Once it allows employees and clinicians in its hospitals to start using iPhones and iPads on the job on Oct. 1, the biggest issue for the Department of Veterans Affairs (VA) is information security.
Employees will be able to view sensitive data, but be unable to download and store information on a mobile device unless it meets security requirements. The viewer tool is a capability that VA has utilized for other devices, such as employees’ home computers, said Roger Baker, VA CIO.
The two devices are the first of many, over the long term, that VA anticipates will be able to connect to its network and access veterans’ information. The government-acquired BlackBerry has been the sole smartphone or mobile device that VA has sanctioned on its network.
Baker announced in June that VA would begin in October to allow the most popular mobile devices, but did not name them.
The Apple devices will be used primarily for administrative type of information, encrypted e-mail and for general access to the VA network and its electronic medical system.
Employees and medical staff who want to access VA’s network using an iPhone or iPad must first be authenticated at their facility as an official VA user. VA will apply mobile device management (MDM) software, which is available from a variety of vendors, to secure, manage and monitor mobile devices across service providers and organizations, before the Apple device can connect to the VA network to assure a secure environment.
“It’s not just about encryption but the device characteristics, its ability to keep various programs from interfering with one another and our ability to detect what’s occurring on the device so we are confident that the information is protected,” Baker said at a July 25 briefing with reporters.
VA is considering allowing applications to actually store information on the device – but must first verify that the encryption of the information and the security controls on the device are adequate.
The expectation, based on a pilot that is underway, is that the encryption being applied on the device will be adequate for the type of information that can be put on the device, even if it may not meet the federally required Federal Information Processing Standard (FIPS) 140-2 for encryption from the National Institute of Standards and Technology (NIST).
“I will accept the risk for the organization that that encryption is sufficiently strong, that it does not present an undue risk of information breach,” Baker said.
“We’ve got to make certain that the applications that we allow to run on the device are broad enough that we’re not going to be draconian in our requirements,” he said. On the other side, users are going to have to recognize that there are apps that could cause security issues. “If we haven’t checked it out, we’re going to have our primary concern be the security of any information on that device."
Over the long term, VA wants to let employees use devices that they have bought themselves. “But we will enforce the same security on the personally owned as government owned devices,” said Baker.
VA has 330,000 employees, clinicians, and other potential users for mobile devices. The department has bought as many as 30,000 BlackBerry smartphones. But VA privacy reports have shown that many employees are already using Apple devices and other electronic tools without authority.
“Do I want them to be used the way that I have defined so I feel there is a high degree of security? Or do I want the users to define how they are going to use them? As CIO, if I am the chief ‘no’ officer, then my users are going to figure out a way to have ‘yes’ be the answer," said Baker. Instead, these devices will be certified and will use encryption technologies that have been submitted for certification, he added.