Monday, July 23, 2012

The BIDMC Laptop Encryption Program

I've been writing about the Bring Your Own Device (BYOD)/Consumer IT challenge for the past several months.  Today, an action plan goes into effect.   Here's the message we sent to employees:

"Information Systems will be conducting an aggressive campaign to ensure every mobile device is encrypted. This initiative applies to all staff and students. The program is mandatory and required for any mobile device used to access BIDMC-related systems, programs or documents, including email, clinical applications and administrative documents such as financial spreadsheets, grant information or staff lists.

Many of you participated in last month’s program regarding smart phone devices used to connect to the Exchange email system using ActiveSync. These devices now require password protection. Look for more information soon on new smartphone encryption and 'auto wipe' requirements.

Securing Laptops and iPads

The next stage of work is encrypting laptops, iPads and other tablet computers. It will proceed in two phases.

The first phase, beginning this week, focuses on institutionally owned laptops and iPad-type tablet computers.   Other versions of tablet computers will be addressed in a later phase.  Service depots will be set up in and around the main campus. The first location will be the Center for Life Sciences (CLS). This building was chosen because it has the largest population of laptops and iPads.  

We appreciate the cooperation of staff of CLS especially because you are the first to undergo this new process. The CLS experience will guide IS planning for the entire medical center.   We will coordinate our encryption program with Research Administration’s research equipment inventory project, eliminating redundant phone calls to investigators.

What You Need to Do

Prepare Your Device – Prior to dropping off the laptop or iPad at the service depot, delete unneeded applications and data. All valuable data and important files, email, applications and other documents stored on the device should be backed up to your network home directory. Do NOT back up the data to an Internet cloud service such as Apple’s iCloud, or DropBox. Storing protected health or personal information on these sites is against corporate security policy. 


Schedule an Appointment - Information Systems will contact staff for which records show you have been issued an institutionally funded laptop or iPad.

Leave the Device - Encrypting a device may require several hours depending on the method used. For this reason, you will be expected to leave the device at the service depot. Every attempt will be made to complete the work within the same business day.


Pick Up the Device - Upon returning the device, depot staff will brief you on what work was done and your on-going responsibilities for maintaining the security of the device. You will be asked to start the device from a cold boot and verify it is in working order.

What IS Will Do


Intake – To qualify under HIPAA/HITECH 'safe harbor', full disk encryption is required. On arrival at the service depot, an initial assessment of the device’s configuration will be done to determine the most appropriate encryption method, e.g. software or hardware based. Some devices have encryption built in, but it needs to be activated. The method used will depend on the make, model and operating system version of the laptop or tablet computer.


Inspection - The service depot staff will scan the device for malware and vulnerabilities.  They will check configuration settings to assure they comply with corporate security policy such as power-on password, inactivity timeouts, and, for iPads, auto wipe. If time permits, depot staff will apply operating system and third party software patches necessary to eliminate security vulnerabilities.  If malware is detected, the device will be cleaned or re-imaged depending on the nature of the malware. The network address of the device will be recorded so I.S. knows it has been inspected when it appears on the data network. When practical, management (Microsoft SCCM for Windows or Casper for Macs) and anti-virus agents (McAfee EPO) will be installed to allow Information Systems staff to keep the device in good security hygiene throughout its life while in use at BIDMC.


Inventory the Device for Research – If your computer is one that still needs to be scanned as part of the bi-annual Research inventory required by federal law, a member of the Research Administration staff will scan the inventory tag while it is at the depot – or apply an inventory tag as needed. We are combining these efforts to make it more convenient for users.


Return - See #4 above.

What is Next?
The dates and locations for other service depot sites will be announced later this month as IS continues to secure laptops and iPads throughout the medical center.

The second phase will extend the program to other models of institutionally owned tablet computers as well as personally owned laptops and tablet computers that are used to access BIDMC-related data. This phase will begin in the fall after work on institutionally owned devices is completed. We will assist in encrypting and, time permitting, patching the devices. Once done, it will be the responsibility of the owner to maintain the encryption and healthy state of the device.

Information Systems will periodically check your mobile device to ensure the safeguards are still in place. Additionally,  staff must attest, each time their password is renewed, that all mobile devices they use for hospital related business, including personal devices, are encrypted.

From this point forward, newly acquired laptop and tablet computers purchased from institutional funds cannot be used to access the BIDMC data network until their encryption status is verified by Information Systems.

Information Systems will monitor the network for rogue laptop and tablet devices that have not been screened for compliance. If a device is discovered that has not been screened, Internet access privileges will be blocked."

As I've told the press, it is no longer sufficient to rely on policy alone to secure personal mobile devices.    Institutions must educate their staff, assist them with encryption, and in some cases purchase software/hardware for personal users to ensure compliance with Federal and State regulations.   Over the next few months, I'll write several posts about our lessons learned supporting personal device security enhancements.

2 comments:

Anonymous said...

The post mentions that using services such as iCloud and DropBox is against corporate security policy. What about services that provide client-side encryption such as SpiderOak, Wuala, or aes.io?

Unknown said...

John
I trust and presume that such steps are being taken for convincing reasons. Those of us running applications via Virtual Desktop or via Citrix have believed the PHI data couldn't become resident on the device, and thus BYOD was acceptably safe. I am very much looking forward to learning how you thought through the BYOD issues and risk and decided the careful steps you outlined in your blog this morning.