funsec mailing list archives
Re: [article] The iPad in the Hospital and Operating Room
From: James Philput <jamesphilput () gmail com>
Date: Fri, 21 Jan 2011 12:50:40 -0500
I'm in a similar situation. We're currently rolling out security policies for tablet devices, and have been getting a lot of pushback from the medical staff. The thing that seems to be working here is a combination of policy and education. We're allowing personal iPads to be used if the user agrees to let us install a basic security profile on the device. The standard profile includes the usual wireless, email and VPN settings that we give to other remote users, but it also forces stronger passwords and a shorter idle screen lock. Those settings, coupled with treating all of the iDevice/tablets as untrusted resources, have gone a long way toward making the things less of a security risk.

We've been trying to plan for more consumer devices on the network. It takes some effort and a bit more flexibility from a policy and procedure standpoint, but our willingness to work with the non-tech staff on this seems to have gained us a lot of good will. The users are much more willing to listen to why we don't want them to do something rather than just trying to find ways to evade us.

Regards,
James

On Fri, Jan 21, 2011 at 11:25 AM, Shawn Merdinger <shawnmer () gmail com> wrote:
> Hi Phester,
>
> On Thu, Jan 20, 2011 at 20:50, phester <funsec () armorfirewall com> wrote:
> > Yeah, but it illustrates a universal issue. If users can't do what they want over the network, they'll find a way around it.
>
> Exactly. This is great technology and enables medical pros to do more for patients. But it's also worth mentioning that security people can expect a great deal of pushback from medical pros when trying to assign the risk and place limitations on these kinds of consumer devices in a medical environment -- and believe me, they can be a tough group of articulate, forceful and powerful people to deal with. As a lowly network security monkey, I can vouch that it's no fun to go head-to-head with an MD with a Ph.D who brings in millions in grants to the organization and wants to use his fancy iPad or iPhone for medical work.
>
> And I would go even further in that the article mentions medical schools like Stanford issuing iPads to incoming med students beginning 2014. So we can expect an entire new group of medical pros who expect support and security with these devices.
>
> What's also interesting and a huge, undefined challenge is the blending of these consumer devices into medical devices. With the addition of medical image viewing software on the iPad, that device has now transitioned from a personal learning/entertainment platform to a bona fide medical device, which opens up many more questions in terms of organizational policy, data management/retention, and regulatory requirements (HIPAA/HITECH, etc.). After all, one can jailbreak an iPad by visiting a website, clearly there are risks to PHI on an iPad, no?
>
> Further compounding the issue are cloud applications, specifically the growing use of personal cloud services like DropBox. There's a great deal of uncertainty as to the DropBox use with medical information and regulatory requirements. For more than a year on the DropBox forums, folks have been going back and forth as to if this application meets regulatory requirements. But, as you note, people are going to do what they want, and this is reinforced by DropBox making its way into "Top 20 Lists" of apps for medical pros [1]. And with medical pros not fully understanding how personal storage cloud apps like DropBox actually work insofar as data retention and flow, we are facing tremendous challenges.
>
> "When asked about security concerns with the iPad, especially if one is left behind inadvertently, Dr. Feldman pointed out that as with everything web-based, nothing is stored on the device." [2]
>
> From a vendor perspective, there are huge opportunities in this space to provide workable security solutions for these kinds of devices and, as Bruce Schneier writes, the "Consumerization and Corporate IT Security" [3]. Bottom line is that we need these solutions to keep the management folks happy with their regulatory compliance goals, and to provide more assurance to network security guys like me who are sweating bullets and worrying in the trenches as we face irate medical pros with serious pull who expect us to not only secure these devices, but also take on the liability risks of data loss.
>
> > Said hospitals need to find a way to provide function securely. Solutions are out there.
>
> You mention there are solutions out there. I welcome further discussion, either off-list or on-list.
>
> Cheers,
> --scm
>
> [1] http://www.imedicalapps.com/2010/12/bes-free-iphone-medical-apps-doctors-health-care-professionals/19/
> [2] http://www.imedicalapps.com/2010/12/dropbox-osirix-ipad-radiology-images-operating-room/
> [3] http://www.schneier.com/blog/archives/2010/09/consumerization.html
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.