In the healthcare arena, 2011 has been a bad year for data breaches. A quick glance at the Department of Health and Human Services' "wall of shame" that lists major breaches makes it clear that there's been a disturbing rise in the exposure of protected health information. Further analysis of the data shows many of the incidents have involved the loss or theft of unencrypted portable devices, especially laptops, as well as portable storage media, such as backup tapes.
New portable computing devices appear on the market every month, and with them come new ways to access information and transport data. Those of you in IT - in healthcare as well as other business sectors - will report to work shortly after the holidays to find a stack of requests from staff members at your organization to integrate the new devices they received as gifts.
In the spirit of the season, reflecting on the past and looking forward to the future, let's review these devices and the opportunities they present. A few reminders may help reduce the risk of using mobile devices and make the holiday season easier to enjoy.
Start With an Inventory
The first step is to identify the mobile devices in your organization and how they are being used. While not an easy process, it is a critical starting point. If you cannot determine what devices are being used and how they are being used, you cannot hope to manage them.
If you have your wireless environments locked down, your support desk will probably receive calls from individuals seeking to connect to your network. This can serve as a great source for identifying who is actively working with portable devices (or trying to bring new devices into the workplace).
If your organization provides mobile devices for workforce use, a quick inventory will help get this process rolling. Users seeking to carry files on the devices will try to sync them with their work computers. Proper tools and reports can extend your capability of identifying devices and how they are being used.
Build Use Cases
Once you have identified the types of mobile devices and have an idea of how they are currently being used, seek to understand how your customers intend to use them. This is a good time to reach out to staff members and form work groups to build use cases. Building use cases will provide you with the information needed to establish a minimum baseline of appropriate security controls. It will also help identify volunteers and opportunities to test the use cases you have just identified.
Spend some time analyzing this data. It is invaluable for a variety of reasons. First, it helps you identify the different methods your customers will want to use when interfacing with mobile devices. Second, it provides insight into the different data needs of your community of users, and you can use this insight to better manage your data.
Finally, just as one device is incapable of solving all problems, no one set of security controls will adequately protect the device for all identified use cases. Well-defined use cases will provide valuable information to tailor security controls and ensure a better user experience with the device.
Importance of Education
With the above-mentioned opportunities to engage staff members throughout your organization, don't forget to take advantage of the opportunity to educate staff. Many organizations underestimate the power of education when discussing security.
Everyone has read that the employee is the highest risk to the organization when it comes to information security. Ever wonder why? I won't debate the underlying psychology of what motivates people to be good or bad. I simply observe that most people want to comply with organizational policies and procedures. Most people want to do the right thing; they simply don't know what constitutes appropriate behavior.
Mobile devices are marketed to individuals as tools to organize their lives. A great deal of this life is spent in the work environment. Most people don't understand the ramifications of a lost or stolen device or how to get the most out of their devices. And they think that their organization's IT department or the manufacturer has already built the security into the device and its support structure.
Considering these factors, the end of the year is a perfect opportunity to educate our workforce and help them understand that information security officers are not layering security products on their devices in an effort to be a holiday Grinch who's reducing the effectiveness of the devices. We simply want to protect both our workforce and the organization against undue risk.
Terrell Herzig is information security officer at UAB Health System, Birmingham, Ala., where he also serves as HIPAA security officer. The system operates a 1,000-bed hospital plus numerous outpatient facilities.