Rx for mthreats in Today s Healthcare Institutions. Daniel W. Berger, President and CEO, Redspin, Inc. P: E: dberger@redspin.

Transcription

1 Rx for mthreats in Today s Healthcare Institutions Daniel W. Berger, President and CEO, Redspin, Inc. P: E: dberger@redspin.com

2 Meaningful Healthcare IT Security Technical Expertise Penetration Testing Web Application Security HIPAA Risk Analysis Mobile/Wireless Security Security Awareness Training Healthcare Experience Conducted HIPAA Security Risk Analysis at ~100 hospitals in past 18 months Soon-to-be published paper: Is PHI Data Security Really Possible in a Mobile World?

3 The Mobility Explosion Devices and Connectivity As of Q1 2012, 50.4% of all U.S. wireless subscribers had a smartphone (Nielsen) Nearly 1/3 of mobile workers use more than 1 mobile device # of public Wi-Fi hotspots doubled in 2011 U.S. tablet users will double this year to ~70 million, about 29% of all internet users (emarketer)

4 The Mobility Explosion Applications and Trends access via mobile rose 36% in past year (Comscore) >500,000 apps in Apple Store, >200,000 in Android Marketplace Lots of cloud services Word documents, spreadsheets, PowerPoints, embedded cameras, JPG, video, etc. Smartphones and Tablets (lightweight O/S) will surpass desktop as primary user interface in enterprise computing by 2015 (Gartner) 80% of doctors use mobile devices, primarily smartphones and tablets (Float Mobile)

5 Social Connectivity: Anyone, Anywhere, Anytime Source: Frost & Sullivan

6 Evolutionary Change? What were once vices are now habits. - The Doobie Brothers

7 BYOD: HYPE OR REVOLUTION? Are your employees armed and dangerous? (They seem like such nice, well-meaning people)

8 Lots of Vendor Propaganda Publication The Ten Commandments of BYOD 10 Mobile Security Requirements for the BYOD Enterprise BYOD in Healthcare Organizations: Top 6 Risks & How to Avoid Them Addressing BYOD Security and Compliance through Mobile Risk Management How to Enable Secure Access for BYOD at Work Rogue Mobile Apps: Trends, Threat Review and Remedies for BYOD Challenge Strong Authentication: Transforming BYOD challenge to BYOD opportunity Vendor Fiberlink Accellion IBM Fixmo Dell SonicWall RiskIQ VASCO Data Security

9 BYOD Became an Olympic Sport

10 The Risks Are Real 37% of U.S. information workers are using BYOD at work before policies are in place Forrester Research, 1/11 46% increase in development of mobile device malicious software 80% of CIO s believe BYOD use increases a company s vulnerability to attack McAfee, 2/11 Ovum 11/10

11 The Threats Are Increasing Mobile Operating System Exploits Source: IBM X-Force Research and Development

12 The Curious Case of PHI

13 The Curious Case of PHI It s meant to be portable Lots of needs for legitimate access Priority is availability, integrity, confidentiality (not CIA) Once breached, nearly impossible to cure Breaches can have serious medical consequences, even life or death A 9% rise in use of smartphones by doctors resulted in a 32% rise in data breach (Manhattan Research, 12/11)

14 Security Crossroads

15 Secure Every Device?

16 Risk Your Career? "I told our CEO he should fire me if this doesn't work Dale Potter, CIO Ottawa Hospital

17 Put the Brakes On? Does Your Policy Allow Employees to Use Personal Mobile Devices for Work? some CIOs need to put the brakes on BYOD initiatives until they can get policies and education in place. State of Mobile Security, InformationWeek, May 2012

18 The Facts of (Mobile) Life Consumer devices are already at work. (Oh yes they are) Employees want to be able to use them for both personal use and work. (So ultimately they will) The risk is already here. (Like, yesterday)

19 We have met the enemy and he is us. - Pogo

20 BYOD Security Risk Analysis

21 Typical Network Security Policies

22 Securing the Data User authentication Encryption VPN Clients Secure /Text messaging Antivirus and Malware Sandboxing Lost or stolen phone/table (remote wipe) Mobile Device Management System - Config control (including security features) - Patch management - Control network use based on user privileges - Integrate into help desk

23 The New Paradigm User Centric Collaborative Device Centric Authoritative

24 Devices Aren t Mobile, Humans Are

25 Securing the People Policy Who s responsible? Legal? HR? IT? Security? Lack of precedence Involve users in creating policy Training All users need education on how to utilize a device on the network as part of a BYOD strategy Intel found 100% employees would accept behaviour modification and training in return for freedom to use devices IT employees also need training on how to deal with specific scenarios

26 Final Thoughts Resistance is Futile Compromise is Inevitable Managing Security = Reducing Risk People are the New Endpoints

27 Employee BYOD Use Survey (Free)