ONC Plans Mobile Security Guidance
Agency Targets Small, Midsized Healthcare Environments
While the Office of the National Coordinator for Health IT continues work on mobile device security guidance for smaller healthcare organizations, a researcher offers insights on steps these providers can take now to improve security.
"These devices were designed for a consumer market, and many of [them] shouldn't be used right out of the box," says Will Phelps, an IT security specialist at ONC, in an interview with HealthcareInfoSecurity's Marianne Kolbasuk McGee (transcript below).
Mobile devices, such as tablets and smart phones, require additional configuration settings before being used in the workplace environment, he explains. "Providers should become familiar with their devices' security capabilities."
Many of the devices include encryption that becomes enabled by setting a password, Phelps says. "Other devices offer similar features as well," he says. "Most users simply just don't know what options they have available to them."
In the interview, Phelps also discusses:
- ONC's process for developing best practices for smaller provider organizations to securely use mobile devices, such as smart phones, tablets and laptop computers;
- Why many consumer-oriented mobile devices aren't suitable for healthcare settings;
- Why providers need to learn basic data security maneuvers, including how to turn on the encryption that some mobile devices, including iPads, have built in.
Before joining ONC last year as senior IT security specialist, Phelps spent more than a decade in other IT security positions within the federal government and commercial sectors. That work included information security positions within the Federal Emergency Management Agency and the National Institutes of Health.
MARIANNE KOLBASUK MCGEE: Tell us a little bit about your organization and your role.
WILL PHELPS: I work for the Office of the Chief Privacy Officer within the Office of the National Coordinator for Health IT, and I'm the senior IT security specialist in this office. I'm charged with the security safeguards around protecting health information.
Top Mobile Device Challenges
MCGEE: What are the top challenges that smaller healthcare providers are having in terms of mobile devices and keeping patient data private and secure, and how do they differ from the challenges that larger healthcare providers face with mobile device security?
PHELPS: Normally small healthcare providers don't have a large IT staff or resources on-site to help them implement these types of technologies. And we've also noticed in our research that mobile devices don't normally ship with security programs like PCs do. And since these devices are not stationary, they're also prone to theft or loss. A lot of the time, the small providers don't really understand how to implement the appropriate security controls on these devices.
MCGEE: What has ONC's process been for developing its best practices on this topic for smaller healthcare providers?
PHELPS: Right now, ONC has several projects addressing the use of mobile devices in the healthcare setting. We currently have a project which is called our end-point configuration project. At the end of this project, we will release configuration settings for the small to moderate-size provider on how to configure mobile devices for use in a healthcare setting.
What we did was a field analysis to learn how health information technology is implemented in small to moderate-size practices. Once we finished our survey, we built a lab mirroring the implementations that we found and we installed popular mobile devices - smart phones, tablet computers. We even have some desktops thrown in there, as well as laptops.
Next, we studied the devices and their integrated or built-in capabilities in order to assess what security controls could be manually applied to these devices right out of the box. In phase two, ONC will retest the devices along with newer popular devices, adding the study of mobile device management tools into the equation to apply additional security controls.
MCGEE: Why will these best practices be important for smaller healthcare providers?
PHELPS: Smaller healthcare providers are responsible for maintaining and safeguarding patient health information. They can also exchange information with larger healthcare organizations and potentially introduce risk to sensitive or protected information if their computing environments aren't secure. It's sort of like you're only as strong as your weakest link.
Mobile Device Security Advice
MCGEE: What advice should smaller healthcare providers keep in mind now for mobile device security while ONC continues to develop these formal practices and guidance?
PHELPS: Providers should keep in mind that these devices were designed for a consumer market, and many of these devices shouldn't be used right out of the box in the workplace, and they require additional configuration settings before [they're] used in the healthcare environment. I would say providers should also become familiar with their devices' security capabilities. An example of that would be, from our research we learned that mobile devices, such as the iPad, have [their] own integrated out-of-the-box methods of encryption, and this is something that any user could turn on just by setting a password on the device, which triggers the encryption mechanism built-in. Other devices offer similar features as well. Most users simply just don't know what options they have available to them.
MCGEE: When do you expect the ONC to have its formal guidance on mobile security?
PHELPS: We will be releasing this guidance spring of next year.