“They are putting work and patient information on the devices,” says Tom Walsh, president of Tom Walsh Consulting LLC, a health information security firm. “How in the world are we going to enforce security?” That question is the focus of a roundtable session that Walsh will moderate with Dennis Seymour, senior security architect at ELLUMEN, a health information technology services vendor, at HIMSS12 in Las Vegas.
They’ll talk about three basic policies, or security controls, that have to be in place: start-up password or PIN, automatic log-off and encryption. “A policy is like a speed limit on the highway; it’s more like advice unless enforced,” Walsh says. That means the devices should be registered through third-party software to technically enforce the security policies. It’s also a good idea to set up separate personal and business memories on personal devices, so that if a device goes missing but might still be found, only the business data can be erased automatically.
What won’t work with mobile computing security are rigid policies that don’t offer a middle ground, Walsh contends. Some hospitals, he notes, have policies stating that personal devices cannot be brought in. “Oh yeah, good luck with that.” A blanket policy like that will work as well as keeping employees off the Internet worked a decade ago, he predicts.
Walsh and Seymour will explain regulations specific to medical device security, risks the devices bring into a network environment, and who is responsible for mitigation of risks. The session, “Security Risks Associated with Mobile and Medical Devices & Applications,” is scheduled on Feb. 24 at 10 a.m.

















