December 17, 2012
Bringing Your Own Device…In Health Care
By Michael D. Shaw
The acronym BYOB conjures up—for many—memories of parties that were short on liquid refreshment (since you had to bring your own beer or booze) but usually had more than their share of people ready to have a good time.
Of late, a new sort of “Bring Your Own” has appeared on the scene, as in Bring Your Own Device, popularly known as BYOD. According to a report written by David A. Willis, issued in August by Gartner, Inc., a Stamford, CT-based information technology research and advisory company:
BYOD is an alternative strategy that allows employees, business partners and other users to use a personally selected and purchased client device to execute enterprise applications and access data. For most organizations, the program is limited to smart phones and tablets, but the strategy may also be used for PCs. It may or may not include subsidies for equipment or service fees. [E]very business needs a clearly articulated position on BYOD, even if a business chooses not to allow for it. The policy must be easy to understand and follow.
In a press release announcing the report, Willis stated:
With the wide range of capabilities brought by mobile devices, and the myriad ways in which business processes are being reinvented as a result, we are entering a time of tremendous change. The market for mobile devices is booming and the basic device used in business compared to those used by consumers is converging. Simultaneously, advances in network performance allow the personal device to be married to powerful software that resides in the cloud.
Willis and other authorities have noted that BYOD programs usually do not reduce costs. Supporting the use of the devices means expenditures in software and infrastructure—and these don’t come cheap.
Then, there’s the matter of security. This column has harped on the burgeoning problem of medical identity theft, which far too often gets plenty of lip service—and little else. As consultant Andrew Barratt expressed a few months ago:
There have been lots of good reasons for not letting people connect whatever they like to the enterprise network. These have not changed, in fact there are more threats to the corporate computing environment than ever before with ever simpler attack vectors. However the BYOD brigade have charged on. What concerns me is not executives signing off risk, that of course is their decision, it’s whether they understand the risk in the first instance.
He imagines a doomsday scenario whereby malware on the brought device is able to detect whether it is connected to the home or business network, and thus operate intelligently based on that determination. As such, when the device is at work, it grabs credentials and downloads data with as much stealth as possible. When back at home, under a less than industrial strength intrusion detection system, the office data is then uploaded to the offender’s server. All of this occurs without the slightest knowledge of the employer, who instituted the BYOD policy.
Although Barratt is not the first to riff on the BYOD acronym—renaming it “Bring Your Own Disaster”—he did write a column with that title. The column ended as follows: “The BYOD culture reminds me of those days in primary schools where the kids all bring in a toy to play with. Everyone is impressed by the cool toys on display, and the older kids get to show off their latest action figures and video games but not a great deal of work gets done by anyone.”
Hard data on health care IT security breaches specifically caused by BYOD is not readily available. However, the appalling security record of the industry before BYOD was an issue does not exactly build confidence.
For sure, the naysayers have spoken, and will continue to speak out. Nonetheless, BYOD—as even they admit—is here to stay.
With any IT security threat come security solutions, and one of the up-and-comers is DME (Dynamic Mobile Exchange), from Excitor A/S, headquartered in Denmark. The company describes DME as “The perfect business solution for working securely with corporate email, calendar, contacts, to-dos, news feeds, HTML5 applications and intranets—all secured within a container on the device, without risk of leaking data to other apps and without the need to install and configure a full VPN.” As such, DME would seem ideal for BYOD.
DME consists of three major components…
- An advanced mobile device management system
- A secure applications suite with e-mail, calendar, address book, and documents
- A facility for creating a secure corporate app store
Among other features, the corporate container allows all corporate data on the employee’s device to be deleted remotely when he leaves the company, without affecting any of his personal data.
Perhaps, with BYOD creating thousands of potential IT security holes, the health care industry will finally take this situation seriously. One can only hope.