BYOD continues to challenge hospitals' security boundaries

As "Bring Your Own Device" continues its march into healthcare--remember Aruba Networks' recent data showing 85 percent of hospitals allow BYOD--CIOs continue to adapt their security policies to control a myriad of devices and security settings.

Mobile cheerleader John Halamka, CIO of Beth Israel Deaconess Medical Center in Boston, put forward a few new tweaks to his own organization's policy in a post to his Life as a Healthcare CIO blog last week. For instance, Halamka believes that CIOs need to:

Keep passwords the top priority: Halamka uses a remote wipe setting for all his organization's BlackBerry users--wiping the device after 10 failed password attempts. He notes, however, that this is less feasible with Apple and Android devices, where corporate and personal data are more difficult to segregate.

"Given that we cannot selectively purge corporate vs. personal data, we'll likely avoid that setting for now," with anything except Blackberries, he says.

Other experts recommend requiring long, complex passwords--no matter how much clinicians complain--as well as disabling simple passwords like 1234 or ABCD.

Create server settings that query devices as employees log on: What's more, Halamka says, allow access only from devices that adhere to your password and other enterprise security settings.

Other BYOD advice we dug up includes:

Put Web filtering and application control technologies on your server: This will give you better control over tracking users' Web movements and prevent them from using apps that might leak patient information, suggests Kevin Flynn, marketing manager for security firm Fortinet.

Get a lock on device location: Some vendors, like Absolute Software, use locator services like LoJack to help hospitals quickly find devices that have been lost or stolen, according to a February commentary in InformationWeek.

Keep watching for more robust mobile device management: While many tout its value, Kaiser Permanente's senior security architect, Mark Kadrich, recently complained that mobile device management tools simply aren't powerful enough yet to protect an entire enterprise's mobile layout, particularly when much of that is BYOD.

To learn more:
- read Halamka's blog post
- here's the InformationWeek piece
- dig into the FortiBlog post
- check out eWeek's piece on Aruba's BYOD data