Conversation with Shahid Shah on mobile security, Part 2

Posted: November 4, 2010 in Endpoint Management, Expert Q&A, Industry Commentary

This week, we feature the second part in our series with Shahid Shah, an enterprise software analyst who specializes in healthcare IT with an emphasis on e-health, EMRs, data integration, and legacy modernization. He is also founder of the popular Healthcare IT Guy blog.

VPN Haus: Let’s talk about data encryption, security, and safety. What role does that play with mHealth?

Shah: Security and safety both play key roles in healthcare generally and mHealth specifically because trust is paramount. Companies like RIM, considered the best in mobile security, use what’s called “end point encryption” on the devices and centralize management of that encryption. With end-point security like RIM’s, it’s very nice because everything is fully encrypted both at rest on the mobile device and in transit so it’s not easy to eavesdrop on those messages.

Other common devices, such as iPhone and Android (of course non-smartphones), don’t have encryption typically set on the highest settings and do not have centralized enterprise-wide security policy settings, which means they are likely not very secure. Unsecure and non-encrypted mobile phones are actually quite dangerous, and unless you have a good system administrator who understands a heavy smartphone use environment and sets up the right policy, it can lead to unintended data leakage if a phone is stolen or lost.

From my perspective, encryption at rest and encryption in transit are being handled really well. But it’s important to remember, while the phone may support it, it doesn’t mean that every application is using it that way. Another thing to keep in mind is that security and privacy are not the same thing: government regulations require both.

VPN Haus: What about simple human error? How do you protect against this?

Shah: This is where system and phone administrators struggle. When you have central administration, like with BlackBerry or Windows, it’s easy to say “everybody needs a PIN or an access code to get on your phone.” But with Android or the iPhone, you have to tell users, “always make sure your phone has password protection.”

Even with remote wipe, having password protection for your phone is important. This way, you can go to your administrator and say, “hey, I lost my phone, can you please erase it?” Knowing that it’s password protected, both you and your administrator know you’ve bought some time. Those two things alone can do a world of good. But to a lot of people, it’s too hard to require a PIN for each use so they just leave it off. People don’t want to put in a four-digit code on their iPhones every time they want to use it. This is a policy, unfortunately, that you can’t enforce without some centralized tools and it’s imperative to use them.

Stay tuned, next week we’ll continue our conversation with Shah, discussing HIPAA and the future of mobile health security. For part 1 of the series, click here.
