IT Compliance Institute, April 18, 2006:
Trends and Technologies
Case Study: White Lab Coat Security
PDAs with comprehensive, current patient data can help a doctor save a life, but a lack of proper security controls also poses privacy risks. INTEGRIS Health has implemented mobile access restrictions that could also protect critical corporate data.
By Mathew Schwartz
Are PDA-toting doctors a compliance risk?
Watch a medical practitioner at work, and chances are you’ll see a well-used mobile device—likely a smart phone—in tow. Thank a number of medical software applications with PDA tie-ins, which allow doctors to carry in one device their patients’ charts, x-rays, and EKGs; pharmacological databases and patient admittance lists; plus a cell phone.
To maintain compliance with multiple security regulations, however, healthcare organizations want to ensure people’s personal health information doesn’t get into the wrong hands. That’s precisely what drove INTEGRIS Health, which manages 12 hospitals and about 30 clinics throughout Oklahoma, to require better security for any mobile devices synchronizing with its PCs.
Randy Maib, senior IT consultant at INTEGRIS, was in on the effort’s beginnings. “Back in 2002, one of the directors in IT and myself started up our security department,” he notes. One of their first tasks was to work with senior managers to ensure compliance with the new HIPAA and Joint Commission on Accreditation of Healthcare Organizations (JCAHO) information management regulations. “Needless to say, there were a number of things we had to do to get us into compliance with the regulations, and one of those things was mobile security,” he says.
Beyond Mobile Passwords
Mobile security, of course, isn’t just a healthcare concern. By 2007, predicts IDC, the market for mobile security software will exceed $1 billion, driven not just by compliance concerns, but also by the emergence of viruses targeting mobile devices, the need to secure increasing numbers of mobile devices with wireless access to the corporate LAN, and a desire to manage the corporate applications running on mobile devices.
But the devices should not be given a free security pass, say IDC analysts Sally Hudson and Stephen Drake. “To gain the full benefits of mobility without incurring substantial risk, organizations must treat mobile devices as a critical and equal component of their existing infrastructure.”
To protect its mobile devices, INTEGRIS wanted authentication controls, strong encryption for data at rest, plus a centralized management console. Yet initially, it could only find software for requiring PINs to access Palms, with no management console. Ultimately, however, it began working with CREDANT Technologies, and in late 2002 INTEGRIS became an early implementer of its Mobile Guardian security software.
The software has three components: an Enterprise Server that centrally manages policies, agent (“Shield”) software that runs on the mobile devices and applies those policies, and Gatekeeper software that runs on PCs and regulates device synchronization. The first time a mobile device attempts to synchronize, the Shield agent is downloaded to it, and any later policy changes are pushed to the device on subsequent synchronizations. If a user refuses to let the agent install, the device is not allowed to synchronize.
When a device running the Shield software is powered on, the user must enter a PIN, a password, an answer to a challenge question, or some combination of the three. (For the PIN, users get five chances before the device locks, though there are some built-in self-service password recovery tools.) Only then does the device decrypt its stored data and grant access.
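To make the PIN gate concrete, here is an added toy model of how an on-device agent can tie “five tries, then lock” to encryption of data at rest. It is example code written for this page, not CREDANT’s Mobile Guardian implementation; the key-derivation scheme, the PBKDF2 round count, the HMAC-based verifier, the stand-in stream cipher and the sample PIN and record are all assumptions chosen so it runs with the Python standard library alone.

```python
"""Toy model of an agent-enforced PIN gate over a device's encrypted store.

Illustrative only: the construction below is an assumption about how such a
gate can work, not the vendor's implementation described in the article.
"""
import hashlib
import hmac
import os

MAX_ATTEMPTS = 5          # the article: five PIN tries, then the device locks
PBKDF2_ROUNDS = 50_000    # assumed value; tune to the device's CPU budget


def derive_key(pin: str, salt: bytes) -> bytes:
    """Stretch the PIN into a 32-byte data key. The key lives in RAM only while unlocked."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ROUNDS)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-style stream cipher with HMAC-SHA256 as the PRF, so the example needs no
    third-party library. A real product would use an authenticated cipher (AES-GCM)."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


class ShieldedStore:
    """What the agent keeps at rest: salt, PIN verifier, ciphertexts, attempt counter.
    Neither the PIN nor the data key is ever written to storage."""

    def __init__(self, pin: str):
        self.salt = os.urandom(16)
        key = derive_key(pin, self.salt)
        # HMAC(key, constant) lets the agent recognise the right PIN without storing it.
        self.verifier = hmac.new(key, b"pin-verifier", hashlib.sha256).digest()
        self.attempts = 0
        self.locked = False
        self._records = {}      # name -> (nonce, ciphertext)
        self._key = key         # unlocked right after enrolment

    def lock(self) -> None:
        """Power-off or idle timeout: drop the key so the stored data is unreadable."""
        self._key = None

    def unlock(self, pin: str) -> bool:
        """Load the key if the PIN is right; count failures and lock after MAX_ATTEMPTS."""
        if self.locked:
            return False
        candidate = derive_key(pin, self.salt)
        probe = hmac.new(candidate, b"pin-verifier", hashlib.sha256).digest()
        if hmac.compare_digest(probe, self.verifier):
            self.attempts = 0
            self._key = candidate
            return True
        self.attempts += 1
        if self.attempts >= MAX_ATTEMPTS:
            self.locked = True   # only the recovery path (admin or self-service) should help now
        return False

    def put(self, name: str, plaintext: bytes) -> None:
        if self._key is None:
            raise PermissionError("device is locked")
        nonce = os.urandom(12)
        self._records[name] = (nonce, keystream_xor(self._key, nonce, plaintext))

    def get(self, name: str) -> bytes:
        if self._key is None:
            raise PermissionError("device is locked")
        nonce, ciphertext = self._records[name]
        return keystream_xor(self._key, nonce, ciphertext)


def demo() -> dict:
    """Enrolment, one wrong guess, a correct unlock, then the five-strike lockout."""
    store = ShieldedStore("4821")                        # constructed sample PIN
    store.put("chart-0001", b"constructed sample: patient chart bytes")
    store.lock()
    wrong_first = store.unlock("0000")
    right = store.unlock("4821")
    chart = store.get("chart-0001")
    store.lock()
    for guess in ("1111", "2222", "3333", "4444", "5555"):
        store.unlock(guess)
    return {"wrong_first": wrong_first, "right": right, "chart": chart,
            "locked": store.locked, "right_after_lock": store.unlock("4821")}


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner should keep in mind: the lockout counter only defends against online guessing on the device itself. A four-digit PIN has 10,000 possibilities, so anyone who images the flash can run the same derivation offline in seconds regardless of how many attempts the agent allows. Real products therefore bind the data key to something the attacker cannot copy along with the storage, such as a hardware-held secret or a key escrowed on the management server.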
Deployment Challenges
Before getting that up and running, however, INTEGRIS faced some initial deployment challenges. “We did an enterprisewide deployment to approximately 4,500 workstations, and we had to back that off after the first go,” notes Maib. The problem was that all of the Gatekeepers on PCs watching for device synchronization tended to contact the Enterprise Server for instructions at the same time, which slowed everything to a crawl. Tweaks ultimately smoothed out the issue. Another glitch was that the Shield software required a PIN before allowing someone to answer an incoming smart phone call, though a later software update fixed that.
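The check-in storm Maib describes is a classic “thundering herd” failure mode, and the following added example quantifies it and one standard mitigation: giving each Gatekeeper a persistent random offset within its polling period. This is illustrative code written for this page, not the vendor’s software, and the article does not say which tweaks INTEGRIS actually applied; the one-hour period, the seed and the per-second bucketing are assumptions.

```python
"""Model of a synchronized Gatekeeper check-in storm versus jittered check-ins.

Illustrative only: the polling period and the jitter scheme are assumptions,
not details reported in the article.
"""
import random
from collections import Counter

N_GATEKEEPERS = 4500     # the article's initial rollout size
PERIOD_S = 3600          # assumed policy-refresh period of one hour


def synchronized_offsets(n):
    """Every Gatekeeper polls at the top of the period (a shared timer or boot time)."""
    return [0] * n


def jittered_offsets(n, period, rng):
    """Each Gatekeeper draws a random offset in [0, period) once and keeps it."""
    return [rng.randrange(period) for _ in range(n)]


def peak_requests_per_second(offsets):
    """Largest number of check-ins that land in any single one-second bucket."""
    return max(Counter(offsets).values())


def compare(n=N_GATEKEEPERS, period=PERIOD_S, seed=7):
    """Return the peak load the Enterprise Server sees under both schedules."""
    rng = random.Random(seed)       # fixed seed so the run is reproducible
    return {
        "synchronized_peak": peak_requests_per_second(synchronized_offsets(n)),
        "jittered_peak": peak_requests_per_second(jittered_offsets(n, period, rng)),
        "average_per_second": n / period,
    }


if __name__ == "__main__":
    print(compare())
```

With all 4,500 agents on the same timer the server absorbs 4,500 requests in one second; spread across an hour the same fleet averages 1.25 requests per second, with a peak of a handful. Jitter alone does not help if agents retry immediately on a timeout, so in practice it is paired with exponential backoff and a cached policy version so most check-ins are a cheap “anything new since version N?” rather than a full download.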
Post-rollout, Maib’s first mobile security project was simply to count the number of PDAs being synchronized; there were 68. Today, the mobile security software covers at least 175 PocketPCs, 85 Palm devices, perhaps 150 BlackBerries, plus some tablets and cell phones. About 2,700 PCs (out of 5,000) run the Gatekeeper software. These numbers might increase in the near future. Maib wants to expand Mobile Guardian use to more smart phones. Also, once Mobile Guardian’s encryption capabilities improve—he wants better granularity, for example, to specify not just folders but also file types to encrypt—he anticipates tackling more laptops and desktops.
Overcoming Cultural Barriers
Even while it mastered the technology side of the equation, INTEGRIS faced a much bigger challenge: cultural buy-in. “The hardest challenge we have in healthcare regarding any security measure is the cultural facet, because doctors and nurses want the information as fast as possible, to care for the patient, and if you put anything in their way, it becomes a stick in the side that they can’t stand.”
To overcome such resistance, he began a mobile security education campaign. “We absolutely had to visit just about every single physician,” notes Maib. At physician meetings and weekly medical boards, he made the case for why doctors needed to enter a four-digit PIN to get access to their device.
His pitch: if I give you an ATM card that doesn’t require a PIN to withdraw money, of course someone’s going to eventually steal your card, and your money. “With that kind of analogy, it got across to most of them,” he notes, though “we still have a few older physicians of course who don’t want to have anything to do with touching technology.”
Holistic Mobile Application Security
For the future, Maib has a wish: better mobile application security, perhaps through vendors agreeing on a common mobile application security framework. “If you’ve already got an overlying umbrella solution that already provides you with the security, why not use it for everything?” he asks.
To illustrate necessary features for such a framework, one piece of software he mentions is the MercuryMD application INTEGRIS uses to provide doctors with patient information. The application will also run on handheld devices, and “has its own encryption and security on the device, in addition to what CREDANT provides,” he notes, and includes the ability to proactively erase stored patient information after a set period, then restore it (if necessary) when the device synchronizes. All of that makes compliance sense: attackers can’t recover what’s not there.
Might mobile-application vendors agree on a security framework with similar capabilities? They may have to, as hospitals are already seeing a marked increase in their use of mobile applications for critical-care purposes, such as INTEGRIS emergency room and heart-treatment projects. Already, personnel can “download the EKGs that come off of the ambulance, through a central PC, and send them out to a PDA so they can review it as the ambulance is bringing the patient in,” notes Maib.
For doctors, getting just-in-time, essential information in a useful format is critical for providing holistic care, and this is what mobile applications increasingly enable. “It just seems like every week somebody is coming up with something new that requires a mobile device, whether it be a tablet, laptop, or PDA,” says Maib.
Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.
This article originally appeared in IT Compliance Institute and is reprinted by permission of 1105 Media, Inc.