McAfee Enterprise Mobility Management



McAfee Enterprise Mobility Management Providing mobile application enablement and HIPAA security compliance

Table of Contents

HIPAA and ePHI
Overview of McAfee EMM
HIPAA Compliance for Remote Access
    Table 1. CMS Guidance for HIPAA Security Compliance
Sample Security Policy
    Table 2. Best-Practice Policies to Protect ePHI
Large-Scale Implementations
Conclusion

Increasingly, intelligent mobile devices like the Apple iPhone and Apple iPad are being used by healthcare organizations to deliver real-time information at the point of care. Physicians and other healthcare workers are using a variety of apps (for example, web-based, from the Apple App Store, and custom) to help them reference drugs, track patient status, gain access to patient records, and manage their hectic schedules. For healthcare IT, this means that mobile data protection for handheld mobile devices is no longer just about email. Device and data protection requires the use of data center facilities to treat mobile devices like laptops, meaning the protection of all forms of Electronic Protected Health Information (ePHI) on the entire device.

HIPAA and ePHI

Concerned by high-profile security breaches involving ePHI, and driven by the recent expansion of the HIPAA (Health Insurance Portability and Accountability Act) Security Rule by the HITECH Act, the Department of Health and Human Services (HHS) is ratcheting up its audits of covered healthcare entities and business associates for HIPAA compliance. The Centers for Medicare and Medicaid Services (CMS), which oversees HIPAA Security Rule enforcement, has published the HIPAA Security Guidance for Remote Use of and Access to Electronic Protected Health Information to help organizations determine the best way to protect ePHI available to mobile device users.

In this white paper, McAfee shows how to implement the CMS recommendations using the McAfee Enterprise Mobility Management (McAfee EMM) solution for mobile device security and protection. McAfee has helped numerous large healthcare organizations manage and secure their mobile deployments. This white paper combines the proven best practices of our customers with the guidance of the CMS to help healthcare organizations learn how to harness the latest mobile technologies securely to deliver the best possible care to their patients.
Overview of McAfee EMM

McAfee believes that IT can leverage the native capabilities of mobile devices like the iPhone and iPad with existing mission-critical applications and infrastructure to deliver laptop-like capabilities that fit in the pocket of the healthcare worker. The McAfee approach enables the use of mobile devices for a variety of healthcare purposes while also simplifying compliance with the HIPAA Security Rule.

Within the corporate network, McAfee EMM leverages existing IT services, such as Microsoft Active Directory and strong authentication, to ensure a secure mobile environment. McAfee EMM protects the enterprise network and enterprise applications by ensuring that mobile devices are compliant with enterprise policies, for example, not permitting jailbroken or modified devices to enter the corporate network. McAfee EMM secures and manages the whole device, including all applications, data, configurations, and credentials. In addition, the McAfee EMM security umbrella supports multiple application frameworks, including web-based applications and thick apps written for the native operating system (OS) software development kit (SDK). McAfee EMM leverages Apple and third-party investments in user interface and applications to provide the best possible user experience while keeping pace with OS innovations.

Leveraging the native capabilities of the mobile device has operational and compliance benefits. For example, McAfee EMM supports an administrative push wipe to securely delete all or some information on the whole device in a way that is also verifiable for auditing purposes. This feature, and others, provides healthcare IT with a robust and comprehensive solution for HIPAA security compliance.

HIPAA Compliance for Remote Access

The CMS has published the HIPAA Security Guidance for Remote Use of and Access to Electronic Protected Health Information to guide your implementation of mobile security. Many of the key suggestions are outlined in Table 1, along with the McAfee EMM feature that best supports the recommendations. The table also highlights two areas of concern that HHS will review during a compliance audit: remote access of ePHI and remote storage of ePHI. In the first two columns, the CMS has identified possible risks associated with remote use of ePHI and possible strategies for mitigation. The third column identifies the McAfee EMM feature, or set of features, that can be used to implement the CMS risk management strategies.

Table 1. CMS Guidance for HIPAA Security Compliance

Access Risk
- Logon/password information is lost or stolen, resulting in potential unauthorized or improper access to, or inappropriate viewing or modification of, ePHI
- Employees accessing ePHI when not authorized to do so while working off site
- Home or other offsite workstations left unattended, risking improper access to ePHI

Possible Risk Management Strategies
- Implement two-factor authentication for granting remote access to systems that contain ePHI. This process requires factors beyond general usernames and passwords to gain access to systems (for example, requiring users to answer a security question, such as "favorite pet's name").
- Implement a technical process for creating unique user names and performing authentication when granting remote access to a workforce member. This may be done using Remote Authentication Dial-In User Service (RADIUS) or similar tools.
- Develop and employ proper clearance procedures and verify training of workforce members prior to granting remote access.
- Establish remote access roles specific to applications and business requirements. Different remote users may require different levels of access based on job function.
- Ensure that the issue of unauthorized access of ePHI is appropriately addressed in the required sanction policy.
- Establish appropriate procedures for session termination (time-out) on inactive portable or remote devices. Covered entities can work with vendors to deliver systems or applications with appropriate defaults.

McAfee EMM Feature
- The McAfee EMM solution includes strong authentication with the ability to policy-manage password complexity, expiration, re-use (history) and failure thresholds, and associated penalties.
- Strong or two-factor authentication for access to internal applications and services requires a VPN using client certificates or a one-time-password solution, such as RSA SecurID. This may be problematic for email, since push email via Microsoft ActiveSync is not possible with RSA SecurID and has very poor performance and battery life under a VPN. McAfee EMM provisions secure sockets layer (SSL) client certificates to mobile devices, providing push email with strong authentication and no performance or battery impact.
- McAfee EMM permits only authorized mobile devices to access the IT network. Authorization is driven by group membership in Active Directory or other lightweight directory access protocol (LDAP)-based directory services. McAfee delivers seamless integration with Active Directory and simplifies user management with group-based policies and authorization-based device activation.
- McAfee EMM automatically detects changes to things like the iPhone Configuration Profiles and other device status, automatically enforcing compliance without any IT administrative involvement. Compliance reporting provides audit evidence.
- Using McAfee EMM, the amount of time a mobile device can be idle before invoking the power-on password is configurable in the password policy.

Table 1. CMS Guidance for HIPAA Security Compliance (continued)

Access Risk
- Contamination of systems by a virus introduced from an infected external device used to gain remote access to systems that contain ePHI
- Laptop or other portable device is lost or stolen, resulting in potential unauthorized/improper access to or modification of ePHI housed on or accessible through the device
- Use of an external device to access corporate data, resulting in the loss of operationally critical ePHI on the remote device
- Loss or theft of ePHI left on devices after inappropriate disposal by the organization

Possible Risk Management Strategies
- Install personal firewall software on all laptops that store or access ePHI or connect to networks on which ePHI is accessible.
- Install, use, and regularly update virus protection software on all portable or remote devices that access ePHI.
- Identify the types of hardware and electronic media that must be tracked, such as hard drives, magnetic tapes or disks, optical disks or digital memory cards, and security equipment, and develop inventory control systems.
- Implement a process for maintaining a record of the movements of, and person(s) responsible for or permitted to use, hardware and electronic media containing ePHI.
- Require use of lock-down or other locking mechanisms for unattended laptops.
- Password protect files.
- Password protect all portable or remote devices that store ePHI.
- Require that all portable or remote devices that store ePHI employ encryption technologies of the appropriate strength.
- Develop processes to ensure appropriate security updates are deployed to portable devices, such as smartphones and PDAs.
- Consider the use of biometrics, such as fingerprint readers, on portable devices.
- Develop processes to ensure backup of all ePHI entered into remote systems.
- Deploy policy to encrypt backup and archival media.
- Ensure that policies direct the use of encryption technologies of the appropriate strength.
- Establish ePHI deletion policies and media disposal procedures. At a minimum, this involves complete deletion, via specialized deletion tools, of all disks and backup media prior to disposal. For systems at the end of their operational lifecycle, physical destruction may be appropriate.

McAfee EMM Feature
- Jailbroken or modified mobile devices like the iPhone disable the native capabilities that protect against this threat. McAfee EMM detects jailbroken mobile devices and prevents them from accessing IT services and corporate data.
- Using McAfee EMM: compliance reporting by IT administrators is enabled to identify mobile devices accessing ePHI remotely; compliance reporting and enforcement tracks user compliance with security policies and prevents noncompliant access of ePHI; compliance enforcement ensures the mandatory use of mobile devices with always-on encryption, configured with a power-on password for full data protection of ePHI, regardless of the source application (email, thin app, proprietary thick app). In addition, compliance is enforced on every transaction, in real time, without any burden on the IT administrator.
- McAfee EMM automatically detects changes to iPhone Configuration Profiles and other device status, automatically enforcing compliance. Compliance issues are remediated with automated, over-the-air (OTA) provisioning and management to deliver security policies and settings.
- Reporting provides a real-time snapshot of user compliance for auditing purposes.
- McAfee EMM simplifies the configuration of WiFi and VPN to facilitate the backup of ePHI stored on mobile devices via application servers.
- McAfee EMM is able to deliver a remote push wipe of the entire device to ensure that ePHI is removed from the mobile device if it is lost or removed from service. In addition to device data, access configurations and credentials are removed to protect the integrity of the data center network. The wipe of the device is verifiable for auditing purposes.

Table 1. CMS Guidance for HIPAA Security Compliance (continued)

Access Risk
- Data is left on an external device (accidentally or intentionally), such as in a library or hotel business center
- Data intercepted or modified during transmission
- Contamination of systems by a virus introduced from an external device used to transmit ePHI

Possible Risk Management Strategies
- Prohibit or prevent download of ePHI onto remote systems or devices without an operational justification.
- Ensure that the workforce is appropriately trained on policies that require users to search for and delete any files intentionally or unintentionally saved to an external device.
- Minimize use of browser-cached data in web-based applications that manage ePHI, particularly those accessed remotely.
- Prohibit transmission of ePHI via open networks, such as the Internet, where appropriate.
- Prohibit the use of offsite devices or wireless access points for non-secure access to email.
- Use more secure connections for email via SSL, and then use message-level standards such as S/MIME, SET, PEM, PGP, and others.
- Implement and mandate appropriately strong encryption solutions for transmission of ePHI.
- Install virus protection software on portable devices that can transmit ePHI.

McAfee EMM Feature
- The McAfee EMM platform ensures that only security-compliant devices have access to ePHI.
- McAfee EMM manages the entire device and its services, including email, apps, PKI, WiFi and VPN. This ensures that all ePHI is only transmitted over secure OTA connections to the data center.
- Jailbroken or modified mobile devices disable the native capabilities that protect against this threat. McAfee EMM detects jailbroken mobile devices and prevents them from accessing IT services and corporate data.

Sample Security Policy

A best-practice security policy is provided in Table 2 to illustrate how IT can implement incremental degrees of security to protect ePHI. The sample policy describes what IT administrative capabilities are required to secure mobile devices like the Apple iPhone and iPad. In addition, the policy recommends encryption and password data protection for the entire device. This is essential, as Apple mobile devices support a variety of applications and access methods to enable users to access ePHI from anywhere.

Table 2. Best-Practice Policies to Protect ePHI

Policy                 | Parameter                        | Administrative Support Functionality
General                | Data Protection Security Policy  | Administrative password for configuration profiles
Data Protection        | Encryption                       | Always on (iPhone 3GS)
Data Protection        | Wipe method                      | Full device
User Authentication    | Password                         | 4-character PIN, 5 attempts, wipe after failure, idle timer 5 minutes
Resource Control       | Camera                           | On
Application Management | Image lock                       | Off
Application Management | App Store                        | On
Application Management | YouTube                          | On
Application Management | Web browser                      | On
Network Control        | VPN                              | Configure
Network Control        | WiFi                             | Configure
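The compliance enforcement described in Table 1 (jailbreak detection, mandatory always-on encryption with a power-on password, and automatic re-provisioning when a configuration profile drifts) and the sample policy in Table 2 can be made concrete in code. The following Python is an added example written for this page; it is not McAfee EMM code and does not reflect the product's API. It serialises the Table 2 values as an Apple configuration profile, using the passcode, restrictions and profile-removal-password payload types and keys documented by Apple, and then evaluates constructed device posture reports against the same policy. The posture-report layout, the profile identifier example.hospital.ephi-baseline, and the CHANGE-ME removal password are assumptions; the "Image lock" row of Table 2 is not mapped because the page does not say which device setting it controls.

```python
import plistlib
import uuid

# Values from Table 2 of the white paper.
TABLE2_POLICY = {
    "pin_min_length": 4,          # 4-character PIN
    "max_failed_attempts": 5,     # wipe after the fifth failure
    "idle_timeout_minutes": 5,    # idle timer before the power-on password
    "require_encryption": True,   # "Always on (iPhone 3GS)"
    "allow_camera": True,
    "allow_app_store": True,
    "allow_youtube": True,
    "allow_web_browser": True,
}
PROFILE_ID = "example.hospital.ephi-baseline"  # assumed profile identifier
parse_profile = plistlib.loads  # convenience for callers inspecting the plist


def _payload(payload_type, name, **keys):
    """Header fields every configuration-profile payload carries."""
    return {"PayloadType": payload_type, "PayloadVersion": 1,
            "PayloadIdentifier": f"{PROFILE_ID}.{payload_type}",
            "PayloadUUID": str(uuid.uuid4()), "PayloadDisplayName": name, **keys}


def build_profile(policy, removal_password="CHANGE-ME"):
    """Serialise the policy as a .mobileconfig plist (bytes) for OTA delivery.
    Payload types and keys are Apple's documented ones; the removal password
    stands in for Table 2's administrative password (default is a placeholder)."""
    passcode = _payload(
        "com.apple.mobiledevice.passwordpolicy", "Passcode policy",
        forcePIN=True,
        allowSimple=True,  # a numeric PIN satisfies Table 2
        minLength=policy["pin_min_length"],
        maxFailedAttempts=policy["max_failed_attempts"],
        maxInactivity=policy["idle_timeout_minutes"])
    restrictions = _payload(
        "com.apple.applicationaccess", "Resource and application control",
        allowCamera=policy["allow_camera"],
        allowAppInstallation=policy["allow_app_store"],
        allowYouTube=policy["allow_youtube"],
        allowSafari=policy["allow_web_browser"])
    removal = _payload("com.apple.profileRemovalPassword",
                       "Profile removal password",
                       RemovalPassword=removal_password)
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": PROFILE_ID, "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "ePHI mobile baseline",
        "PayloadContent": [passcode, restrictions, removal]})


BLOCK, REMEDIATE, COMPLIANT = "block", "remediate", "compliant"


def evaluate_posture(report, policy):
    """Classify a posture report (constructed format) against the policy.
    Conditions that leave ePHI unprotected (jailbreak, no hardware encryption,
    no passcode) block access; drift in pushed settings is remediated by
    re-provisioning the profile. Returns (decision, findings)."""
    findings = []
    if report.get("jailbroken"):
        findings.append((BLOCK, "device is jailbroken"))
    if policy["require_encryption"] and not report.get("hardware_encryption"):
        findings.append((BLOCK, "hardware encryption not available"))
    pc = report.get("passcode") or {}
    if not pc.get("present"):
        findings.append((BLOCK, "no power-on password set"))
    else:
        if pc.get("min_length", 0) < policy["pin_min_length"]:
            findings.append((REMEDIATE, "passcode shorter than policy"))
        if pc.get("max_failed_attempts") != policy["max_failed_attempts"]:
            findings.append((REMEDIATE, "failed-attempt threshold drifted"))
        if pc.get("idle_timeout_minutes", 99) > policy["idle_timeout_minutes"]:
            findings.append((REMEDIATE, "idle timeout longer than policy"))
    if PROFILE_ID not in report.get("installed_profiles", []):
        findings.append((REMEDIATE, "baseline profile missing"))
    blocked = any(level == BLOCK for level, _ in findings)
    decision = BLOCK if blocked else (REMEDIATE if findings else COMPLIANT)
    return decision, [msg for _, msg in findings]


# Constructed posture reports: compliant, jailbroken, and drifted devices.
_GOOD = {"jailbroken": False, "hardware_encryption": True,
         "installed_profiles": [PROFILE_ID],
         "passcode": {"present": True, "min_length": 4,
                      "max_failed_attempts": 5, "idle_timeout_minutes": 5}}
SAMPLE_REPORTS = {
    "good": _GOOD,
    "jailbroken": {**_GOOD, "jailbroken": True},
    "drifted": {**_GOOD, "installed_profiles": [],
                "passcode": {**_GOOD["passcode"], "max_failed_attempts": 10,
                             "idle_timeout_minutes": 15}},
}
```

Running evaluate_posture over SAMPLE_REPORTS gives "compliant" for the first device, "block" for the jailbroken one, and "remediate" with three findings for the drifted one, which is the point where a gateway would re-push the profile produced by build_profile rather than cut the user off. The decision is computed from the posture report alone, so it can be applied on every transaction as the paper describes, without administrator involvement.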

Figure 1. Example of a large-scale deployment. (The diagram shows the Internet feeding portal/proxy servers in America, Europe and Asia; each region's enterprise hub contains Exchange servers and SQL servers, with SQL DB replication between the regional hubs.)

Large-Scale Implementations

McAfee EMM can be deployed in a highly scalable environment that spans a large hospital system. Figure 1 shows a configuration that geographically may not match the typical hospital system, but it does illustrate how an organization can deploy McAfee EMM to support a regional healthcare system. In this approach, each domain's EMM proxy enforces HIPAA compliance locally, while control of the overall system and management of mobile devices is done from a centralized web-based console. Policies are stored in a SQL database that is replicated among regions to keep all regions in sync. Active Directory can be regionalized, or a single directory can be used to manage all domains. McAfee EMM delivers seamless integration with the enterprise's Active Directory infrastructure and simplifies user management, enabling the use of group-based policies for operational tasks (such as device activation) and administrative role-based access control to the management console.

Conclusion

Today's mobile devices like the Apple iPhone and iPad are much more powerful than PCs were just a few years ago, and they are a common way of accessing and storing ePHI. With robust auditing for HIPAA Security compliance, IT can no longer ignore these devices in their organization. The McAfee EMM solution provides healthcare IT with a simple platform that leverages existing IT infrastructure, training, standards, policies, and services to deliver a more efficient and proven end-to-end environment to secure, manage, and audit their mobile devices. For more information visit www.mcafee.com/mobilesecurity/emm.

About McAfee, Inc.
McAfee, Inc., headquartered in Santa Clara, California, is the world's largest dedicated security technology company. McAfee is relentlessly committed to tackling the world's toughest security challenges. The company delivers proactive and proven solutions and services that help secure systems and networks around the world, allowing users to safely connect to the Internet, browse and shop the web more securely. Backed by an award-winning research team, McAfee creates innovative products that empower home users, businesses, the public sector, and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security. http://www.mcafee.com

McAfee, Inc.
2821 Mission College Boulevard
Santa Clara, CA 95054
888 847 8766
www.mcafee.com

McAfee, the McAfee logo, and McAfee EMM are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright 2010 McAfee, Inc.