= AUDIO. The Importance of Mobile Device Management in HIT. An Important Reminder. Mission of OFMQ 12/9/2015

Transcription

1 The Importance of Mobile Device Management in HIT Mario Cruz OFMQ Chief Information Officer An Important Reminder For audio, you must use your phone: Step 1: Call (866) Step 2: Enter code #. Step 3: Mute your phone!!! = AUDIO 2 Mission of OFMQ OFMQ is a not for profit, consulting company dedicated to advancing healthcare quality. Since 1972, we ve been a trusted resource through collaborative partnerships and hands on support to healthcare communities. 1

2 OFMQ Areas of Expertise Analytics Case Review Education IT Consulting Health Information Technology National Quality Measures Quality Improvement HIT Service Lines Security Risk Assessment Level 1, 2, and 3 Meaningful Use Assistance Meaningful Use Audit Support Risk Management Consulting and Development Staff IT Security Training Website Development & Secure IT Consulting Mario Cruz Mario is the Chief Information Officer at OFMQ and has more than 15 years of IT experience in applications development and engineering, systems architecture, Mario has extensive expertise in IT Security and has conducted and participated in multiple FISMA security audits. Currently, he provides HIPAA and IT Security consultative services for various Healthcare Providers throughout the region and serves as technical lead for various organizational healthcare initiatives. 2

3 Topics Statistics Mobile Device Uses, Risks, and Value Protecting Mobile Devices Mobile Device Management Options Action Items Interesting Statistics 2/3 of Americans utilize a smartphone (PEW) 97% of mobile apps have access to private data without appropriate security (Symantec) 60% of malware attacks targeted small and medium sized businesses (Symantec) Mobile device exploits make up a small percentage of recorded incidents (Verizon) Top Causes of Data Breach 3

4 Healthcare Breach Statistics Between 2010 and 2014, 68% of data breaches were a result of device theft or loss (Bitglass) As of (HHS) 242 reported breaches affecting 500+ individuals 58 (24%) of those involved a laptop or other portable electronic device 2 of 5 breaches involving Oklahoma healthcare providers were the result of a lost/stolen laptop Over 120 Million Records account for 68% of all records breached across all industries (ITRC) What are Mobile Devices? Any device that is taken offsite that has the capability of storing and/or transmitting information Laptops Tablets Phones/Smart Phones Flash Drives Recording Devices How are They Used in Healthcare? Communication with clinical staff Direct access to EHR Direct access to clinical tools & resources Generation and capture of reports Personal Use Facebook Pinterest News 4

5 What are the Risks? Volume of Data Available on Devices Type of Data Available on Devices Demand and Value of PHI Ease of Loss and Theft Demand and Value of Devices Lack of Default Controls for Protection How is Information Extracted? Direct access to device memory Connect device like a USB stick Connect device as hard drive using over the counter products Software & Free Utilities Free software to access deleted items Free software to crack device passcodes Free software to bypass security mechanisms How is Information Used? Identity Theft Obtain Credit File False Tax Returns Submit False Claims Obtain Prescriptions Impersonation in other Countries Extortion 5

6 What is Health Data Worth? Worth times more than a credit card (Reuters) Great Return on Investment Info can be used repeatedly Single chart worth as much as $50 (FBI Notification) Compare to Credit card number with one time use at a black market price as low as $0.99 Protecting Mobile Devices Encrypt #1 simplest safeguard to implement In most cases, encrypted devices do not require breach notification if lost/stolen. Strong Password Protect Require passcode on all mobile devices Require password for device entry access Require password for secure software access Utilize Layered Protection Device firewalls Antivirus Antimalware Tracking software Remote erase Auto erase Protecting Laptops Utilize Full Disk Encryption McAfee, Sophos, Symantec, CheckPoint, BitLocker Password Protect BIOS Utilize Strong Passwords 8 character (Uppercase, Lowercase, Number, Special Character) Minimum Utilize Antivirus, Anti Malware, Firewall Do not utilize an account with Administrator level rights Utilize Remote Management Software MaaS360, Airwatch, Enterprise Management Software Utilize Recovery Software LoJack, GadgetTrak 6

7 Protecting Smartphones Require Passcode Utilize Encryption Built in to many devices + 3 rd party apps Use Secure Messaging Apps TigerText, EHR Apps, Spok, qliqsoft Utilize Mobile Device Management Software Utilize AV Software Not all devices supported Don t Text about Patients Protecting Portable Storage Devices/Voice Recorders Utilize Encrypted Flash Drives Iron Key, Kingston Data Traveler, Imation Defender Enable Auto Erase Features Utilize Strong Passwords 12 character (Uppercase, Lowercase, Number, Special Character) Minimum Utilize Encrypted Digital Recorders Encrypt Contents Prior to Transport Mobile Device Management Software designed to centrally manage devices Provides tools to establish baseline configurations Passcodes, Encryption, Restrictions, Applications, etc. Provides tools for remote administration Tracking, Erasing, Communication, Support, Application Administration Provides assurance of configuration and security Provides baseline security 7

8 Mobile Device Management OEM Apple Apple Configurator Apple only Free Small Business Solution Small Number of Devices Limited Functionality Manual Tool Set passcode, restrictions, enable/disable features, , and apps Limited Remote Management Relatively Easy to Use Android Mobile Management Android for Work Google Apps Free to Google Apps Users (Paid Service) Wide support for a variety of devices Set passcode, restrictions, enable/disable features, , and apps Full Remote Administration and Management Requires some IT Know how Mobile Device Management Mail Server Options Exchange/Office 365 ActiveSync Built in tools for free management of devices Configure minimum requirements for accessing corporate resources (mail, contacts, calendar) Enforce Encryption, Passcode Policies, Remote Wipe/Administration(limited) Technically Free Google Mobile Management Similar to ActiveSync Set passcode, restrictions, enable/disable features, , and apps Full Remote Administration and Management Requires some IT Know how Free to Google Apps Users Mobile Device Management 3 rd Party Solutions Subscription base solutions pricing per device Full management, tracking, and remote administration of devices Control apps, content, real time tracking, wiping, and configuration Free $10 per device depending on functionality Most are Cloud based Can get extremely granular Vendors include MaaS360, AirWatch, MobileIron, Good, Sophos, Blackberry, Dell, Miradore, Meraki 8

9 Action Items Encrypt All Mobile Devices Utilize Remote Management Tools Enforce Strong Password Policies Account for all Personal & Corporate Devices Reduce Risk in Organization Document your Mobile Device Policies Follow the Trend Contact OFMQ for More Information Questions? We Are Here To Help! Call: (405) Visit: Free HIT Workshops HIT Workshop #2 Jan 19, 2016 Tulsa Tech Conf Center Owasso Campus HIT Workshop #3 March 2, 2016 Ardmore Convention Center Register at webex 9

10 Thank you! 10