Lack of built-in security shouldn't inhibit PDA use.

This summer, information security gurus from a variety of industry sectors gathered to discuss how to solve the growing number of IT security concerns; securing mobile devices was high on the list. Unfortunately, some experts believe that the best way to protect your confidential information is not to put it on your PDA. Why? Because the devices lack built-in security. While this might work in industries that aren't reliant on constant data access to manage their businesses, it's simply not an option in healthcare.

As a former healthcare security administrator, I can tell you that this is the wrong approach, because, inevitably, someone with access to the enterprise will forget that what comes from the network must stay on the network. Further, mobility in healthcare is only now becoming a reality, and institutions beginning to reap the productivity benefits of wireless technologies would experience a significant setback if the data that could be transmitted on handheld devices were so severely restricted. Regardless of built-in security levels, doctors should not be forced to avoid transmitting or storing secure information on their handhelds when solutions exist to ensure the safety of both data and device.

Does Size Matter?

While small and compact, the new generation of handheld devices contains deceptively
powerful enterprise computing tools. Further, PDAs are subject to the same basic vulnerabilities as other computing platforms and therefore require enhanced security. However, because the handheld operating system is considerably smaller than that of a laptop, it is even more difficult for manufacturers to build in adequate security while maintaining computing power.

Mobile computing can be done securely with the right amount of risk management and the right application of security technologies. Securing information on a PDA, like any computing platform, needs to be handled with forethought. There are a number of good tools available that can provide layers of security to protect sensitive data. Use of personal firewalls, encryption of the data stored on the device and enforced passwords are all good ways to implement solid security protection for mobile computing without avoiding the transmission and storage of sensitive data on handheld devices.
The most important factor in securing handheld devices without inhibiting their use or adoption is the development of strong, enforced corporate policy.

Handheld Security Strategy

The healthcare industry is facing a major mobile security challenge: Leverage new wireless technologies to enhance mobility and improve productivity, but ensure that only authorized users make it through the front door. Meeting this challenge requires a well-developed security strategy for protecting handheld devices that connect to the enterprise.

Before designing a mobile security policy to meet the challenge, organizations should understand that using handheld devices does create a security risk. In fact, within minutes, a user can create an uncontrolled computing platform that can access an organization's proprietary information anytime, anywhere, opening a back door to the enterprise that unauthorized users exploit. What's more, because mobile devices are small and portable, they are easy to lose--potentially putting unprotected, sensitive corporate data into the wrong hands.

Additionally, it is critical to identify some key business issues--before setting forth on policy creation--including:

* Who should be authorized to use devices?
* Which types of devices should be authorized for use?
* Will the company provide the devices, or will users be authorized to bring their own devices and use them to access corporate resources?
* Which corporate resources will be available to handheld users?
* Which information is critical and needs to be protected?
* What implications will these decisions have on the organization's ability to ensure legislative policy compliance?

Follow Best Practices

When developing a mobile security policy in the healthcare arena, it is important to address the following issues:

* Supported technologies. This should include mobile device hardware, networking equipment (access points) and wireless applications.
* Confidential information. Specify which information is confidential and what can and cannot be stored on a mobile device.
* Privately owned hardware. Supporting mobile devices in the corporate environment will require policies that outline how to handle privately owned hardware versus corporate-owned hardware.
* Internet access. Using mobile devices to access the Internet and connect to the corporate infrastructure are key areas of concern. This includes allowing users to connect to the corporate infrastructure from a public access point, or connect from within the corporate infrastructure to the rest of the world. The same standard that applies to any other type of mobile user connecting remotely would apply to mobile devices.
* Device-level protection. Mobile devices are vulnerable to outside attacks, theft, damage or loss. Accordingly, an organization should implement the same type of security strategy that it would for any other type of computing platform on the network: strong passwords, file and directory level encryption, protection from attacks via outside networks, and security for file attributes
and directory-level settings.

A good information security process is implemented in layers, affording the maximum level of protection while still supporting the needs of the mobile work force.

Mapping Policy to Business Objectives

As with any emerging technology, the uses for and application of handheld devices will evolve with the organization's business needs and capabilities. Administrators in charge of creating and monitoring handheld security policies should revisit established guidelines frequently and adjust the policy based on usage trends. If the institution maintains and enforces timely procedures for handheld security, the organization can effectively minimize security risks and more fully reap the benefits that mobility offers to healthcare professionals and their patients.

Tom Goodman is the vice president of operations at Bluefire Security Technologies, Baltimore. Contact him at tom@bluefiresecurity.com