4. LANDesk White Paper | Mobile Device Management for Healthcare

Introduction

Mobile devices have taken off in healthcare organizations, where doctors and other medical staff use smart phones and tablets to access everything from email to health reference materials, electronic health records, medical imaging, and patient survey applications. Mobile devices perform a host of medical, technical, and administrative functions, including communicating medical information to patients and families. Thanks to the freedom and fast information access enabled by wireless communications, tablets have even begun to replace patient workstations for accessing and entering patient care information in IT healthcare applications.

A recent survey by Manhattan Research found that 75 percent of American physicians own some kind of Apple mobile device and 81 percent use some kind of smart phone—Apple or non-Apple—up from 72 percent the previous year.[1] Thirty percent of doctors use iPads to access EHRs (electronic health records), view radiology images, and communicate with patients. An additional 28 percent plan to buy an iPad within the next six months, according to the report. Other studies have found similar results among nurses and other healthcare employees and have linked use of mobile devices with job satisfaction.

The benefits of mobile devices in healthcare are significant. Healthcare professionals can collaborate and access information wherever and whenever the need arises, rather than having to wait to get to a conference room desk phone, PC, workstation, or file cabinet. The result is faster, often better decisions and more efficient patient care.

As with business enterprises, healthcare institutions are undergoing the consumerization of IT. Rather than looking to IT for mobile devices and connectivity, healthcare professionals increasingly take their personal iPhones, iPads, and other mobile devices to work and expect to be able to use them freely in the medical care environment. Corporate-procured Blackberry smart phones and even workstations, laptops, and desktops are giving way to user-owned iPhones and iPads. With more and more medical schools integrating mobile devices into the curriculum as well, it’s likely that mobile device use in healthcare environments will continue to grow and job choice and satisfaction among younger health professionals will increasingly be tied partially to the use of the latest mobile technology.

Daunting Challenges for Healthcare IT

Mobile devices and platforms represent significant challenges for healthcare IT, however. Regulations such as HIPAA and HITECH require healthcare organizations to take responsibility for managing, securing, and protecting confidential patient information and for reporting any breaches that take place. The consequences of a breach can be immense, including steep fines and devastating publicity, not to mention the significant costs incurred in understanding what was breached, who saw the data, risks, and remediation.

Unfortunately, without the right kind of guidance and management, personal mobile devices can cause absolute chaos when it comes to confidentiality. Challenges include:

Asset Lifecycle Management—When users feel free to bring their own devices to work, it can be difficult or sometimes impossible to discover, track, and secure them against the constantly changing threat landscape.

User Management—IT can’t depend on doctors and staff to use their devices wisely, as many are ignorant of device security, privacy, and compliance risks, not to mention how to protect mobile devices and the information stored on them from hackers and theft.

Many unwittingly store confidential information on their tablets or smart phones without any encryption or other form of protection, or use them to send and receive email and file attachments containing sensitive information. Others use file sharing applications such as DropBox to store and transmit information or unsecured personal email services that lie outside of the institution’s messaging and security infrastructure. Users may also take advantage of unsecured wireless WiFi connections in coffee shops, hotels, and other environments to transmit information, not knowing that hackers regularly frequent these establishments to penetrate the devices of unwitting users.

Other hazards are caused by users unknowingly downloading malware-laden mobile applications, accessing infected Web sites, or using text messaging in ways that introduce malware into their devices or open doors for hackers to penetrate devices, networks, and centralized data stores.

Device Loss and Theft—Mobile device loss and theft, including those involving laptops, are the single greatest cause of data breaches at large healthcare organizations, far more common than hacking incidents.

[1] Taking the Pulse U.S. Annual Market Research Study v11.0, Manhattan Research, May 4, 2011
4 www.landesk.com

Platform Complexity—While servers, PCs, and laptops run on a few longstanding, seasoned operating systems familiar to IT, mobile devices run on a variety of newer, less seasoned operating systems, including iOS and Android. The newness and openness of Android represents a particularly thorny security problem for IT, with Android devices under increasing attack in the past several months.

The Solution: Discover, Extend, Secure and Empower

Unfortunately, simply forbidding or severely restricting mobile or personal devices in the work place is not an option for healthcare institutions if they seek to hire and retain younger, tech-savvy doctors and medical personnel or compete with their more technologically advanced cohorts. Not to mention that many employees are likely to bring in their mobile devices anyway and use them as they wish. Simply forbidding these devices makes it impossible to manage and secure them–and the information they contain.

Instead, the solution for most healthcare organizations today is to embrace their employees’ mobile devices and platforms and use the right combination of policy education and effective tools to manage, secure, and protect confidential information. In order to do so, IT needs to accomplish several tasks:

Know what you have—First, IT must have a clear picture of what mobile devices and mobile device platforms are used by employees. This can be a difficult task when workers bring in personal devices for both work and personal use. Most likely IT will need to meet with each department in the organization to get a feel for what devices are being used. It’s important to strike a positive attitude that lets users know that the goal is to embrace, empower, and secure mobile devices, not restrict them or punish their users.

Know how mobile devices are used—Are employees using their mobile devices to access organization email, electronic medical records, private patient information, patient surveys? Are they accessing personal email services, social networks, potentially insecure Web sites? Are they storing patient information on their devices? Are they downloading consumer applications? Do they have any awareness of the need for and ways to protect confidential patient information on these devices? Are they using public WiFi services?

Know your data—What healthcare information must have maximum protection? Where is it stored, and how is it accessed? What data needs a medium level of protection? Who should have access to this data and who should not?

Know your infrastructure and its vulnerabilities—How does the organization protect confidential information today? Where are the unique vulnerabilities posed by mobile devices and which of these are the most hazardous?

Know the risks—What are the overall and unique security risks of each mobile device platform? What are the risks of patient information breaches caused by storing user data on mobile devices, or by using personal email, public WiFi, or personal applications? What are the likely threats to your organization’s mobile devices and confidential information? If a breach were to happen, what would the likely costs be to the organization? It’s important to factor in less tangible yet genuine costs such as damage to the institution’s reputation or remediation costs of a breach.

Policy, Tools, and Education

Once IT has a handle on the use and risks of mobile platforms in the organization, the next step is to craft a strategy for mobile platform security and data protection.

Sometimes the best way to craft a strategy that balances the mobile needs of employees with the compliance, security, and data privacy needs of the organization is to form a mobile security strategy task force that includes representatives from IT, affected departments, and legal counsel.

Most effective mobile device security strategies consist of a combination of policy, education, and tools.

Policy

Your mobile security policy should integrate with your overall organizational security strategy. Organizations should already have policies in place that spell out which employees and employee roles are permitted access to which categories of information and what they are allowed to do with it, including emailing or sharing it digitally in other ways.

Your mobile security policy should add policies that spell out:

- Which mobile platforms, such as laptops, tablets, and smart phones, and which operating systems, such as iOS and Android, are permitted in the healthcare environment and who is permitted to use them.
- Requirements for users to register their mobile devices with IT.
- What information if any can be stored on employees’ mobile devices and what protections such as passwords, encryption, VPNs, backup, etc. need to be implemented to protect this information.
- Rules for accessing the Web over mobile devices and downloading and using health and non-health related applications. Some organizations may want to publish a list of approved and unacceptable mobile applications or even provide their own organization app store where users can download new applications.

Users should also be put on notice to:

- Always keep mobile devices within their sight.
- Report device loss or theft to appropriate staff immediately. Mobile device users are known to spend hours or even days trying to locate missing devices before reporting their loss.
- Never share their devices or device passwords with anyone else.
- Never connect to the corporate network or transmit healthcare information of any type over insecure WiFi networks without using virtual private networking or other tools that secure data in transit.
- Never transmit sensitive information over unsecured personal email or data sharing services, either in the form of text, attachments, or information cut and pasted from sensitive documents.
- Keep Bluetooth out of discovery mode when not in use.
- Understand that jailbroken smart phones or tablets will never be allowed in the organization.

IT should also have policies for locating and wiping lost or stolen mobile devices and protecting mobile devices from malware. As with any other IT assets, policies should be in place for addressing security when employees leave the organization.

Education

Policy is not very useful if it’s not backed up with an effective employee education program. Mobile device users must be educated in depth about the security challenges posed by mobile devices in the work environment and proper measures they must take to address them. They should understand the hazards of device loss and theft, data leakage, and malware, as well as the data security and privacy requirements and related penalties of HIPAA, HITECH, and any other relevant regulations.

It’s important to demonstrate in a tangible way just how damaging breaches can be by relating stories about organizations that have been breached and the actual devastating financial and other impacts of those breaches. Keep users aware of breaches that make the news. Make sure you repeat education on an ongoing basis and educate new employees and mobile platform users as soon as possible.

Users must also be educated at least annually about your organization’s mobile security policies and the user responsibilities spelled out by them, as well as any penalties that can result from disobeying security policies. If you don’t want users simply tuning out and doing as they please, make sure you balance this education with a positive attitude that recognizes users’ needs and the obvious benefits of mobile platforms.

Mobile Device Management Tools

Policies must not only be spelled out, they must be enforced. Unfortunately, users tend to do things for the sake of convenience that run counter to your organization’s security policies. That’s why it’s important to put the appropriate tools in place to enforce company policies and to discover, manage, and secure mobile platforms.

The first line of defense in any environment incorporating mobile devices and platforms is an enterprise mobile device management (MDM) solution. MDM systems provide a host of tools for identifying, managing, and securing mobile platforms of all types and their users. Some of the features of an effective mobile device management platform include:

Discovery—The ability to discover all mobile devices and platforms that connect to the corporate network and create a device inventory database that can be used to manage these platforms over their entire lifecycle. The application should not permit users to connect their devices to the network or messaging systems until they are approved and properly registered with the MDM system. The MDM system should be able to easily grandfather existing platforms as well.

Extended Hardware and Software Inventory—including memory, batteries, installed applications, policies, and network information.

Mobile Platform Diversity—The best mobile device management systems cover all the most popular mobile platforms and operating systems, including Blackberry, Apple, and Android tablets and smart phones, and can take advantage of each mobile platform’s native OS policies, security features, and other capabilities.

Easy Self Enrollment—Users are able to enroll with the network directory, such as Active Directory, and the MDM system themselves after which the system configures the user and device and implements appropriate security policies automatically. Some MDM systems provide access to a company app store, similar to Apple’s app store, where users can download a management agent and other approved applications and enroll without the help of IT.

Zero-Touch Management—The ability to execute management functions, including software distribution, WiFi and messaging configuration, and administrator updates across mobile platforms from a central console, without any need for physical access to the devices themselves.

Workforce Segmentation—based on user roles, multiple responsibilities, and corporate policies, with appropriate control of access to corporate information, content, and applications based on these roles. This MDM solutions element helps organizations implement a solution that is not a one-size-fits-all model, allowing effective segmentation based on the role of the end user within your organization.

Self Service Application and Content Portal—Some MDM platforms offer secure corporate portals that enable employees to access approved and in-house applications, as well as files, videos, and other safe information and resources the organization desires to make available to mobile users. In environments that require the absolute highest level of confidentiality, it’s useful for the MDM system to have the option of streaming all content to each device so that confidential information is never stored there and susceptible to theft or loss.

Phone Location—The ability to track and report device locations and provide a location history that can be useful in tracing the device in case of loss or theft.

Remote Lock, Password Reset, and Wipe—The ability to automatically lock a lost or stolen device remotely and eliminate any sensitive information stored on it.

Remote Notification—that can alert all device users to the availability of new resources and any required user actions through its own application portal.

Jailbreak and Rooting Detection—The ability to detect jailbroken or rooted mobile devices to determine if the device is compliant, if any action should be taken, or any policies should be invoked.

A Controlled Browser—for launching links and limiting sites users can access based on corporate policy and security and compliance requirements.

Encryption—of any sensitive information in transit and at rest.

LANDesk Advantages

Several MDM solutions are available on the market today, each with its own set of features and capabilities. LANDesk® Mobility Manager stands out as a market-leading solution from a software vendor that can boast 25 years of stability, experience, and IT systems management expertise controlling and managing desktops and laptops—and more recently the mobile devices users increasingly carry.

LANDesk Mobility Manager offers the best of both worlds—the ability to apply discovery, inventory, security, and management capabilities to mobile devices from a single, easy-to-use console, while enabling IT to offer self-service options to users within the LANDesk application portal. This portal serves as a repository for apps, files, videos, and other corporate resources that your users can access without submitting to, or resorting to the horizontal app stores such as iTunes and Android Marketplace. This capability is essential to controlling and securing applications in a healthcare environment.

Organizations can use the same LANDesk console and database to manage smart phones and tablets that they use to manage desktops and laptops. This level of integration translates into significant total-cost-of-ownership advantages. According to IDC, the use of LANDesk as a comprehensive hardware and end-user management system can save more than $23,000 per 100 users per year.[2]

There’s no need for IT to develop a relationship with another management vendor and provide the requisite training and resources for an entirely new platform, with its own unique issues and quirks.

[2] Gaining Business Value and ROI with LANDesk Software: Automated Change and Configuration Management, IDC, January 2011

As shown below, LANDesk Mobility Manager simply installs on top of a LANDesk Management Suite 9 core server, plus the addition of the cloud-facing components in the DMZ and the LANDesk mobile device management server. The same, familiar console is used to manage the new devices.

Conclusion

Mobile device platforms in medical environments are here to stay given the advantages for patient care that are impossible to ignore. At the same time, patient privacy and confidentiality requirements of HIPAA, HITECH, and other regulations present significant challenges to the use of mobile platforms in a secure fashion that protects patient confidentiality and ensures compliance.

Mobile Device Management platforms provide one of the principal ways to meet these challenges while empowering healthcare employees with all the convenience and patient care advantages today’s mobile platforms offer. With LANDesk, the user is the endpoint, not the device. A user-centered, policy-based approach is more logical and far less cumbersome than a device-centered approach in today’s typical work environments where each user connects to the network with multiple devices.

LANDesk Mobility Manager provides a full-featured, integrated mobile platform management solution. Healthcare institutions can manage and secure all their users’ desktops, laptops, and mobile devices effectively for the lowest possible capital and operating costs.