Rx for mThreats in Today's Healthcare Institutions
Daniel W. Berger, President and CEO, Redspin, Inc.
P: 805.576.7158 E: dberger@redspin.com

Meaningful Healthcare IT Security
Technical Expertise: Penetration Testing; Web Application Security; HIPAA Risk Analysis; Mobile/Wireless Security; Security Awareness Training
Healthcare Experience: Conducted HIPAA Security Risk Analysis at ~100 hospitals in the past 18 months
Soon-to-be-published paper: "Is PHI Data Security Really Possible in a Mobile World?"
The Mobility Explosion: Devices and Connectivity
As of Q1 2012, 50.4% of all U.S. wireless subscribers had a smartphone (Nielsen)
Nearly 1/3 of mobile workers use more than one mobile device
The number of public Wi-Fi hotspots doubled in 2011
U.S. tablet users will double this year to ~70 million, about 29% of all internet users (eMarketer)

The Mobility Explosion: Applications and Trends
Email access via mobile rose 36% in the past year (comScore)
>500,000 apps in the Apple App Store, >200,000 in the Android Marketplace
Lots of cloud services
Word documents, spreadsheets, PowerPoints, embedded cameras, JPG, video, etc.
Smartphones and tablets (lightweight O/S) will surpass the desktop as the primary user interface in enterprise computing by 2015 (Gartner)
80% of doctors use mobile devices, primarily smartphones and tablets (Float Mobile)
Social Connectivity: Anyone, Anywhere, Anytime
[Chart: Source: Frost & Sullivan]

Evolutionary Change?
"What were once vices are now habits." - The Doobie Brothers
BYOD: HYPE OR REVOLUTION? Are your employees armed and dangerous? (They seem like such nice, well-meaning people)
Lots of Vendor Propaganda
Publication (Vendor):
The Ten Commandments of BYOD (Fiberlink)
10 Mobile Security Requirements for the BYOD Enterprise (Accellion)
BYOD in Healthcare Organizations: Top 6 Risks & How to Avoid Them (IBM)
Addressing BYOD Security and Compliance through Mobile Risk Management (Fixmo)
How to Enable Secure Access for BYOD at Work (Dell SonicWall)
Rogue Mobile Apps: Trends, Threat Review and Remedies for BYOD Challenge (RiskIQ)
Strong Authentication: Transforming BYOD challenge to BYOD opportunity (VASCO Data Security)
BYOD Became an Olympic Sport
The Risks Are Real
37% of U.S. information workers are using BYOD at work before policies are in place (Forrester Research, 1/11)
46% increase in development of mobile device malicious software (McAfee, 2/11)
80% of CIOs believe BYOD use increases a company's vulnerability to attack (Ovum, 11/10)

The Threats Are Increasing
[Chart: Mobile Operating System Exploits, 2006-2011. Source: IBM X-Force Research and Development]
The Curious Case of PHI
The Curious Case of PHI
It's meant to be portable
Lots of needs for legitimate access
Priority is availability, integrity, confidentiality (AIC, not CIA)
Once breached, nearly impossible to cure
Breaches can have serious medical consequences, even life or death
A 9% rise in use of smartphones by doctors resulted in a 32% rise in data breaches (Manhattan Research, 12/11)
Security Crossroads
Secure Every Device?
Risk Your Career?
"I told our CEO he should fire me if this doesn't work." - Dale Potter, CIO, Ottawa Hospital

Put the Brakes On?
[Chart: Does Your Policy Allow Employees to Use Personal Mobile Devices for Work?]
"... some CIOs need to put the brakes on BYOD initiatives until they can get policies and education in place." - State of Mobile Security, InformationWeek, May 2012

The Facts of (Mobile) Life
Consumer devices are already at work. (Oh yes they are)
Employees want to be able to use them for both personal use and work. (So ultimately they will)
The risk is already here. (Like, yesterday)
"We have met the enemy and he is us." - Pogo
BYOD Security Risk Analysis
Typical Network Security Policies
Securing the Data
User authentication
Encryption
VPN clients
Secure email/text messaging
Antivirus and malware protection
Sandboxing
Lost or stolen phone/tablet (remote wipe)
Mobile Device Management system:
- Config control (including security features)
- Patch management
- Control network use based on user privileges
- Integrate into help desk

The New Paradigm
User Centric, Collaborative
vs. Device Centric, Authoritative

Devices Aren't Mobile, Humans Are

Securing the People
Policy:
Who's responsible? Legal? HR? IT? Security?
Lack of precedent
Involve users in creating policy
Training:
All users need education on how to utilize a device on the network as part of a BYOD strategy
Intel found 100% of employees would accept behaviour modification and training in return for the freedom to use their devices
IT employees also need training on how to deal with specific scenarios
Final Thoughts
Resistance is Futile
Compromise is Inevitable
Managing Security = Reducing Risk
People are the New Endpoints
Employee BYOD Use Survey (Free) http://mobile.redspin.com