VA moves to protect BYOD devices
The Department of Veterans Affairs expects to formally award a contract for mobile device manager software by Sept. 30. The technology will enable VA to ultimately support up to 100,000 devices and allow employees and clinicians to use their own devices.
The “bring your own device” (BYOD) policy, however, will set limitations regarding data security on personal devices to protect veterans information, according to Roger Baker, VA CIO.
[See also: 6 keys to developing a BYOD program]
For example, thousands of medical students practice annually at VA hospitals, and with the mobile device manager, they will be able to use their own mobile devices if they agree to certain restrictions.
Baker anticipates that the mobile device management (MDM) vendor will be publicly announced next week. VA is slated to select the vendor by the end of federal fiscal 2012, which is Sept. 30.
VA has already awarded $500 million in IT contracts in September in order to get in under the fiscal year-end deadline, he said during a Sept. 26 briefing with reporters. VA external spending for IT in 2012 is between $2.3 billion to $2.5 billion.
MDM to support 100,000 devices
[See also: Kaiser goes mobile with 9 million strong]
The MDM software will be more robust than the mobile manager now in place and will be used across the VA enterprise. Over time, VA expects the MDM to support up to 100,000 bought or brought devices, which could be Apple iPhones and iPads and other smart phones as they are introduced to the department, in addition to the currently managed Blackberries.
Once the MDM contract is awarded, VA will consider an internal apps store, Baker said.
It’s not clear how many mobile devices the VA will buy, and when it does, the mobile devices will not be just one particular brand.
“We will look at the business case for productivity and savings from having mobile devices,” he said, adding that “buying the devices has to be driven by the business requirement.” The services behind the device, including the MDM, the systems, and the network are specified and supported by the IT organization.
VA businesses will decide how to use such devices and whether that is best done from a BYOD or government purchased machine.
“Our major role where the device is concerned is specifying and enforcing information security for the device and the apps. From there, the type of device is so varied that we view it as a business device, not an IT device,” Baker said.
VA employees can already use their own mobile machines to view data through the department’s access gateways. But to get inside the network to download and store the information with a BYOD device will require policies set by VA IT.
With the MDM in place, VA will verify that the BYOD is not running software that could compromise security. Baker described some of the limitations on BYOD, including that employees will need to:
- Acknowledge if their device has been “jail broken”, and if so they will be denied access to the network
- Acknowledge that because the device may at some point have VA information on it, VA may wipe the device clean if it is determined the information is at risk
- Sign up for rules of behavior when using such devices if they plan to store VA data
- Agree that the device, if it will be used to store data, can be brought under VA controls to verify that there is no VA information on it or look at what was done with that data
The ability to wipe the device clean if there is VA information stored on it that is at risk will be a key issue.
“They may have their iTunes store and the apps they’ve bought on it, so they would be able to reload it, but it will be inconvenient if we have to wipe it to protect VA information,” Baker said.
“There are a variety of things that 95 percent of population will say 'that doesn’t bother me at all,' and 5 percent will say, 'no, you’re not going to do that with my device,'” Baker said, adding that it will be critical that “there is clear communication of expectations between VA and the individual relative to what’s going to happen.”