capabilities.

Easy Self Enrollment—Users are able to enroll with the network directory, such as Active Directory, and the MDM system themselves after which the system configures the user and device and implements appropriate security policies automatically. Some MDM systems provide access to a company app store, similar to Apple’s app store, where users can download a management agent and other approved applications and enroll without the help of IT.

Zero-Touch Management—The ability to execute management functions, including software distribution, WiFi and messaging configuration, and administrator updates across mobile platforms from a central console, without any need for physical access to the devices themselves.

Workforce Segmentation—based on user roles, responsibilities, and corporate policies, with appropriate control of access to corporate information, content, and applications based on these roles. This MDM solutions element helps organizations implement a solution that is not a one-size-fits-all model, allowing effective segmentation based on the role of the end user within your organization.

Self Service Application and Content Portal—Some MDM platforms offer secure corporate portals that enable employees to access approved and in-house applications, as well as files, videos, and other safe information and resources the organization desires to make available to mobile users. In environments that require the absolute highest level of confidentiality, it’s useful for the MDM system to have the option of streaming all content to each device so that confidential information is never stored there and susceptible to theft or loss.

Phone Location—The ability to track and report device locations and provide a location history that can be useful in tracing the device in case of loss or theft.

Remote Lock, Password Reset, and Wipe—The ability to automatically lock a lost or stolen device remotely and eliminate any sensitive information stored on it.

Remote Notification—that can alert all device users to the availability of new resources and any required user actions through its own application portal.

Jailbreak and Rooting Detection—The ability to detect jailbroken or rooted mobile devices to determine if the device is compliant, if any action should be taken, or any policies should be invoked.

A Controlled Browser—for launching links and limiting sites users can access based on corporate policy and security and compliance requirements.

Encryption—of any sensitive information in transit and at rest.

LANDesk Advantages

Several MDM solutions are available on the market today, each with its own set of features and capabilities. LANDesk® Mobility Manager stands out as a market-leading solution from a software vendor that can boast 25 years of stability, experience, and IT systems management expertise controlling and managing desktops and laptops—and more recently the multiple mobile devices users increasingly carry.

LANDesk Mobility Manager offers the best of both worlds—the ability to apply discovery, inventory, security, and management capabilities to mobile devices from a single, easy-to-use console, while enabling IT to offer self-service options to users within the LANDesk application portal. This portal serves as a repository for apps, files, videos, and other corporate resources that your users can access without submitting to, or resorting to the horizontal app stores such as iTunes and Android Marketplace. This capability is essential to controlling and securing applications in a healthcare environment.

Organizations can use the same LANDesk console and database to manage smart phones and tablets that they use to manage desktops and laptops. This level of integration translates into significant total-cost-of-ownership advantages. According to IDC, the use of LANDesk as a comprehensive hardware and end-user management system can save more than $23,000 per 100 users per year.[2]

There’s no need for IT to develop a relationship with another management vendor and provide the requisite training and resources for an entirely new platform, with its own unique issues and quirks.

[2] Gaining Business Value and ROI with LANDesk Software: Automated Change and Configuration Management, IDC, January 2011

As shown below, LANDesk Mobility Manager simply installs on top of a LANDesk Management Suite 9 core server, plus the addition of the cloud-facing components in the DMZ and the LANDesk mobile device management server. The same, familiar console is used to manage the new devices.

Conclusion

Mobile device platforms in medical environments are here to stay given the advantages for patient care that are impossible to ignore. At the same time, patient privacy and confidentiality requirements of HIPAA, HITECH, and other regulations present significant challenges to the use of mobile platforms in a secure fashion that protects patient confidentiality and ensures compliance.

Mobile Device Management platforms provide one of the principal ways to meet these challenges while empowering healthcare employees with all the convenience and patient care advantages today’s mobile platforms offer. With LANDesk, the user is the endpoint, not the device. A user-centered, policy-based approach is more logical and far less cumbersome than a device-centered approach in today’s typical work environments where each user connects to the network with multiple devices.

LANDesk Mobility Manager provides a full-featured, integrated mobile platform management solution. Healthcare institutions can manage and secure all their users’ desktops, laptops, and mobile devices effectively for the lowest possible capital and operating costs.