Friday, April 15, 2016

Securing healthcare? You need an MDM strategy, even for BYOD

Note, that while the title on this blog specifically mentions healthcare, this is applicable to all verticals.  While the referenced reports draw their data from healthcare, the problem of confidential data on mobile devices, whether enterprise owned or  BYOD, is universal.

A new report out from Skycure shows that doctors use their mobile devices to share information about patients - a LOT.  And when mobile devices can and frequently do go missing - that patient data goes missing with them.  If you are securing healthcare today, you need an MDM solution.

In 2015, 70% of doctors reported using mobile devices to manage patient data, many of which are BYOD.  The number of doctors managing patient data with mobile devices is rising every year, and will quickly near 100%.  The problem is getting worse, not better.

Two different recent reports, Skycure and Ponemon, found that a disturbing number of mobile devices are infected with malware.  The Ponemon study found that 3.2% of devices investigated had malware infections.  The Skycure study found that 4.2% of devices had malware.  Based on my experience investigating incidents with Rendition Infosec, I think those numbers are underreported.  But in either case, that's a huge number of malware infested phones processing PHI.

Perhaps the most staggering statistic is that 14% of doctors who store patient data on their devices don't even use a password.  Forget about trying to enforce strict security or complex passcodes when 14% of those who store patient data on their phones.

Everyone in security knows that no amount of policy can fix stupid.  You need technical controls to get compliance (and monitor compliance) from users.  Users should not be permitted to store company sensitive data on mobile devices unless encryption and passcodes are used.  Even then, phones should be monitored for malware infections.  Remote wipe should be enabled because users will lose devices.

Many clients we've worked with at Rendition Infosec initially discount the need for MDM based on a low reported occurrence of lost mobile devices.  But for one client who had months of wifi logs, we were able to identify a large number of users who had replaced phones over the previous 90 days.  The client talked with the users, many of whom confirmed that they were replacing lost devices.  Almost none of them had reported the previous losses to IT.

Bottom line, you need BYOD if for nothing else than auditing and accountability (and the all important remote wipe).  If you have questions about deploying an MDM or need help managing one, contact Rendition Infosec and we'll be happy to get you sorted and on your way.

1 comment:

  1. Using Kaspersky security for a number of years, and I would recommend this Anti virus to all you.


Note: Only a member of this blog may post a comment.