Deploying a Mobile Device Management Strategy in Healthcare or Elsewhere
Guest post by Marcus LaFountain.
A recent Ovum study showed that almost 60 percent of employees bring some type of mobile device into the workplace. There are a few names for this, Bring Your Own Device (BYOD), Bring Your Own PC (BYOPC), Bring Your Own Phone (BYOP), User Introduces Unsecure Device onto My Network and Then Loses My Secure Data (UIUDOMNTLMSD).
Alright, so I made that last one up, but that is how most IT managers feel when the discussion is started about BYOD. An end user bringing a device to work is both a gift and a curse for any sized company. We see an increase in productivity but also the increased threat of data being lost or stolen. Having a strong mobile device management (MDM) strategy can help companies reap the benefits of BYOD while limiting the consequences.
Let’s start by going over some numbers. By 2014, the number of mobile devices (mostly mobile phones) in the workplace is expected to reach 350 million globally. A remarkable 57 percent of full-time employees are already using mobile devices for work related tasks. Out of that 57 percent, about half is unmonitored, un-managed BYOD activity. Another study shows that in 2011, 78 percent of companies did not have a BYOD policy and only about 20 percent of employees actually sign a BYOD policy.
There are many reasons to justify a BYOD policy:
Productivity: An employee who uses their personal device for both work and play is on average likely to work an extra 240 hours per year than those who do not. They can answer emails on the go, answer phone calls while on the road (using a hands-free device of course!) and receive that last minute meeting update. Most employees won’t want to bring a work laptop home just to check emails after dinner or during downtime at home. Letting them receive emails may empower them to write a quick mail back to a client in a different time zone rather than having to wait until the morning.
Cost: There is also a cost justification. Not having to provide every employee with a business only device can save not only the cost of the device but the monthly service plan that goes along with it. The number of devices can be reduced as well. A mobile phone is a cheaper and sometimes more convenient alternative than a laptop with a 4G cell card. Employees can still stay connected when not physically at their desk.
User Experience: Tech savvy employees tend to have strong preferences when it comes to the technology they choose to use. Forcing an Android user to use a BlackBerry device may not be an ideal situation. Giving employees the ability to choose their mobile operating system, screen size and other technical specs may make them more likely to use the device rather than it sitting in a desk drawer unused.
However, it isn’t all sunshine and rainbows in the world of BYOD. As the use of mobile devices increase in the work place, so do the number of malicious attacks. According to the Ponemon Institute, six out of 10 security breaches were traced back to mobile devices. Apple and Google are constantly removing mobile malware from their app stores. And as always, attackers are trying to pick the low hanging fruit of the mobile community first. Businesses must have policies and security measures in place to protect their data. In 2009, the U.S. government enacted the Health Information Technology for Clinical Health Act (HITECH) that requires healthcare companies to notify patients if they have had their health records compromised. Similar acts were also put in place in the financial industry.
Constructing a comprehensive mobile device management (MDM) policy is imperative when users are allowed to bring and use their own devices. As with many policies, the contents may vary greatly by company. However almost every company from small businesses to enterprises will need to focus on security and support.
Security: A lost or stolen device is the most common type of security breach. A company must have measures in place to combat this. While an entire article can be written about mobile security, I will touch on some common features. Both Android and Apple offer AES 256 – Bit encryption as a standard on their devices. Lock screens, passwords and certificates all play a role in device management as well.
Microsoft Active Sync and other software also allow administrators to perform a remote wipe of a compromised device. This is a necessary requirement when employees have company data on their mobile phones. Samsung has developed an Enterprise suite called SAFE that allows the user to partition company data with personal data. It also gives administrators the ability to perform a complete or selective wipe, tracking of the device and local password enforcement. Apple and other mobile providers are starting to or already have incorporated these features as well. If your company is using application virtualization, you may need to define new rules for allowing mobile devices. Users will also need a way to get a hold of someone 24/7 in the event of a lost or stolen device.
Support: This may be a slippery slope for some. Most IT policies only allow for support of company devices. So who supports a personal device that is used for business? Depending on the size of your company, you may want to assign a dedicated resource from your IT security team to manage your MDM policy. If you are an enterprise, you may need a small team to manage different aspects of the policy. Your helpdesk will need training on the various mobile operating systems and communication will need to be sent out to end users on how to stay on top of security. Documentation will need to be created on how to setup email, VPNs and passwords. Do you need to setup an approved device list or will you allow any manufacturer or mobile OS on the network? A pilot group (usually IT) will need to be put in place to test your new systems and policies as well. Audits should also be enabled to check for OS updates, application updates and security updates.
In a growing mobile market and the on demand nature of business today, IT management will need to be one step ahead of its users by developing a MDM policy. When developing an MDM strategy, you must take into account your business needs as well as infrastructure requirements. Like any new implementation it is ideal to begin testing your technology and policies with a small subset of users and conducting a review process before rolling out corporate wide. Doing so may limit mistakes while in a beta phase instead of having them on a mass scale. Focusing on security and support will allow for a comprehensive strategy that will allow employees to operate efficiently and productively but most importantly safely
Marcus LaFountain has worked in IT for the last 10 years as a PC technician, Helpdesk analyst, and system administrator. He is currently a healthcare IT consultant specializing in Cerner and HIM implementations.