Rethinking Remote Access
As I travel the country, I find that CIOs everywhere are struggling with BYOD in particular and remote access more generally. Who is responsible if:
- A personal, unencrypted laptop holding email that contains personally identifiable information or protected health information (PHI) is stolen? The CIO of the institution providing the email takes accountability and reports the theft to the appropriate government regulators.
- An employee prints a web page on their home computer and patient data is discovered blowing around in a nearby dump? The CIO of the institution hosting the patient data is responsible.
- An employee with a malware-infected but encrypted smartphone accesses a web application, and a keystroke logger sends the username/password to hackers in Asia who use it to send spam? The CIO is responsible for all the consequences.
Policy alone, forbidding the use of personal laptops, home desktops, and smartphones for processing healthcare data, is not sufficient. CIOs must use technology controls to mitigate the risk of data loss.
For example, BIDMC has already used ActiveSync policies to enforce encryption on every smartphone accessing our email and to deny access to smartphones that do not support encryption.
Personal laptops and home desktops are much harder to control. Purchasing institutionally supported laptops or desktops for every user who needs remote access would be cost-prohibitive.
Rather than trying to manage home clients with many varieties of hardware, operating systems, and third-party applications, it is more practical to restrict who can access resources remotely, where they can access them from, and what they can do once connected (for example, blocking downloads and printing). Solutions I've heard from industry experts include:
1. ActiveSync as the only means of smartphone email access, with a policy that requires encryption of the client device. Use Outlook Web Access as the only laptop email access method and close every other remote email access path: WebDAV, Exchange Web Services, RPC over HTTPS (Outlook Anywhere), IMAP, and POP.
2. SSL VPN for all remote access to all applications (including web portals), configured to prevent remote downloads and printing.
3. Citrix or Virtual Desktop Infrastructure (VDI), which typically does not persist data on the local client, provided that client drive mapping, clipboard, and printer redirection are disabled in the session policy.
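The ActiveSync encryption requirement described for BIDMC above and the email lockdown in item 1 both map onto a handful of Exchange Management Shell settings. The following is an added example, not configuration from the original post or from BIDMC; it assumes Exchange 2010 SP1 cmdlets, and the policy name, mailbox selection, and administrator address in it are hypothetical.

```powershell
# Added example (not from the original post): Exchange 2010 SP1 Management Shell.
# The policy name and the admin address below are hypothetical placeholders.

# 1. A device policy that requires a PIN and on-device encryption, and refuses
#    clients that cannot negotiate (provision) a policy at all. The server cannot
#    inspect the handset: it trusts the client's own report that the policy was
#    applied, which is why non-provisionable clients must be blocked outright
#    rather than waved through.
New-ActiveSyncMailboxPolicy -Name "PHI-RequireEncryption" `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock 00:15:00 `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AllowNonProvisionableDevices $false `
    -IsDefaultPolicy $true

# 2. Device models the organization has never seen are quarantined instead of
#    silently allowed, and an administrator is notified of each one.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "easadmin@example.org"

# 3. Per mailbox: ActiveSync (under the policy) and OWA stay on; POP, IMAP,
#    Exchange Web Services and RPC over HTTP (Outlook Anywhere) are closed.
#    WebDAV no longer exists in Exchange 2010; on Exchange 2007 it is removed by
#    disabling the /Exchange virtual directory in IIS (not shown here).
Get-Mailbox -ResultSize Unlimited | Set-CASMailbox `
    -ActiveSyncEnabled $true `
    -ActiveSyncMailboxPolicy "PHI-RequireEncryption" `
    -OWAEnabled $true `
    -PopEnabled $false `
    -ImapEnabled $false `
    -EwsEnabled $false `
    -MAPIBlockOutlookRpcHttp $true

# 4. Audit: which partnered devices have not reported the policy as fully
#    applied? These are the handsets to chase down (or remote-wipe with
#    Clear-ActiveSyncDevice) before they are trusted with PHI.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity
} | Where-Object { $_.DevicePolicyApplicationStatus -ne "AppliedInFull" } |
    Select-Object Identity, DeviceType, DeviceModel, DeviceOS,
                  DevicePolicyApplied, DevicePolicyApplicationStatus,
                  LastSuccessSync, DeviceAccessState |
    Format-Table -AutoSize
```

Two caveats worth keeping in mind when relying on this. First, policy compliance is self-reported by the client, so the audit in step 4 tells you which devices claim to have applied the policy, not which ones actually encrypt storage; the quarantine default and the block on non-provisionable devices are what keep unknown or uncooperative clients out. Second, none of these settings helps in the keystroke-logger scenario above: a stolen password replays just as well over OWA or an SSL VPN as anywhere else, and that gap is closed by a second authentication factor, not by client-side encryption.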
I've described security as a continuous improvement process -- the journey is never done. I'm curious what you are doing to restrict remote access in a world of malware, BYOD, and enhanced regulatory enforcement. Comments are welcome!