HIMSS12 Preview: Getting Personal with Mobile Devices
As more patient information becomes electronic and physicians buy mobile computing devices such as tablets and smartphones, they want to use these personal devices when in the hospital to conduct business.
As more patient information becomes electronic and physicians buy mobile computing devices such as tablets and smartphones, they want to use these personal devices when in the hospital to conduct business.
“They are putting work and patient information on the devices,” says Tom Walsh, president of Tom Walsh Consulting LLC, a health information security firm. “How in the world are we going to enforce security?” That question is the focus of a roundtable session that Walsh will moderate with Dennis Seymour, senior security architect at ELLUMEN, a health information technology services vendor, at HIMSS12 in Las Vegas.
They’ll talk about three basic policies, or security controls, that have to be in place: start-up password or pin, automatic log-off and encryption. “A policy is like a speed limit on the highway; it’s more like advice unless enforced,” Walsh says. That means the devices should be registered through third-party software to technically enforce the security policies. It’s also a good idea to set up personal and business memories in personal devices, so if a device is missing but could be found it is possible to automatically erase only the business data.
What won’t work with mobile computing security are rigid policies that don’t offer a middle ground, Walsh contends. Some hospitals, he notes, have policies that personal devices cannot be brought in. “Oh yeah, good luck with that.” A blanket policy like that will work as well as keeping employees off the Internet worked a decade ago, he predicts.
Walsh and Seymour will explain regulations specific to medical device security, risks the devices bring into a network environment, and who is responsible for mitigation of risks. The session, “Security Risks Associated with Mobile and Medical Devices & Applications,” is scheduled on Feb. 24 at 10 a.m.
“They are putting work and patient information on the devices,” says Tom Walsh, president of Tom Walsh Consulting LLC, a health information security firm. “How in the world are we going to enforce security?” That question is the focus of a roundtable session that Walsh will moderate with Dennis Seymour, senior security architect at ELLUMEN, a health information technology services vendor, at HIMSS12 in Las Vegas.
They’ll talk about three basic policies, or security controls, that have to be in place: start-up password or pin, automatic log-off and encryption. “A policy is like a speed limit on the highway; it’s more like advice unless enforced,” Walsh says. That means the devices should be registered through third-party software to technically enforce the security policies. It’s also a good idea to set up personal and business memories in personal devices, so if a device is missing but could be found it is possible to automatically erase only the business data.
What won’t work with mobile computing security are rigid policies that don’t offer a middle ground, Walsh contends. Some hospitals, he notes, have policies that personal devices cannot be brought in. “Oh yeah, good luck with that.” A blanket policy like that will work as well as keeping employees off the Internet worked a decade ago, he predicts.
Walsh and Seymour will explain regulations specific to medical device security, risks the devices bring into a network environment, and who is responsible for mitigation of risks. The session, “Security Risks Associated with Mobile and Medical Devices & Applications,” is scheduled on Feb. 24 at 10 a.m.