player in the overall risk management program, and to include technical verification controls to
confirm the device continues to be trustable for handling EHRs.

In the end, many wonder if healthcare institutions should limit which devices can access EHRs,
in hopes of improving security. In reality, reducing variability and controlling environmental
factors can certainly make for a more successful risk management program, but that comes at a
cost: how do IT folks make those decisions on which devices to trust? How do they determine
what they are dealing with? Increased ecosystem/environmental control can be advantageous,
but only with the correct limits. If institutions limit the use of mobile devices, there’s a potential
for a decrease in patient satisfaction and patient care.


Since each IT department has different staff skills and experience, and different capabilities in
terms of technical security controls and processes, an IT department should aim toward choices
that are amenable to their existing methodology to manage devices and risk. Another situational
aspect to consider is whether the organization will supply and manage the devices, or if they
expect users/employees to utilize their own personal devices. The choice can drastically affect
the types of practical security controls and processes that can be implemented. If personal
devices are used, then further considerations need to be made regarding the other types of
personal applications that may be on the device, and the potential security implications of
sharing a device for EHR use and personal use. BYOD and mobile access to EHRs allow
healthcare employees to increase customer satisfaction and patient care. Healthcare institutions
can address security concerns by implementing mobile and data security solutions that keep
patient information safe.

About the Author


Jeff Forristal, Chief Technology Officer

Jeff Forristal has been a security technology professional in the security
industry for over a decade. His professional background includes all
things security, spanning across software, hardware, operations/IT, and
physical access control. Jeff has written multiple features and cover-story
articles for Network Computing and Secure Enterprise magazines; he is
also a contributing author to multiple books. Under the pseudonym “Rain
Forest Puppy,” Jeff has been recognized as an industry expert in web
application security and was responsible for the first documented security
discovery of SQL injection, the first publicized responsible security
disclosure policy, and the first intelligent open-source web application
scanner. He has presented his security research in many forums, from established events like
BlackHat and CanSecWest to smaller regional conferences around the world.








Cyber Warnings E-Magazine - September Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide