Contributed by Carl Cresswell, CTO at Clinithink on consumer technology in the healthcare enterprise
In recent years, the technology landscape has been dominated by innovations aimed at consumers. Instant Messaging (IM), Voice Over IP (VOIP), smartphones and social networking have become universally available and transformed the way many of us communicate with friends, family and even colleagues. The result is a growing expectation among the “tech savvy” that such technology is not only available to them within the corporate setting but that it is actively used to support and conduct business.
My family and I are prolific users of technology and I often find myself using the expertise I have built up over a lengthy corporate IT career to help make effective decisions about the use or acquisition of such technology. With this split personality, the fun side of me gets to test out the great new features or play games on new devices whilst the serious and practical side of me is asking questions like “How secure is this product?”, “Does it expose my family to dangerous content?” and above all: “Is my data safe?”
This expectation represents significant challenges to CIOs across the business world but for the Healthcare CIO, a number of additional, unique challenges exist. Privacy and confidentiality requirements, such as the HIPAA Security Rule (US Department of Health & Human Services, 2003), place specific constraints on Healthcare CIOs which can indirectly prevent or restrict the use of such technology in the Healthcare enterprise. For example, the protection of electronic personally identifiable healthcare information (e-PHI) requires an organization to “implement hardware, software and/or procedural mechanisms to record and examine access and other activity”. The implication of this kind of constraint, which is entirely right and proper, is that a level of governance over the entire information lifecycle is required. In other words, if “unknown” devices are used within the network, you do not necessarily have a way of maintaining an audit.
As a result, Healthcare CIOs often resort to measures which many view as “Orwellian” or even draconian: many employees might use equipment or services successfully for a period of time before IT finds out and implements measures to disable it within the organization. A game of “cat and mouse” ensues with users finding new and increasingly innovative ways of accessing technology while the IT team attempts to control its use.
A one-size-fits-all approach to Information Security does not exist, and that has never been more true than now, given the speed and prevalence of consumer technology adoption within the Healthcare enterprise. Whilst the IT department battles constantly against the vast array of threats to Information Security, an ever-baffling array of new devices and technologies is connecting to the corporate network, each of which presents its own risks. Half of the most significant data breaches in 2011 occurred in healthcare (Privacy Rights Clearinghouse, 2011) and yet the healthcare industry is embracing these devices faster than a number of other sectors. Does that represent a recipe for further increases in the number of breaches in 2012?
Each organization must develop its own security measures to meet regulatory compliance whilst at the same time balancing its specific needs for productivity, efficiency and response to change. While the technical debate rages on about which approaches or technologies balance these tensions most effectively, the reality is that diligence and education are the factors which will contribute most to reducing security breaches or their impact.
CarrierIQ (Wikipedia, 2012) hit headlines recently for being buried, at manufacturing time, in the core software of a number of widely available smartphone handsets. Few people were really aware of what it was, what it actually did or indeed what it might have been capable of, and the vendors themselves remained quite tight-lipped. Researchers discovered that CarrierIQ was able to send some of your data off the device to other organizations without having had explicit permission from the user. This is just one example of an increasing trend in new software or services being made available which store some of your information on other systems without you necessarily being aware of it or what the security or privacy implications are for that data.
However, evidence (Good Technology, 2011) suggests that organizations are often embracing consumerization as a direct result of intervention when a senior executive finds their device cannot be used on the network. The individual is most often focused on productivity when they make technology choices but the organization has to consider many other factors when making its decisions, not least of which is the impact on the availability, reliability and security of the organization’s information systems. Perhaps the organization would make a compromise on one of these areas intentionally in order to accommodate the productivity needs of the executive but increasingly additional infrastructure technology is also being deployed in order to facilitate the change.
When a user chooses a particular smartphone or tablet device they will nearly always focus on the productivity gains they expect to get, the desirability of the device in question and perhaps the form factor but they are unlikely to have any awareness of what their choice means in terms of the impact on their privacy or security.
When we think about the evolution of the modern PC environment, particularly in the Enterprise, we have reached a state where malware in all its forms can be well controlled by corporate IT departments. The reasons for this ability are two-fold. Firstly, the market has matured substantially and many vendors have introduced solutions to help: management systems, firewalls and anti-virus software are just some of the many and varied examples introduced throughout the history of the PC. Secondly, users have become fairly well educated in how to behave to ensure they don’t become exposed.
In the domestic environment by contrast, I’m often asked by friends or relatives to help them fix their slow home PC or laptop. Inevitably I find that their anti-virus software is out of date, disabled or has been removed, illustrating how much users of consumer technology assume that all of these things are automatically taken care of for them. This combination of an “it just works” attitude to new and emerging devices coupled with the immaturity of the technology itself is probably going to result in a very significant breach in the not too distant future.
The vendors of the technologies themselves aren’t resting easy either, often reacting to fix a newly identified problem within hours, creating ever more ingenious ways to protect their devices and by implication their reputations. But it doesn’t follow that just because a vendor releases a new software patch or piece of advice that the consumer user has applied it to their particular device. The user would therefore still be exposed for months or sometimes years at a time and we only need to look at some of the Internet worms of the past to get an illustration of the impact of failing to patch systems. So what can I do as a consumer to protect myself?
- Think about the implications of “clever” features on some devices. These kinds of features are often sending data off your device to be processed on other systems so make sure that is what you intended.
- Favor devices or technologies that support encryption of your data. If you store sensitive data on your smartphone or tablet and it isn’t encrypted someone else can have access to all that data within minutes if you leave your smartphone lying around.
- Identify the kinds of device lock features available on your devices and ensure they are used.
- Think “outside” the PC when considering security software or services that you use – a service like OpenDNS helps you block access to Malware without any special software needing to be on the device.
- Review privacy policies of services you use to help you understand how your data will be used by the service – free services will often use your data to help target you in marketing campaigns which you need to be comfortable with.
- Be diligent: use proper passwords on services and maybe think about using a password management system. You might think your Facebook password wasn’t all that important when you first created it but these days that password can be used to provide access to a number of other services.
- Above all, stay educated.
If you are a CIO, on the other hand, what can you do to mitigate the extra risks associated with these emerging technologies?
- Get close to your users to understand the value proposition to them for a particular device or technology.
- Maintain awareness of emerging technologies and the associated impact on your IT infrastructure and policies.
- Focus on communications both with respect to risks and issues but equally on best practices.
- Identify the key “tech savvy” users in your organization and build trust; they will spread your message rather than telling everyone how to get round the security controls.
Whilst the vendors and researchers will pursue ever more ingenious solutions to the problems associated with consumer technology in the enterprise, one of the most important aspects of maintaining a secure and reliable IT infrastructure is knowledge and education. As users and consumers we should sufficiently empower ourselves to understand the implications of the technology choices we make and consider all of the factors, not just which gadget is the trendiest. As professionals in the IT industry we should be ensuring not only that the technologies we build have incorporated security and privacy principles into the design from the outset but also that security and privacy are transparent, risks are effectively communicated and best practices are made easy to adopt.
About Carl Cresswell:
Carl Cresswell is a software specialist with 14 years’ experience in commercial software products and solution delivery. For the last 12 years, Carl has led development and architecture teams in the healthcare sector at ITS Wales, InHealth Solutions, Torex and iSOFT. Recognised as an industry expert in enterprise healthcare systems design and implementation, Carl joined Clinithink in 2009 as Chief Technology Officer. Carl now leads Clinithink’s technology innovation strategy and ensures that the company delivers secure, reliable, robust and commercially attractive solutions to the market.