Guest post byDaniel Castro, senior analyst with the Information Technology and Innovation Foundation.
Although we are only a month into it, 2013 is already shaping up to be an important year for health information technology (IT).
Two recent developments have increased pressure on the health care community to deliver results from government investments in health IT systems. First, concerns about the federal budget are causing policymakers to take a close look at programs with a large budget. As of July 2012, the U.S. Centers for Medicare and Medicaid Services (CMS) reports that the government has spent almost $6.6 billion in incentive payments for electronic health record (EHR) systems, and the amount of money spent on health IT will only continue to grow.
Second, policymakers are taking an extra critical look at any program that appears to be under performing. Whether fair or not, health IT will likely fit this profile as well because of recent concerns that have been raised about the effectiveness of some of these investments. In particular, earlier this month, the RAND Corporation released a report backtracking on its earlier assertion that health IT could save the United States more than $81 billion annually. This claim in the original RAND study played an important role in helping to quantify the potential impact of health IT for policymakers.
The authors of the latest RAND report have raised doubts about the accuracy of that prediction. More importantly, however, they have pointed to a number of factors that have contributed to the lower-than-expected performance of health IT in the United States. In particular, they argue that current performance is the result of slow adoption of health IT systems, the selection by health care providers of EHR systems that are not interoperable or easy to use, and the failure of health IT providers to adapt their processes to the technology.
Many of these problems were somewhat expected. For example, it is not too surprising that healthcare providers adopted systems that are not user friendly since those purchasing the systems are a relatively unsophisticated customer-base. We’ve seen the same type of problems in other areas of government. In the early-2000s, the Help America Vote Act gave out millions of dollars to state and local election officials to purchase new voting systems. Although there was (and is) a strong need to procure more sophisticated voting systems, many of these officials made poor decisions on what types of systems to purchase. We’ve seen the same type of problem in health care.
It is also not too surprising that healthcare providers are experiencing interoperability concerns since the federated, bottom-up approach to building health information exchanges does not properly incentivize data sharing or consumer access to data. The Department of Health and Human Services (HHS) has included some top-down mandates on meaningful use around these issues, but that is no replacement for consumer-driven competition. Still, while the United States may be taking the long route to data portability, at least projects like the VA’s “Blue Button” initiative to give consumers access to data are generally moving us in the right direction.
That is why, even with these minor setbacks, we should still have a positive outlook on the potential of health IT. True the RAND report is a bit discouraging, but it’s also come at an ideal time when healthcare practitioners and policymakers still have time to refine their efforts to implement the HITECH Act. After all, implementation is far from over and there is still time to have a course correction.
For example, HHS was tasked with defining three stages of meaningful use for EHR systems where each stage reflects an increase in complexity and utility. We have passed stage 1, where the criteria focused on capturing important data and reporting clinical quality measures, and we have moved into stage 2, which focuses on exchanging and transferring health information in different settings. The third stage, which focuses on improved outcomes, is not set to occur until 2016, so there is still time to get this right.
And the key to maximizing benefits is to encourage healthcare organizations to meet high performance metrics through the adoption of advanced technologies. A few years ago I co-authored a report on maximizing the benefits of IT. I wrote “Policymakers should recognize that IT is a means and not an end—it’s unreasonable to expect that simply using IT to perpetuate existing analog processes will lead to better solutions. Existing problems shouldn’t just be digitized; IT should be used to find new solutions to old problems.” These same words hold true today in healthcare where providers do not always understand that innovation takes a combination of people, process and technology.
This is why we need to be thinking long-term about how to maximize the benefits of health IT, not only in delivering more effective and efficient care, but also in rethinking how we use IT to innovate in healthcare. There are countless possibilities where IT can lead to radically new solutions in healthcare, from using IT to monitor health in the home to using health data for new types of medical research. But the reality is that we won’t get there unless we constantly evaluate where we are falling short and implement policies to address these problems so we can successfully move forward.
Daniel Castro is a senior analyst with the Information Technology and Innovation Foundation.
Like it or not, BYOD (bring your own device) is a topic that’s not going away. Some consider it a fad, a conversation piece and a topic passé. But, the same was said of the personal computer, the Internet and now, mobile devices in the workplace.
I’ve spent a lot of time recently focused on the work of Gartner, and today is no different. The analyst firm produces some great content and provide some great thought leadership advice and BYOD is no different. Healthcare leaders would do themselves a favor to take note of the following tips from the firm (specifically, Stephen Kleynhans, in this case).
Organizations today must address their BYOD challenges. They are everywhere, in every organization. Users continually and ever more so utilize their own devices, and the trend continues to grow. Doing so, so the argument goes, is that employees’ own devices boost productivity. It’s an argument that’s been said over and over thousands of times.
According to Gartner, users and organizations need to understand BYOD issues and challenges including “security risks from data leakage; financial risks from device cost or support/network contracts; and, compromised compliance/certifications from using sensitive services (location services, GPS etc.). Here is what Gartner feels are the key issues in BYOD adoption in this context.”
Simply put, as we’ve previously discussed here, BYOD is said to help employees perform their roles more efficiently, which is particularly the case for home health professionals and those on call. Additionally, BYOD is supposed to limit tech budgets for organizations, and in large health enterprises this makes a great deal of sense. Essentially, the burden for technology and upgrading it lies on the employee. When they want a new device, they purchase and upgrade it. Obviously, this takes a great deal of pressure off of an organization that might otherwise be forced to upgrade and purchase the technology on an ongoing basis.
“Well framed, comprehensive BYOD policies addressing these issues and challenges can help shift cost to the users and reduce support burden on IT for non-strategic devices,” said Gartner’s Kleynhans.
Additionally, he states that BYOD in in its current form is “largely a ‘don’t ask/don’t tell affair’” where users do what they can, because they can, and devices belonging to senior executives have probably already been made in your organization.
“Prior to instituting formal BYOD, issues related to regulatory, security and compliance need to be reviewed, and an employee’s personal liability and the company’s obligation to its investors or customers may not always be linked. Consider that the loss of user-owned devices carrying sensitive data might lead to serious trust deficits that might be difficult to recover from. If you lack adequate MDM and data protection controls, instituting a BYOD program might backfire,” states Gartner.
Mobile access to company resources should only be granted incrementally based on the users role and needs within the organization, and assigning differing levels of authentication to programs, device fingerprints, location and so on.
“BYOD issues around administering diverse environments will require segmented, policy-controlled architectures, where application delivery focuses on isolating company data rather than targeting complete device control,” said Kleynhans about a concept also known as containerization.
Wherever control of a device or data is not possible, encrypt. “Approaches such as Web apps, virtualized apps and hosted virtual desktops may be used on the server side, complemented on the client side by secure access clients, sandboxes, thin clients and trusted computing devices/dongles.”
Launching BYOD is challenging, and requires a thorough due diligence. Gartner sums it up beautifully: “Extend existing policies wherever possible and ensure that the full range of interested parties such as IT, business, HR and legal are involved to cover all contingencies and legal requirements. Further, your policies need to define clearly what can and cannot be done with employee-owned devices; the level of enterprise network access; privacy restrictions; exceptions; penalties; and, most importantly, liabilities.”
EHR review sites seem to have taken hold. Press releases and announcements galore, they proliferate the web like nearly other consumer review-based site. In the latest round, one of the newest sites, EMR-Matrix, essentially announced its existence and that its staff and leadership would be present at one of healthcare’s largest tradeshows – HIMSS.
What better a place to try to sell its product where the very companies that it will likely hold hostage through its so-called independent review will be present.
According to the company’s release, “The new website offers a way for doctors and health systems to evaluate, test and read reviews of electronic medical record software systems, as well as provide feedback on their own experiences with their existing EMR and practice management systems. Unlike other sites, EMR-Matrix is user content driven and strives to provide the most candid feedback possible about each EMR system.”
I absolutely believe that the (free) market needs dedicated resources that help consumers find the best products at the best prices while exposing a company’s weaknesses and touting its greatest successes, but I’m not in favor of sites bent on trying to manipulate the system.
I may be in the minority, but I don’t believe in review sites, and I don’t use them. Too often, the reviews are skewed toward the negative, the sounds of the blathering loudmouth without a better venue to employ turns to the web and spouts off. They do almost nothing to keep me from experiencing something I want to experience. Certainly, I don’t believe an un-vetted review site about electronic health records is going to do much to sway my opinion one way or another about the quality of a product being professionally produced by a software vendor, but it may sway the opinions of others.
Essentially, the site is taking the business model that Software Advice utilizes and is trying to position itself as another unbiased source of information that also uses aggregated customer reviews to provide the “true” sentiment of a system and its capabilities.
If nothing else, this is just another form of KLAS, which I’ve always been suspect of. Based on my experiences in house at an EHR vendor, I’ve seen the data used to compile the reports and with the conclusions these types of reports drawn, there is a great deal left to the imagination. Companies – Allscripts is an example – that choose not to subscribe to the KLAS and, therefore, forgo receiving the KLAS reports should earn everyone’s respect. They don’t bow to the peer pressure of inclusion and they understand that for the most part, the reports or worth far less than the paper they’re printed on (even though vendors pay upwards of $60,000 to see them). Nevertheless, the data in the reports are suspect and thin, and given the strangle hold KLAS has on vendors, to not subscribe is virtual suicide for the vendor (Allscripts is big enough not to have been too deeply affected, though its products are never anywhere near the top of the rankings in the KLAS reports).
That said, EMR-Matrix and others that come along might do more damage than good. If nothing else, in my opinion, at face value, they seem to be out to capitalize on the market. Let’s hope the consumers of health IT and EHRs see through this thinly veiled attempt, but there’s still some skepticism on my part that this will be the case. My blogger colleagues have agreed with me so I hope those in the market for a new EHR will actually do a little shopping around and testing rather than simply relying on a site such as this.
Unfortunately, some of the collateral damage of a site like this is like that of a “bad” restaurant — once the review hits the web, it pretty much lives there forever. For people like me in PR, and those around me who are actually dedicating their lives to developing what we believe are good, solid, high-quality products to better healthcare, physician’s practices and patients’ lives, we lose because of sites like this. We’re the ones who lose sleep. We’re the ones that lose our jobs. We’re the ones who lose – because of a site that’s pairing the information provided with those seeking it, as relevant.
Ah, venture capitalists. You’ve got to love them. They insert themselves into a variety of topics and industries they know nothing about and pretend they can make everything better about whatever industry they ingest.
I worked for a VC-owned health IT firm for a few months following the sale of a division of a public company. What followed is round after round of layoffs, reduced investment into the product and cuts everywhere something could be cut.
But, I’m a capitalist at heart so I can’t really blame them. They’re out to make money. So am I.
But, what I find it somewhat ironic is that a VC is telling the world that in the near future, nearly 80 percent of what physicians do will be replaced by computers. What’s crazier, at least as far as I’m concerned is that he’s right, if not in whole at least in part.
According to Vinod Khosla is the founder of Khosla Ventures, “Much of what physicians do (checkups, testing, diagnosis, prescription, behavior modification, etc.) can be done better by sensors, passive and active data collection, and analytics. But, doctors aren’t supposed to just measure. They’re supposed to consume all that data, consider it in context of the latest medical findings and the patient’s history, and figure out if something’s wrong. Computers can take on much of that diagnosis and treatment and even do these functions better than the average doctor (while considering more options and making fewer errors). Most doctors couldn’t possibly read and digest all of the latest 5,000 research articles on heart disease. And, most of the average doctor’s medical knowledge is from when they were in medical school, while cognitive limitations prevent them from remembering the 10,000+ diseases humans can get.”
He continues: “Computers are better at organizing and recalling complex information than a hotshot Harvard MD. They’re also better at integrating and balancing considerations of patient symptoms, history, demeanor, environmental factors, and population management guidelines than the average physician. Besides, 50 percent of MDs are below average. Computers also have much lower error rates. Shouldn’t we take advantage of that when it comes to our health?!”
Perhaps what’s most intriguing about his argument is that is just makes sense. By automating the process and reducing the redundancies and inefficiencies, physicians can focus more on the relationship they need to build with their patients. Khosla says in his Fortune piece, that automating healthcare improves relationships. “Providing good bedside manner and answering certain questions can often be handled better by a person than a machine, but you generally don’t need a medical degree to do that.
Nurses, nurse practitioners, social workers, and other less expensive, non-MD caregivers could do this just as well as doctors (if not better) and spend more time providing personal, compassionate care.”
Finally, what may be his most bulletproof part of the argument is that a transition to automation is happening in several other markets or areas that are worthy of taking note of. For example (and I’m citing directly):
Most commercial flying is now done by auto-pilot, not by the captain. Algorithmic trading now drives most stock market volume.
Google’s (GOOG) self-driving car has had zero accidents driving 300,000 miles on normal streets. The same replacement of human involvement by computers will also happen in healthcare.
Because of automation, physicians supposedly will have more time to spend talking to their patients, making sure they understand, and “finding out the harder-to-measure pieces of information because they’ll spend less time gathering data and referring to old notes. And, they will be able to handle many more patients, reducing costs.”
The last point may be a bit of a stretch. I’m not sure any amount of automation can actually reduce costs.
But here’s the heart of the story, the heart of the entire current healthcare story: Where will the innovation come from.
“Innovation seldom happens from the inside because existing incentives are usually set up to discourage disruption. Pharma companies push marginally different drugs instead of potentially better generic solutions because they want you to be a drug subscriber and generate recurring revenue for as long as possible. Medical device manufacturers don’t want to cannibalize sales of their expensive equipment by providing cheaper, more accessible monitoring devices. The traditional players will lobby/goad/pay/intimidate doctors and regulators to reject innovation. Expecting the medical establishment to do anything different is expecting them to reduce their own profits. Granted, these are generalizations and there are many great and ethical doctors and organizations.”
Well put, Mr. Khosla!
What’s going to change it? People in need. Entrepreneurs. Those looking to innovate. Those looking to capitalize. VCs…
Having spent most of my career on one side of a note pad while looking at a source on the other, I’ve often wondered if others have felt the way I have about trying to connect with the story tellers I’ve come to rely upon for my professional endeavors.
As professional reporter and freelancer, I’ve spent much of my life trying to connect with and extrapolate information from those who have it to give and turn that information into compelling stories for the world to read. And, in many cases, even as a public relations professional who worked for an EHR vendor to tell stories to the media about our technology and how physicians used it to improve practice efficiencies and establish their electronic health records, I asked myself the same question: Am I connecting with those I’m speaking with while I work to paint their pictures with my words.
Even now, as a blogger and freelance PR professional I continue to ponder the same question. And, I’ve wondered, if I feel this way when I’m writing a story and the only thing coming between me and my source is a pad of paper, how must it be then for physicians that are now using computers to take notes and build cases histories for their patients during their exams?
One day this argument will be settled as a new generation of docs enters the workplace and take over practices left by their predecessors as they will never know an exam room without some sort of technology – computer or mobile device – but one can’t but help feel (at least now in the infancy of the true EHR days) that there has been a change in the way your physician practices now that he or she has a computer next to your exam table in the exam room.
I’ve noticed that the doctor seems to be some great distance away from me as if I’m having a conversation with someone 1,000 miles away. It’s the same thing as when you are in a conversation with someone while you are toying around your iPhone or Blackberry. You’re there physically, but in mind you are a long way away.
The same can be said for drivers who chose to talk on their phones. Clearly, the individual is behind the wheel letting their body’s muscle memory carry them through the task of shifting, steering and turning, but their cognitive thoughts are in the place of purgatory somewhere between the road in which they are driving and the person on the other end of the line.
With this in mind, just how much is being conveyed and captured by the physician who’s tapping away at their keyboard while their trying to guide you through the eight-minute office visit?
Speaking from the perspective of a professional journalist who has made a career of trying to capture the facts, figures and stories of those sitting next to me while I’m typing or writing away, I can safely say that much is being lost. This is especially true since shorthand and transcription is a skill not being taught at our top medical schools and residency programs throughout the United States. Heck, we can’t even get our young med students trained on using electronic health records prior to graduating into real life so why should we expect our doctors to have the skills of a professional journalist or court reporter.
So, if I still have problems at times with connecting to sources even with nearly 15 years of experience, I can guarantee you that physicians, who don’t make a living at capturing the heart of a story or even its most important elements, that not all of a patient’s most important information will end up in their health record.
As 2013 gets underway, we are in the midst of a health information revolution. As many healthcare providers continue to struggle to implement electronic health record systems and meet meaningful use requirements, the promises of this revolution may seem distant, even non-existent. Indeed, many providers rightly complain that implementing EHR systems has only brought increased expense and declining productivity as they adjust to the new systems. The promises of interoperability, better outcomes, reduced medical errors and lower costs in many cases have not yet been realized.
For others, the promised benefits of electronic health information may be closer at hand. For example, The Wall Street Journal recently reported that two big names in healthcare – UnitedHealth Group, Inc. and Mayo Clinic – will form a new research company to mine de-identified health data from millions of health claims and medical records to identify best practices. This seemingly reflects a realization of one of the touted benefits of electronic health information – to change the way healthcare is provided and to reduce costs by analyzing health outcomes information.
Notwithstanding the electronic growing pains within certain quarters of the provider community, digital health is flourishing and driving the health information revolution. While the provider and payor communities were formerly the sole source of health information, consumer demand for digital health and control over health information is moving the center of the health information universe more toward individuals (the new paradigm) and away from providers and payors (the old paradigm). Both patients and providers report increased use of the Internet to diagnose medical conditions. Digital health services provided via the Internet, smart phones, cable, Bluetooth-enabled devices and other wireless technologies are putting health information at consumers’ fingertips and unlocking it from the confines of providers and payors.
Consumers want their devices to do more, and make health information and services available to them as easily as they may use their phones to search for a restaurant. Smart phone chip manufacturer Qualcomm has established a $10 million prize to develop a mobile medical computing device, inspired by the tricorder device from “Star Trek.” Smart phones and many medical devices now include multiple sensors that can be employed for a variety of health-related purposes and health-related sensors are increasingly being incorporated into clothing and home monitoring equipment. These activities are generating massive amounts of digital health information, facilitated by declining costs of data storage available through the cloud and other low-cost digital storage media.
While providers may no longer be relied upon as the sole source of medical information, they will continue to be relied upon for their medical judgment. Because of the exponentially increasing availability of health information, including genomics information, which is relevant to clinical decision-making, providers will have a significantly higher burden to digest and analyze this available information and manipulate it in the clinical setting. Look for increased use of and demand for data analytics tools in the clinical setting.
In the meantime, our regulatory regime for data privacy and security, including HIPAA and HITECH, is based on the old paradigm and severely inhibits the health information revolution. Ironically, HIPAA, which was intended to address privacy and security in a digital age, stands as a major impediment to digital health. It does so, in part, because it assumes that health information rightly resides with providers and payors (HIPAA-covered entities), rather than with their business associates (including many digital health companies) or consumers. Indeed, with limited exceptions, HIPAA requires that any business associate of a HIPAA-covered entity either return to the covered entity or destroy patient information where feasible when the relationship between the business associate and the covered entity ends.
That requirement effectively constrains information from easily following the consumer, a major objective and promise of the health information revolution. For example, HIPAA makes it difficult for a wellness company to continue to serve an individual if that individual changes health plans or the wellness company stops doing business with the individual’s health plan. In 2013, look for increased pressure to reform HIPAA to allow information to be more readily accessed by consumers and digital health companies. The more than 500 pages of new HIPAA Omnibus regulations that were issued on January 17, 2013, do not change this underlying assumption or effectively address the new paradigm of a patient-centered health information universe.
At the same time, increased use of mobile media by healthcare providers continues to challenge those who are responsible for protecting that health information. Theft or loss of mobile media, including smart phones, laptops, tablets and flash drives, continue to be among the largest source of data breaches, prompting the federal government recently to issue specific guidance on how to use such devices in compliance with HIPAA. (See,
This guidance recommends limiting offsite use of mobile media that may contain health information. While this position is understandable, it reflects the old paradigm view that information remains within the control of the providers and payors and ideally not leave the controlled environment of their facilities. Healthcare facilities and other companies that use mobile media containing patient information will continue to face challenges with implementing use of such devices, given the current regulatory regime.
Drew Gantt leads Cooley LLP’s Health Care and Life Sciences Regulatory Practice. Gantt is a partner in Cooley LLP’s Business Department and a member of Cooley’s Life Sciences Practice Group. His practice focuses on healthcare and life sciences regulatory counseling, complex transactions and strategic business advice.
I’m not unique in that during this time of year I love to take a look at predictions made by some of the industry’s “best” and see if their predictions make sense, are surprising in a good way or if they are surprising in a stupid way.
With that in mind, I came across an interesting piece in Canadian Manufacturing of all places that features several intriguing predictions by analyst firm Gartner that I think are worth a look here as they have peripheral relation to healthcare.
So, here we go. Gartner’s top IT predictions include:
By 2015, big data demand will reach 4.4 million jobs globally, but only one-third of those jobs will be filled. According to the report: “The demand for big data is growing, and enterprises will need to reassess their competencies and skills to respond to this opportunity. Jobs that are filled will result in real financial and competitive benefits for organizations. Note that enterprises need people with new skills—data management, analytics and business expertise and nontraditional skills necessary for extracting the value of big data, as well as artists and designers for data visualization.”
In a market like healthcare, where highly skilled jobs are often difficult to fill, we should understand this prediction to be very true and one not to take too lightly. Some of these job vacancies will be at health system that needs the data to meet federal reporting requirements. The individuals with these skills will have a great deal of clout as they eventually move into the job market.
Employee-owned devices will be compromised by malware at more than double the rate of corporate-owned devices. “Corporate networks will become more like college and university networks, which were the original “bring your own device” (BYOD) environments. Because colleges and universities lack control over students’ devices, they focus on protecting their networks by enforcing policies that govern network access. Gartner believes that enterprises will adopt a similar approach and will block or restrict access for those devices that are not compliant with corporate policies. Enterprises that adopt BYOD initiatives should establish clear policies that outline which employee-owned devices will be allowed and which will be banned.”
BYOD continues to rear its head so don’t be caught unawares. AS Gartner predicts, you must have a plan for mobile device management and personal device use in the workplace. Ignorance is not bliss, in this case, and since employees are currently using their own devices in the healthcare setting where very important personal information can be exposed, develop a policy, stick with it and let your employees know you have one in place. Circulate it!
By 2016, wearable smart electronics in shoes, tattoos and accessories will emerge as a $10-billion industry. “The majority of revenue from wearable smart electronics over the next four years will come from athletic shoes and fitness tracking, communications devices for the ear, and automatic insulin delivery for diabetics. CIOs must evaluate how the data from wearable electronics can be used to improve worker productivity, asset tracking and workflow.”
Healthcare will play a role in how wearable electronics and traceable devices are used to track the health of individuals, especially in outpatient and in-home care. The data from these devices will flow directly into your EHR and become part of the patient record. Physicians will be forced to learn the benefits of these devices and patients are going to need to accept it.
By 2014, market consolidation will displace up to 20 percent of the top 100 IT services providers. “The convergence of cloud, big data, mobility and social media, along with continued global economic uncertainty, will accelerate the restructuring of the $1 trillion IT services market. By 2015, low-cost cloud services will cannibalize up to 15 percent of top outsourcing players’ revenue, and more than 20 percent of large IT outsourcers not investing enough in industrialization and value-added services will disappear through merger and acquisition. CIOs should re-evaluate the providers and types of providers used for IT services, with particular interest in cloud-enabled providers supporting information, mobile and social strategies.”
The prediction smacks of the ongoing discussion about the EHR vendor market and how much longer it can contain the number of players. Certainly, we’re seeing deterioration of this segment now, though it has been expected to erode more quickly than it has. Expect there to be fewer EHR vendors in the next 12 months, and realize that no vendor is too big to fail (see Allscripts). Prepare early and do your due diligence before signing the dotted line.
I’d love to know your thoughts. Do you agree with these predictions and my assessments? What are yours?
In a great new white paper, “Essential Enterprise Mobile Security Controls,” sponsored by Blackberry and posted by Tech Target, mobile device security is the feature show. As it continues to be the main event for mobile technology, mobile devices will continue to be used to carry high-value personal and company information, as expected.
When personal devices are disconnected from company networks, security risks were relatively low, according to the report, but as the technology permeates and its use becomes even more closely connected to the work environment, the risks to security increase significantly.
Apparently things have been pretty slow until now, but that’s not likely to last. The turning point is here and hackers are on the move, including on iPhones, as well as the Android market place. Given these continual threats, and the importance of the data healthcare organizations protect, the need for improved mobile security controls an imperative for any organization looking to leverage mobility for competitive advantage.
According to the report, “A key challenge for improving mobile security is to understand what tools are available and how they can be leveraged.”
The following is a list of must-have mobile device security controls to protect workers and organizations, again according to Blackberry:
Device security. Remote lock, wipe and backup/recovery can help reduce the risk associated with lost or stolen devices. According to SearchSecurity.com, lost and stolen devices rank among organizations’ top mobile security concerns, and for good reason: “The easiest way to lose data via a mobile device is to lose the device itself. Every enterprise sanctions (or doesn’t prohibit) BYOD must ensure that any supported device can be locked and erased remotely, and that valuable data is backed up to a location under the organization’s control.”
Network security. The increased number of smartphones and other devices that are carried into the enterprise by end users increases the threat to corporate networks.” Attackers have started seeking ways to use unsecured mobile devices as a means to leapfrog into otherwise protected areas of the network, including databases.
Malware defense. The oncoming wave of mobile malware requires protection, like antivirus, personal firewalls, Web filtering and anti-spam. “It’s becoming necessary to invest in mobile add-ons from traditional antimalware vendors, or consider a mobile device management (MDM) product that can, among other things, facilitate the extension of anti-malware to a variety of mobile devices.”
Threat intelligence. Large enterprises should invest in threat monitoring tools and research teams, and train them on how to not only identify mobile threats, but enable rapid response. These functions can be closely tied to existing log analysis and security information and event management (SIEM) processes. “The most important tactic here is to develop a baseline of “normal” mobile device activity and use analytics and real-time monitoring to spot deviations that may be a sign of an attack.”
Centralized management. Central management tools provide a “single pane of glass” to set and enforce policies and perform many other security-related functions across all mobile devices. This is becoming an increasingly important capability in organizations where multi-platform support is essential.
Data encryption. Files, contacts and email need to be encrypted on mobile devices in the event of loss or theft. Each platform comes with different encryption challenges, some requiring additional encryption application for the data that lives on the device. While the market for mobile encryption for data in motion is immature, new options are emerging all the time.
Over-the-air capabilities. Mobile security requires over-the-air provisioning and configuration to ensure that workers always have the latest security capabilities without burdening IT, forcing them to physically touch each device. As demand grows for an increasingly diverse landscape of mobile devices, this feature is crucial for enterprises that need to scale their mobile security provisioning efforts.
According to the report, and this is a nice summation of the report (and I quote): “Mobile security is still in its infancy, but the trends around connectivity, device evolution and worker mobility means organizations must start planning their mobile security strategy now, and that process begins with assessing what mobile security controls are needed and developing a plan to put those controls into action.”