The Expert's View with Terrell Herzig

Mobile Device Security Tips for 2012

Practical Advice for Minimizing Risks

In the healthcare arena, 2011 has been a bad year for data breaches. A quick glance at the Department of Health and Human Services' "wall of shame" that lists major breaches makes it clear that there's been a disturbing rise in the exposure of protected health information. Further analysis of the data shows many of the incidents have involved the loss or theft of unencrypted portable devices, especially laptops, as well as portable storage media, such as backup tapes.

New portable computing devices appear on the market every month, and with them come new ways to access information and transport data. Those of you in IT - in healthcare as well as other business sectors - will report to work shortly after the holidays to find a stack of requests from staff members at your organization to integrate the new devices they received as gifts.

In the spirit of the season, reflecting on the past and looking forward to the future, let's review these devices and the opportunities they present. A few reminders may make the holiday season easier to enjoy by reducing the risks that mobile devices introduce.

Start With an Inventory

The first step is to identify the mobile devices in your organization and how they are being used. While not an easy process, it is a critical starting point. If you cannot determine what devices are being used and how they are being used, you cannot hope to manage them.

If you have your wireless environments locked down, your support desk will probably receive calls from individuals seeking to connect to your network. This can serve as a great source for identifying who is actively working with portable devices (or trying to bring new devices into the workplace).

If your organization provides mobile devices for workforce use, a quick inventory will help get this process rolling. Users who want to carry files on their devices will try to sync them with their work computers, so the sync activity on those computers is another source of inventory data. The right tools and reports extend your ability to identify devices and how they are being used.

Build Use Cases

Once you have identified the types of mobile devices and have an idea for how they are currently being used, seek to understand how your customers intend to use them. View this as a good time to reach out to staff members to form work groups to build use cases. Building use cases will provide you with vital information to establish a minimum baseline for appropriate security controls. It will also help identify volunteers and opportunities to test the use cases you just identified.

Spend some time analyzing this data. It is invaluable for a variety of reasons. First, it helps you identify the different methods your customers will want to use when interfacing with mobile devices. Second, it provides insight into the different data needs of your community of users, and you can use this insight to better manage your data.

Finally, just as one device is incapable of solving all problems, no one set of security controls will adequately protect the device for all identified use cases. Well-defined use cases will provide valuable information to tailor security controls and ensure a better user experience with the device.

Importance of Education

With the above-mentioned opportunities to engage staff members throughout your organization, don't forget to take advantage of the opportunity to educate them. Many organizations underestimate the power of education when discussing security.

Everyone has read that the employee is the highest risk to the organization when it comes to information security. Ever wonder why? I won't debate the underlying psychology of what motivates people to be good or bad. I simply observe that most people want to comply with organizational policies and procedures. Most people want to do the right thing; they simply don't know what constitutes appropriate behavior.

Mobile devices are marketed to individuals as tools to organize their lives. A great deal of this life is spent in the work environment. Most people don't understand the ramifications of a lost or stolen device or how to get the most out of their devices. And they think that their organization's IT department or the manufacturer has already built the security into the device and its support structure.

Considering these factors, the end of the year is a perfect opportunity to educate our workforce and help them understand that information security officers are not layering security products on their devices in an effort to be a holiday Grinch who's reducing the effectiveness of the devices. We simply want to protect both our workforce and the organization against undue risk.

Terrell Herzig is information security officer at UAB Health System, Birmingham, Ala., where he also serves as HIPAA security officer. The system operates a 1,000-bed hospital plus numerous outpatient facilities.

About the Author

Terrell Herzig

Former CISO, UAB Medicine

Herzig was a national expert on healthcare privacy and information security, mobile device security, and disaster recovery. At UAB he headed a team of security specialists at the delivery system, which includes a 1,000-bed hospital and numerous outpatient facilities throughout the state. During his tenure at UAB, he also served as director of Information Technology for the Civitan International Research Center and director of Informatics for the Pittman General Clinical Research Center. Mr. Herzig also consulted on numerous informatics projects with external groups, including Southern Nuclear and the US Army Medical Command. He is editor of the book "Information Security in Healthcare: Managing Risk," published by the Healthcare Information and Management Systems Society.