BYOD approach makes inroads at Kaiser Permanente

The bring-your-own-device trend continues to snowball. After a recent report from Aruba Networks found that 85 percent of hospitals are supporting mobile BYOD, healthcare giant Kaiser Permanente admits it's working on a BYOD policy of its own.

We found a discussion of Kaiser's plans in a larger story at Network World. Mark Kadrich, Kaiser's senior security architect, admits that employee demands have driven the company to create a workgroup to identify standards that might allow iPad, iPhone, Android and several other devices onto the Kaiser networks. Right now, the group is actively testing several hundred iPads and Android devices, Kadrich says.

He has serious reservations about BYOD, make no mistake. Kadrich tells Network World that mobile device management systems, which many in healthcare hope will provide needed security, aren't nearly hefty enough to do the job for an enterprise-wide rollout. "I'm not convinced MDM is cost-effective or appropriate," he says.

Joe Nocera, principal of the IT security division at PricewaterhouseCoopers, which has recently done its own major research on mobility issues, agrees, calling most MDM systems' functionality "very limited." Right now, "all they do is secure email fairly well," he tells Network World.

Some security experts, bowing to the clear trend, recommend adding MDM as just one cog in the security machine. Health Data Management blogger Rob Humphrey, security director for Kensington Security, just a few weeks ago recommended a three-tier security protocol for mobile devices: 1) physical security with electronic tethers or locking cases; 2) data security on the device with auto-lock functions, device-level encryption and the like; and 3) network-level security that forces all mobile devices to be authenticated by the network before access is allowed.

Kaiser is working on another solution to circumvent some app- or software-specific security issues, such as malware piggybacking on apps, or apps siphoning and transmitting user information to third parties. The solution: an ultra-strict, curated app store. The Network World article says that the process goes "beyond the iTunes and Android store approach, in an effort to define strict coding practices" for acceptable apps and other software.

Kaiser right now is asking its mobile software vendors to pony up their blueprints for tracking and monitoring security problems, software flaws, or anything else that might endanger an end user on the Kaiser system.

To learn more:
- read the Network World story
- read the Health Data Management analysis