MOBILITY ISSUE IN HEALTHCARE


Digital Security and Mobility in Health

Michael Aboltins, Technology Manager, Loop Technology

Graham Harvey, Security Engineer, McAfee

Agenda

8:45am Digital Security and Mobility in Health (Michael Aboltins, Loop Technology)

9:15am Networking & Light Breakfast

9:30am Technology Demonstration

9:55am Wrap-Up & Questions

10:00am Finish

Loop Technology approach to security

Experience in Health

The consumerisation of IT

‘The need to effectively respond to individual demand for use of consumer technologies and social interaction’ was highlighted as one of the 3 main predictions for 2011 by Gartner.

“Health organisations will need to expand their use of wireless/mobility solutions to accommodate an evolving high-performance workplace.” Key Issues for Healthcare Delivery Organisations, 2011, Gartner

2010 IDC Consumerisation of IT in Australia Study, IDC

The wave has hit ….

[Chart: use personal device for work vs. don't use personal device for work]

Consumerisation is well underway: 95% of the workers who responded to a recent IDC Australian survey have used technology they purchased themselves for work.

Mobile Computing in our pockets

Market Drivers

• Work/share/play anywhere

• No longer just a phone

• Social networking driving cloud computing

• New services e.g. GPS & Mapping

• Greater productivity

• Lower capex cost

• Benefits of “BYO computing”

Mobility in Health

Aim: Improving patient care

• Increased patient contact

• Increased access to information

• More informed care decisions

• Improved patient safety

• Patients getting better, sooner

• Improved efficiency

• Reducing administrative overheads

• Greater flexibility – both on and off site

• Making clinicians' lives easier!

Mobile Computing Applications

Medical professional tools

• Websites e.g. PubMed, Medical Journals & drug information

• Patient monitoring & care tools e.g. iSoft Mobile Patient Management, AirStrip Cardiology

• Health tailored apps e.g. radiology tools

• Medical instruments e.g. Ultrasound & Cardio

Mobile Computing Applications

Patient tools

• Diabetes training and information tools

• Drug feedback & reminder tools

• Other monitoring tools

Administration tools

• Timesheet applications

• Leave request & payroll tools

• Medical records and management

• Booking of hospital services

• Outpatient reminders & management

Mobile Computing Risk

• Patient privacy risk through loss/theft of data

• Vulnerable to threats - Malware

• Infection of other devices

Mobile Malware Growth by quarter

The number of new mobile malware in 2010 increased by 46% compared with 2009.

Source: McAfee Threats Report, Q4 2010

Mobile Risk – Risk vs Reward

[Chart axes: Risk, Functionality]

Mobility – Say Yes!

Mobile Risk

Mobile Threats by Hardware and software platform, 2009 - 2010

Source: McAfee Threats Report, Q4 2010

Mobility strategy

Policy

• Information Handling policy

• Acceptable Use Policy

– Personal equipment policy

• Access management Policy

– Contractor policy

– Home Computing policy

Technical Controls

• Central Management suite

• Point products

– Anti-virus

– Backup

– Location aware controls

• Data Loss prevention

– DLP clients

– Remote wipe tools

– Encryption tools

Training

• User awareness training

• Technical Security update training

• Product/solution training

Risk reviews

• Mobile computing review

• Firewall/gateway review

• System/mail server security review

• Vulnerability scan / Penetration testing

Mobility strategy - Policy

• Information Handling

• Acceptable Use

• Access Management

• Incident Handling

• Mobility/ BYO Policy

• Contractor policy


Mobility controls


Technical controls to lower risk

iPhone

• Enforce encrypted email

• Prevent jail-broken phones from connecting

• Able to remote wipe

• Reporting tools

All other platforms

• Above, plus:

• Anti-virus / anti-malware

• New tools as they become available

Reduce risk with EMM

Risk without EMM

Risk with EMM deployed

Point products, AV etc.

Networking Break & Light Breakfast

9:30am Technology Demonstration

Graham Harvey, Security Engineer, McAfee

McAfee Enterprise Mobility Management

Securing Mobile Applications

Empowering Enterprise Mobility

• Secure

– Manages native security settings

– Enforces device compliance

– Extends the security infrastructure via ePO

– Integrates with the data center

• Easy

– Simple administration and reporting via ePO

– User self-service provisioning

– Device personalization for user productivity

• Scalable

– Scales to 10s of 1,000s of devices

– Supports HA and DR configurations

[Diagram labels: Enterprise Environment: Database, Files, Directory, Applications, Certificate Services, Messaging; device platforms: Symbian, Android, webOS, BlackBerry, iPhone, iPad, Win 7 & WinMo; McAfee EMM; VPN]

April 11, 2011

The Right Life Cycle for Mobile Device Management

[Life cycle diagram (ePO): Provisioning; Security & Authentication; Policy Management; Compliance; IT Operations Support; Application Management]

Provisioning

Define security policies, network connectivity, and resources; users self-service provision for automatic device personalization.

Security and Authentication

Enable devices to strongly authenticate against Microsoft CA. Supports two-factor authentication.

Policy Management

Remotely perform helpdesk tasks and push security policies and configuration updates over-the-air.

Compliance

Automatically check devices prior to network access.

IT Operations Support

Visualize and manage devices centrally through McAfee ePO integration.

Enterprise Application Management

Make apps available in a secure, role-based way. Offer apps for download, links to third-party app stores, and web links.

Self-Service Provisioning for iPhone

Easy, Secure, Automated

1. Go to the App Store

2. Enter Your Email Credentials

3. Agree to Corporate Policy

4. IT Services are Auto-Provisioned

[Label on slide: optional]

Self-Service Provisioning for Android

Easy, Secure, Automated

1. Go to the Marketplace

2. Enter Your Email Credentials

3. Agree to Corporate Policy

4. IT Services are Auto-Provisioned

Industry-Standard Security: Microsoft Certificate Authority

Industry Standard PKI for Strong Authentication

Benefits:

• Industry-standard security

• Strong authentication for secure access to communications services such as Wi-Fi and VPN

• Strong authentication for secure push email and other applications

• Single sign on for enhanced user experience

• No impact on battery life

Enterprise Application Store

• Recommend and make applications securely available based on group, role, or device type.

– Custom corporate applications

– Third-party applications (Apple App Store or Android Marketplace)

– Webclips

• Device application inventory, audit, and policy management

Centralized Visibility and Control with ePO

Compliance reports are based on systems we know about

What we don’t manage is where compliance status is unknown

Bringing all endpoints into compliance status view is critical to assessing risk and prioritizing actions

Security Solutions for Consumerization of IT

Consumerization of IT: Laptops and Desktops, Virtualized Desktops, Mobile Devices

Network Access Control: McAfee NAC Appliance / Network Security Platform

Managed / Un-Managed

McAfee MNAC, McAfee MNAC, Suites, Encryption

McAfee MOVE VDI

Web Applications & DLP: McAfee Firewall / Web Appliance / Network DLP

Security Infrastructure: McAfee ePO, Endpoint, Network, Content, Compliance Portfolio

McAfee EMM and WaveSecure

BYO / IT Issued


SECURE MOBILITY STRATEGY

Questions?