In this interview/podcast, HIT Consultant speaks with Tom Murphy, Chief Marketing Officer at Bradford Networks, about BYOD (Bring Your Own Device) in healthcare. This is part 1 of a two-part podcast series. In part 1, Tom discusses the following:
- Background/Overview of Bradford Networks
- What is BYOD?
- Security implications of BYOD in healthcare
- BYOD implementation best practices
HIT Consultant: Can you provide an overview of your background and Bradford Networks?
Tom Murphy: My background: initially I started within IT. I came out of the IT realm, built data centers, networks and security, mostly in the government space; I worked for government contractors that had a high need for secure networks and, obviously, for protecting information. I had a top secret clearance and did a lot of work with the NSA for many, many years. Then over time, what I’ve done is transition from leveraging that IT background to becoming more of a solution provider, and I’ve worked with many companies in the Northeast, relatively small companies, to establish a big presence, market their brand and communicate a compelling message and thought leadership to a customer base. So that’s my background.
Bradford Networks is a 10-year-old company that, in a way, has been doing BYOD for many, many years. The roots of the company come out of education, with students bringing their own laptops and devices to school. That’s been going on for years. What has happened recently is that different types of organizations are onboarding iPads, smartphones and other devices, some of them corporate-issued and some of them employee-owned. What Bradford does is provide a platform that provisions the right level of access to the network based on who’s connecting, what types of devices are connecting, when they connect and where they connect. So whether it’s wired or wireless, an iPad or a laptop, a doctor or a nurse or an administrator, and whether it’s working hours or after hours, we use those attributes to provision the right level of access to the right information within a healthcare organization, as an example. So that’s my background and that’s the background on Bradford.
HIT Consultant: For those not familiar with BYOD which means Bring Your Own Device in healthcare, can you please provide an overview of that?
Tom Murphy: So, as has been well known for many years, whether it’s healthcare or any other industry, the device of choice has primarily been an issued laptop or desktop that the organization has provisioned for the employee. What’s changed is a couple of things. One is the power of personal devices, the second is the cost reduction, and thirdly, the number of devices people are trying to retain or own is becoming overwhelming. So what’s happened is this consolidation and consumerization of IT, where employees have more and more requested, and are getting, the ability to use their own devices at work. Obviously what comes with that is increased productivity and reduced cost for the organization, but it comes at the price of potential risk and security challenges. So BYOD will be viewed by many as an enhancement to their day-to-day working environment from the user perspective, but from a compliance and/or IT perspective the risk has to be managed very, very closely.
HIT Consultant: What are some of the security implications of BYOD?
Tom Murphy: So, when an organization allows employees or doctors or even consultants to bring their own device, those devices tend to have less management. When they’re corporate-owned you can ensure patch levels, you can ensure anti-virus, you can ensure the device is a certain type and consistent. The minute you start allowing employees to bring their own devices, the variations kick in and the levels of compliance with your internal policies change. So, as an example of the challenges, let’s go back a few years. The initial driver for network access control was endpoint compliance, and that focused primarily on things like anti-virus updates, registry settings and patch levels, to ensure that the machine wasn’t introducing risks to the environment. Then over time, as consultants came on board and employees started to work more from home, the idea of guest management started to kick in. So when employees brought their own device or started to connect remotely, you saw a lot of talk about VPN access, which was a secure pipe into the organization. But even when you did VPN, you wanted to make sure that the devices that were connecting were clean and weren’t carrying key loggers or potentially malicious software. The third wave of network access control is really more focused on BYOD and consumerization. When these devices come in, the challenge runs the full range, from way back when we first introduced it, the question of: is it a clean endpoint? Does it have anti-virus? Does it have anti-spyware? Does it have the right patch levels, the right registry settings? But now we are going even further to ask things like, "Is the device something that we trust?" So the way we trust the device is by looking at who owns the device; we look at things like the MAC address.
We look at the user on the device, and when we look at all these attributes, with every single check that we make, we are increasing the trust of that device. What we are trying to eliminate is really two things; at the end of all these discussions about attributes it is, one, we don’t want information leaving the organization, so we don’t want data leakage onto a device that is potentially lost or stolen or just in the wrong hands. And the second thing is we don’t want unauthorized access into your electronic medical records; we don’t want someone picking up an iPad and using it for the wrong reason. So the fundamental things we are trying to protect against are data leakage out of the organization and unauthorized access into your organization.
HIT Consultant: And what are some of the best practices for combating some of those security implications that you just talked about?
Tom Murphy: Best practices: number one would be to register devices. So, again looking back at universities as an example, we have a lot of lessons learned and best practices that come out of the universities. When 30,000 students show up at school, there is really no possible way to stand in line and register the device. So what we’ve set up is, for example, portals. The portals are self-registration portals: when someone wants to use their own device, they can actually join a network and go to a portal, just like when you go to a hotel before you are allowed internet access, you go to a portal and, for example, type in credit card information or a room number. It’s a very similar idea with a registration portal: when you connect with a device, if the device is something that’s not known by the network, in other words if it’s your own device, we can force a registration process. What that forced registration does is make it no longer an unknown device on the network. It is actually known, because it’s registered: the MAC address is known, the person using the device, maybe the department they’re in; you can collect all this information. So the number one thing is registering the device and making sure that it is something that is now known to the organization. The second thing is, depending on the organization’s policy, you can validate a device so it’s low risk, so you can ensure that it is running anti-virus and running the latest version of the signature files, for example, and what that does is minimize the risk the device poses to the network. The third thing that we would do is dynamically provision access to the right virtual LAN within the network. So when someone joins, let’s say it’s a doctor and they’ve got their own iPad, we would detect the combination of doctor, iPad, the wireless access point they’re coming in through and, for example, time of day and other attributes, and we would provision the doctor the right access to information within the organization.
As another example, to counter that, let’s say the doctor takes that iPad and gets onto the guest network in the cafeteria. We can also, in a way, prevent that doctor from getting onto the guest network, because we now know that the doctor potentially has medical records on their iPad and we want to limit access to kind of internal, safe access to the corporation or to the healthcare facility using that iPad, but we also want to prevent the doctor from going out and browsing generic websites that are potentially malicious. So, if we come back: number one, we are going to set up a guest registration portal to identify every device. Number two, we are going to look at and ensure the device itself is protected with things such as anti-virus and anti-spyware. And number three, we are going to provision the right level of access into the organization based on the risk profile of the device, the user, time of day and the connection point. Those would be the three best practices.
HIT Consultant: You briefly touched on this with the second reason, but a recent HIMSS survey stated that only 38% of healthcare organizations have a policy in place that regulates the use of mobile devices. What are some best practices for creating a mobile device strategy and/or policy?
Tom Murphy: What we find is that the first thing organizations do is identify the sensitive information, in this case electronic medical records, and where those reside within the organization. Once they have a handle on the location of that sensitive data, then they segment access to the network. So segmenting access means they use virtual LANs, and a virtual LAN is restricted or contained; you can contain access. As mobile devices come onto the network, again coming back to the core: number one, is the device clean? What can we do to ensure that the device itself is protected? Number two, who is on the device? It isn’t just the device itself, and many devices are shared in healthcare. Who’s on the device is actually going to dictate what access should be given to that information. The third thing that is becoming very important is demonstrable compliance, whether it’s HIPAA or PCI or any compliance regulation. When you get audited or asked to reveal your policies and your enforcement, organizations have to demonstrate, number one, that they have a policy and, number two, that they are enforcing it; they can show the logs. So what we help with is, number one, allowing people to take a written policy and put that into something that is automated. Number two, whenever there is an audit or some kind of investigation, they can show that they are capturing every single user coming on and the devices that are coming on; they have an audit trail for when these devices connect or if they get rejected, showing that they can actually enforce their policy and that they are protecting information that is meant to be protected.
HIT Consultant: How significant is the impact on healthcare quality and business processes for healthcare organizations utilizing BYOD?
Tom Murphy: It really comes down to two fundamental changes; the information, for the most part, is probably available somewhere. What mobile devices do is allow, for example, a doctor who might be trying to explain something very technical or very sophisticated to pull the iPad out in front of someone and show them a diagram of arthritis or a heart condition, something that is easier to explain graphically to a patient. The second thing is that medical records or some critical information are easily accessible on an iPad right in the emergency room, where historically it may have been a reach, or there was just some latency associated with getting that information, because you couldn’t necessarily have a medical device right in front of you during a procedure or some other more complicated situation. So these devices are portable, very powerful, very graphical, and also the simplicity of the ability to clean an iPad is something that is helpful in healthcare, because an iPad may go from one room to another and you can spray it down or wipe it down; it’s not going to impede the performance or the availability of the device. So when we look at these devices it’s about timely access to information, it’s about powerful graphical capabilities that help explain details of something that might not otherwise be explainable, and also, as simple as it sounds, the cleanability of the device, the ability to actually clean that device, makes it a very powerful, portable device, used again specifically in the healthcare arena.
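The three-step access model Tom describes in the interview (register the device through a portal, check its posture, then provision a VLAN from user role, device type, connection point and time of day) can be sketched as a small policy engine. The Python below is an editor's added example and is not Bradford Networks' code or product logic; the VLAN names, the 07:00 to 19:00 working-hours window, the seven-day signature-age limit, the "guest-wifi" connection point and the sample devices are all constructed assumptions. It goes one step past the best-practices answer by recording every decision in an audit trail, which is the demonstrable-compliance point from the policy question.

```python
"""Toy network access control (NAC) policy engine.

Editor's added example, not Bradford Networks code. Every name, threshold
and sample input below is a constructed assumption.
"""
from dataclasses import dataclass, asdict
from datetime import time
from typing import Dict, List, Optional

WORKING_HOURS = (time(7, 0), time(19, 0))  # assumption: 07:00-19:00 is "working hours"
MAX_SIGNATURE_AGE_DAYS = 7                 # assumption: AV signatures older than this fail posture
GUEST_POINTS = {"guest-wifi"}              # assumption: connection points that are the guest network


@dataclass
class Device:
    mac: str
    kind: str                           # "laptop", "ipad", "smartphone"
    owner: Optional[str] = None         # None means it never went through the portal
    department: Optional[str] = None
    av_running: bool = False
    av_signature_age_days: int = 999
    holds_phi: bool = False             # known to carry medical records


@dataclass
class Connection:
    user: str
    role: str        # "doctor", "nurse", "administrator", "guest"
    point: str       # SSID or wired port the device joined through
    at: str          # local time of day, "HH:MM"


@dataclass
class Decision:
    vlan: str
    reason: str


_audit: List[Dict] = []   # stands in for the syslog/SIEM feed an auditor would ask for


def register(device: Device, user: str, department: str) -> Device:
    """Step 1: the self-registration portal turns an unknown MAC into a known device."""
    device.owner = user
    device.department = department
    return device


def posture_ok(device: Device) -> bool:
    """Step 2: endpoint compliance, anti-virus present with fresh signatures."""
    return device.av_running and device.av_signature_age_days <= MAX_SIGNATURE_AGE_DAYS


def decide(device: Device, conn: Connection) -> Decision:
    """Step 3: choose a VLAN from who, what, where and when. Every outcome is audited."""
    at = time.fromisoformat(conn.at)
    on_guest = conn.point in GUEST_POINTS
    in_hours = WORKING_HOURS[0] <= at <= WORKING_HOURS[1]

    if device.owner is None:
        d = Decision("registration-portal", "unknown device: forced registration")
    elif not posture_ok(device):
        d = Decision("remediation", "posture failed: anti-virus missing or signatures stale")
    elif device.holds_phi and on_guest:
        # The cafeteria case: a device holding records never lands on the open guest network.
        d = Decision("quarantine", "device holding medical records tried to join guest network")
    elif conn.role in ("doctor", "nurse") and not on_guest:
        d = Decision("clinical-emr" if in_hours else "clinical-limited",
                     "clinical staff, " + ("working hours" if in_hours else "after hours"))
    elif conn.role == "administrator" and not on_guest:
        d = Decision("admin", "administrative staff on internal network")
    else:
        d = Decision("guest", "default least-privilege network")

    # Audit trail: who, which device, from where, when, and what the policy did.
    _audit.append({**asdict(conn), "mac": device.mac, "kind": device.kind,
                   "vlan": d.vlan, "reason": d.reason})
    return d


def audit_trail() -> List[Dict]:
    """Return a copy of every decision taken so far."""
    return list(_audit)


if __name__ == "__main__":
    # Constructed walk-through of the doctor-with-an-iPad story from the interview.
    ipad = Device(mac="02:00:00:00:00:01", kind="ipad")
    print(decide(ipad, Connection("dr.jones", "doctor", "clinical-wifi", "10:00")))
    register(ipad, "dr.jones", "cardiology")
    ipad.av_running, ipad.av_signature_age_days = True, 1
    print(decide(ipad, Connection("dr.jones", "doctor", "clinical-wifi", "10:00")))
    ipad.holds_phi = True
    print(decide(ipad, Connection("dr.jones", "doctor", "guest-wifi", "12:30")))
    for entry in audit_trail():
        print(entry)
```

The ordering of the branches is the design point: the unknown-device and posture checks run before any role-based rule, so a doctor's credentials never earn a stale, unregistered tablet a clinical VLAN, and the quarantine rule for a record-holding device on the guest network is evaluated before the role rules so it cannot be bypassed by role. Each `decide` call appends one audit entry whether it grants or rejects, which is what an auditor asking for proof of enforcement would need to see.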
Part 2 will be posted soon.
About Tom Murphy:
As Chief Marketing Officer, Tom is responsible for the global strategy and execution of Bradford’s marketing efforts. In this role, Tom is focused on extending Bradford’s presence and relevance on the world stage, building and guiding Bradford’s global brand, to further the success of the company’s sales teams and partner ecosystem.
A 25-year veteran of the IT industry, Tom joined Bradford after five years as the chief strategy officer of Bit9, Inc., a security company that specializes in endpoint protection and application whitelisting. During his time at Bit9, Tom was awarded the Massachusetts Technology Leadership Council’s CXO of the Year award, expanded its global customer base from zero to hundreds of enterprise customers, evangelized around the world, and positioned Bit9 as the market leader in application whitelisting. Prior to Bit9, Tom held leadership positions at several highly successful software companies including Symantec/Relicore, BMC Software/BGS Systems and Precise Software Solutions/Veritas Software. While at Precise, Tom established leadership in the Application Performance Management (APM) market culminating with a highly successful IPO.