DOC RABE Media - Fotolia
Fairview Health Services has a pressing need to give its workers access to information wherever they are: If the right data doesn't get to the right person instantaneously, someone could die, said Barry Caplin, vice president and chief information security official for the Minneapolis-based nonprofit healthcare organization.
To ensure that instant access, Fairview has about 3,500 mobile devices deployed through the organization, including both enterprise-issued and employee-owned devices of various brands and operating systems. The number is growing, as more of its 22,000 employees go mobile.
At the same time, Fairview must contend with the significant security concerns imposed not only by their own data privacy standards but by regulatory privacy requirements such as HIPAA. But as the organization's CISO, Caplin knows that 100% security doesn't exist.
"The perfect solution would be not to be mobile. But that's not practical," he said.
Governance challenges are growing as more employers adopt processes that allow mobile devices to perform work tasks. Workers no longer use devices to just check emails and their calendars. As devices are used for increasingly complex processes, data becomes more vulnerable to loss. To keep pace, IT and security executives must develop comprehensive mobile security postures and implement stronger technology solutions to face the new governance challenges.
Unfortunately, that's easier said than done. That's because organizations must develop high-level ideas that focus on people and processes first, Caplin said.
"There is a lot in security that's conceptually simple, but the operational, the boots-on-the-ground stuff is very complex," Caplin said. "We can't just slap on a solution because if it doesn't mesh with how people work day to day, then it's not going to work."
Establish appropriate mobile data use
Caplin has taken a multipronged approach to mobile data security at Fairview, where clinicians use tablets to share healthcare information with patients and mobile devices to input clinical data when they visit patients in their homes.
That multipronged approach includes policies that establish appropriate mobile device data use. For example, employees can't share patient information via text because it's unsecured. Employees also receive regular training on these policies.
Caplin uses a virtual interface that keeps the data workers enter onto their computers (whether a desktop or a mobile device) off the actual device. That means, Caplin explained, that if a device gets lost or stolen, there's no data loss for the organization.
He admitted, however, that that approach doesn't work for all his employees, notably the clinicians who provide in-home care. Those clinicians store data on the devices that later gets synced, so Caplin layered in encryption, mobile device management, mobile application management and enterprise mobility management tactics.
Despite the trend toward ubiquitous mobility and the growing IT security concerns that come with it, organizations have been slow to adequately address mobile data security. There are various reasons for the trend: Mobile tech advancements put pressure on organizations to adopt them quickly and often without a full security evaluation. Downloading mobile apps without IT approval is also easy and creates plenty of avenues for data to leak.
Then there's the fact that there has yet to be a major headline-making data breach involving smartphones or tablets.
On the other hand, Zumerle said mobile data security products are maturing as vendors address how to better mesh security measures with user-friendly functionality. Vendors are adding new features such as cloud access security brokers to the market. Organizations are also using advanced IT analytics to detect anomalies in user behavior that could alert them to vulnerabilities.
Modern mobility creates new governance challenges
There are certainly plenty of these potential vulnerabilities, according to Nisha Sharma, managing director of mobility at Accenture Digital. Workers could be using apps with little or no security protection, particularly if they're using apps without any IT review that could introduce malicious code onto their devices. These apps could also be transmitting information on insecure networks.
Then there's the potential for what Sharma called "data leakage," where bits of corporate information flow through devices without any corporate knowledge or oversight. These leaks are often through text, screenshots, photos and even audio recordings. Not only do those types of content generally reside in unsecured areas, but IT departments can't see or track them either, she said.
Getting a grip on how data moves via mobile is a challenge, however, because it's hard to know how to secure data without visibility.
"IT has no idea that the information is out there on the device," said Chris Hazelton, research director for enterprise mobility at 451 Research.
Leading executives are working on that, though.
Larry Biagini, CTO at GE, said about half of the company's 300,000 employees use mobile devices. They use a combination of company- and employee-owned devices, including a mix of tablets, smartphones and smartwatches that run on various operating systems.
"Not unlike everybody else, we do use a mobile device management platform, but that's table stakes. And we don't believe it's the ultimate solution," he said. "We want to understand what devices people have, how they're connecting to our network, what apps they're running, and we want to be able to wipe them remotely."
Biagini said GE runs regular training and employee education to keep workers informed of what they should be doing to keep data secure. The company also uses technologies designed to protect data without hindering users. Biagini pointed to the fact that workers can securely access internal GE apps with a simple authentication and without going through a VPN because GE's systems recognize the device.
"We truly believe that the big piece of the solution we need to provide is an API gateway for all types of applications, so you're not running apps but making requests for services, so we can decide who you are, what device you're on and where you are in the world," he added.
The strategy is a good balance between the value of a mobile workforce and reducing the security risks that stem from it, Biagini said. Is it foolproof? No, but as Biagini noted, nothing is when it comes to data security.
"It's where you put the risk bar, that's what we have to spend a lot of time on," he said. "And if we can get visibility, know what we want to allow based on our risk bar, we get closer to that balance."
What works for mobile data security … and what doesn't
Pulse Secure CEO discusses what's lacking when it comes to mobile security