BYOD Policy: An Essential Security StepFormer Presidential Adviser Addresses Mobile Issues
It's impractical for organizations to ban staff members from using personally owned devices for work or to avoid having a formal bring-your-own-device policy, says Peter Swire, an Ohio State University law professor and former presidential adviser on privacy issues.
"A lot of organizations have tried to stop BYOD; users just work around that," Swire says in an interview with Information Security Media Group (transcript below).
"If you try to just say 'no,' a lot of people have found out that the CEO says 'yes,'" Swire says about mixed messages that occur when there is no clear policy on BYOD. When developing a policy, it's important to consider who the stakeholders are and what they need to do to get their jobs done, he says. "That may make it a little more difficult for the security people, but being good listeners to what has to happen for people to get their jobs done is an important step," he says.
In the interview, Swire also notes that medical devices "could be a back door into your network." Even devices that aren't web-enabled need to be monitored for security vulnerabilities, he stresses.
"A lot of the devices in the sensor-everywhere universe we're moving to don't have very good security built in; they often have default passwords set that are easy to guess," he says. "We will have to move up the learning curve, like we have for smart phones and before that laptops and PCs. We need to treat [medical devices] as the security flaws that they are."
In the interview, Swire also discusses:
- Why healthcare organizations often fail to use encryption;
- The important role that "sandboxing" - partitioning data on mobile devices - can play in security;
- Security challenges of smaller healthcare providers.
Swire is a William O'Neill Professor of Law at the Moritz College of Law of the Ohio State University. He is also a senior fellow with the Future of Privacy Forum and the Center for American Progress and policy fellow with the Center for Democracy and Technology. Swire was recently named to co-chair the Do Not Track standards process of the World Wide Web Consortium. From 2009 to 2010, he was special assistant to the president for economic policy, serving on the National Economic Council. From 1999 to early 2001, Swire served as the Clinton Administration's chief counselor for privacy in the U.S. Office of Management and Budget. He was recently named to the advisory board of Enlocked, a provider of secure e-mail services.
Lack of Encryption on Mobile Devices
MARIANNE MCGEE: The culprit in the majority of large health data breaches has been stolen or lost unencrypted computing devices. Why does this keep happening?
PETER SWIRE: One problem is BYOD. People bring their own devices. They try to find ways to get access using a thumb drive or whatever it is, or download things ... and then their own device doesn't really have security on it. The lack of security on the users' device is a big harm.
A second harm is that smaller organizations don't really have a very good tech infrastructure sometimes for supporting encryption. You have to manage keys effectively, and if you're managing keys for a user's device and you lose the keys, the device turns into a brick. "Brickafication" is a big worry for people if they over-encrypt and they're not absolutely sure they can manage the keys.
Stepping up Security
MCGEE: Besides using encryption, what else should healthcare organizations be doing to step up their mobile device security?
SWIRE: ... One thing that's now available increasingly is to be able to sandbox the work information from the personal information. This is familiar to people who have done this on laptops for a long time. You can have a secure encrypted access limited to part of your device and then you have the other part of the device that can go surf the Internet and figure out what time the kid's soccer game is.
What has really happened in the last few years is more of the mobile devices have this kind of sandboxing available so you can really separate and then partition, whether it's a separate virtual machine or in other ways, and you can have a lot more security for the part of the device that handles that protected health information.
Developing BYOD Policies
MCGEE: As you mentioned earlier, bring-your-own-device environments often are involved when there's a breach. What tips should healthcare organizations consider in developing policies that allow or not allow employees or others to use their own personally owned mobile devices for work?
SWIRE: A lot of organizations have tried to stop BYOD, and users just work around it. Increasingly, even in quite secure environments ... people are finding ways that they can build good security into the person's device. That's the frustration to the tech managers. It's similar to the frustration the tech managers had years ago when PCs became common. The user gets more control. The user is doing the settings. What you really should be trying to do is have things partitioned and sandboxed, trying to figure out in the mobile device realistically how you can minimize any problems if this device is lost or some mistake happens.
MCGEE: In developing a policy for bring-your-own-device, are there any do's and don'ts that you would suggest to healthcare providers?
SWIRE: I'd say that if you try to just say, "no," a lot of people have found out that the CEO says "yes." As you're doing the policies, it's really a requirements engineering situation: Who are the stakeholders and what do they need to do to get their job done? That might make it a little harder on the security people. But being good listeners to what has to happen [for people] to get their jobs done is an important step.
Medical Device Risks
MCGEE: In addition to computing devices, mobile medical devices that are involved in patient care are also vulnerable to cybersecurity risks, such as hacking and malware. Any advice on what healthcare organizations should do to address those risks?
SWIRE: Increasingly, the things you never thought of before have chips in them. Refrigerators have chips in them. The carts to move people around in the hospital have RFID chips, chips for location finding. I think that if you have responsibility around devices, one thing to understand is what's networked. The stuff that's networked could turn out to be a back door into your network. Even for the things that aren't networked, a lot of the devices in the sensor-everywhere universe we're moving to don't have very good security built in. They often have default passwords set that are easy to guess. We're going to have to move up the learning curve for these kinds of devices the way we have for smart phones and the way we did before that for PCs and laptops - having basic security in place, having passwords and having inventories of devices. All of these things are basically learning to treat ... potential security flaws.
MCGEE: Any other tips that healthcare providers need to consider in terms of stepping up mobile device security when it comes to ID management?
SWIRE: I think one part of it is to have encryption in different settings that maybe haven't been implemented yet. For instance, mobile e-mail is something we're doing within Enlocked, a company I've become an adviser to recently, and it's really designed very much for smaller and medium-sized healthcare providers so you can have e-mail encryption in a very manageable way without having to have a huge IT department.
Sandboxing Mobile Devices
MCGEE: Finally, are there any promising security technologies or best practices for mobile devices that you think healthcare and other organizations should be paying more attention to?
SWIRE: I was recently at a meeting where people were talking about this, and the idea of partitioning and sandboxing to me is something that was not done a few years ago. People are right in the period now where they're starting to do it more effectively. It's a little bit like making sure VPNs are the way people get into the network. We have to have secure parts of mobile devices because it's going to be very hard to put security around the games and the other apps that are there. It's going to be very hard to white list all the apps. Finding ways to separate the work [data] from the rest of the phone is an increasing priority.
MCGEE: When it comes to the sandboxing, is that something that the mobile device makers themselves need to address or is this something that users of these devices can do?
SWIRE: The different operating systems vary in how easy it is. I've been told recently by somebody in the tech side that Apple and Microsoft phones are relatively strong on this, and that Android, because of the diversity in the ecosystem, is harder to manage in some instances. ... You have to be good shoppers about whether it's going to meet the high security standards that apply in the healthcare realm.