This document summarizes a presentation on enterprise mobility and mobile security. It discusses the goals of enterprise mobility such as increasing productivity and reducing risk. It covers topics like mobile device encryption, access control, mobile device management technologies, and unexpected expenses of data protection. The presentation emphasizes that mobility is about managing data, not just the devices, and discusses privacy and security risks, best practices, and the need for a governance, risk and compliance framework when adopting mobile solutions.

1. It's About the Data, Stupid! Real
World Mobile Security
www.onlinetech.com Copyright 2012 Online Tech. All rights reserved. CONFIDENTIAL 734.213.2020

2. Speakers
Marie-Michelle Strah, Ph.D., Founder of Phydian Systems
Marie-Michelle Strah, Ph.D., is a healthcare enterprise architect in the Washington D.C.
area specializing in strategy, information architecture, information security and data
architecture for federal and commercial clients. She is the founder of Phydian Systems
LLC and an adjunct professor of Healthcare Information Technology at Catholic
University of America. She brings more than 15 years of experience in enterprise
architecture, healthcare, information technology management, and research and
development internationally.
April Sage, Marketing Director, Online Tech
April Sage has been involved in the IT industry for over two decades, starting in the pre-
Windows era as the founder of an IT school teaching DOS, WordPerfect, and FoxPro. In
the early 2000s, April founded a bioinformatics company that supported biotech,
pharma, and bioinformatic companies in the development of research portals, drug
discovery search engines, and other software systems. Since then, April has been
involved in the development and implementation of online business plans and
marketing strategies across insurance, legal, entertainment, and retail industries until
her current position as Marketing Director of Online Tech.
www.onlinetech.com Copyright 2012 Online Tech. All rights reserved. CONFIDENTIAL 734.213.2020

3. GOALS OF ENTERPRISE
MOBILITY
• Building productivity
• Reducing risk
• Mobile device encryption
• Access control
• Policy vs. technical controls
• MDM technologies – maturity?
• Unexpected expenses of data protection
Source: http://www.readwriteweb.com/enterprise/2011/03/consumerization-of-it-95-of-in.php
10/2/2012 All content (c) 2012 Phydian Systems LLC. All rights reserved. 3

4. 10/2/2012
Enterprise Mobility and Consumerization of IT
CONCEPTUALIZING “MOBILE HEALTH”
All content (c) 2012 Phydian Systems LLC. All rights reserved. 4

5. 10/2/2012
It’s NOT about the device…
TWEETING ENTERPRISE MOBILITY
All content (c) 2012 Phydian Systems LLC. All rights reserved. 5

6. 10/2/2012
mHealth: Mobile is enabler…
CONCEPTUALIZING “MOBILE HEALTH”
Mobile is enabler…
• Patients
• Providers
• “Wellness lifecycle”
• Productivity
From “there’s an app for that” to
enterprise information management
lifecycle
• Content delivery
• Cloud and thin client
Source: http://healthpopuli.com/2011/02/15/success-factor-for-
mobile-health-mash-up-the-development-team/
All content (c) 2012 Phydian Systems LLC. All rights reserved. 6

7. Mobile Health can both:
• Increase risk
• Reduce risk
• Practice size affects risk profile
Key is:
• Planning
• Business Case Analyses
• Master Data Management
M OBILE H EA LTH : P R IVA C Y A ND S EC UR ITY R IS K S … BEYOND C OM P LIA NCE
54% of 464 HIPAA breaches affecting 500 or more
individuals from 9/2001 to July 2012 involved loss or
theft of unencrypted mobile devices
Sources:
http://www.govinfosecurity.com/interviews/onc-plans-mobile-security-guidance-i-1629
http://pinterest.com/pin/123849058473938431/
10/2/2012 All content (c) 2012 Phydian Systems LLC. All rights reserved. 7

8. • Conceptualizing “mobile health” – business cases for IT infrastructure
management
• GRC – governance, risk and compliance in a CoIT framework
• Best practices for CoIT in healthcare
• Security Risk Analysis
• PTA/PIA
• Stakeholders
• Policy vs. technical controls
• Lessons learned | Considerations for the enterprise
FIRST QUESTION: WHY BYOD?
10/2/2012 All content (c) 2012 Phydian Systems LLC. All rights reserved. 8

9. 10/2/2012
BUSINESS CASE ANALYSIS - BYOD
TCO (Total Cost of Ownership)
Why BYOD? Is it actually cheaper?
Are you simply shifting costs?
• License and account
management (telecom)
• Responsive design:
Testing/QA/Usability
• Enforcement: Policies,
standards, training
• Realigning enterprise
architecture for BYOD mobile
environment
• Scaleability
All content (c) 2012 Phydian Systems LLC. All rights reserved. 9

10. Managing human factors in mobile data
THE IDEAL
management
Employees Contractors Partners
Need to know
Need to manage
InfoSec IT Ops Legal

11. Managing human factors in mobile data
THE REALITY
management
Employees IT Ops Contractors Partners
Manage
Know
InfoSec Legal

12. THE CHALLENGE
Adopting Governance and Risk Based Model to
BYOD
• There is no endpoint
• There is no perimeter
• Users own the data
• NoEmployees
one owns the risk
Contractors Partners
• Security doesn’t have control
• IT Ops own the databases
• IT Ops own the servers
• IT Ops own the apps
InfoSec IT Ops Legal

13. GRC FOR HEALTHCARE
• Governance – organizational and IT
• Risk – management and mitigation
• Compliance – HITECH/Meaningful Use/42 CFR
• BYOx/CoIT *must* be part of overall GRC strategy
• Security Risk Analysis
• PTA/PIA
• Stakeholders – CPGs, workflow, training
• Policy vs. technical controls
10/2/2012 All content (c) 2012 Phydian Systems LLC. All rights reserved. 13

14. 10/2/2012
HIGH LEVEL REFERENCE ARCHITECTURE MOBILE HEALTH
Source: http://www.mobilehealthlive.org/publications/discussion-papers/a-high-level-reference-architecture-for-mobile-health/20460/
All content (c) 2012 Phydian Systems LLC. All rights reserved. 14

15. 10/2/2012
MASTER DATA HUB AND EXAMPLES
Case Studies
So it’s about the
data, and… … the device, but
not “just” about the
device
VA looks to establish BYOD mobile device management protocols
(www.mhimss.org)
• MDM software
• Systems, network, apps supported by VA
• No jailbroken devices
• Wiping personal devices if compromised
• Rules of behavior required if storing VA data
• Personal device can be brought under VA control if needed
All content (c) 2012 Phydian Systems LLC. All rights reserved. 15

16. HEALTHCARE INFORMATION TRANSFORMATION
Master Data Enterprise Then…
EIM
MDM
MDM2
Management Information Master
Management Device
Management
Data-
centric
Device- model
(or
hardware)
Reactive centric
Posture model

17. MINIMUM TECHNICAL REQUIREMENTS
• Policy
• Wireless
Encryption of
Data at Rest
• Data segmentation (on premise, cloud,
metadata)
• Customer support (heterogeneity)
• Infection control
Encryption of • MSIRT
Data in Motion
• Vendor evaluation (the myth of the
“HIPAA Good Housekeeping Seal”)
• Applications: APM and ALM
Two Factor • Infrastructure
Authentication
• Costs
HIPAA Security Rule: Remote Use
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf

18. QUESTIONS?
10/2/2012 All content (c) 2012 Phydian Systems LLC. All rights reserved. 18

19. Upcoming Events Contact Info
 SecureWorld Expo Marie-Michelle Strah
@cyberslate
 Detroit, MI, October 3rd & 4th
http://www.linkedin.com/in/drstrah
mstrah@phydiansystems.com
www.phydiansystems.com
 Midwest HIMSS
 Des Moines, IA, November 11th-13th
April Sage
asage@onlinetech.com
 mHealth Summit www.onlinetech.com
 Washington, DC, December 3rd-5th Main: 734-213-2020
 HIMSS 2013
 New Orleans, March 3rd-7th 2013, Booth # 1369
www.onlinetech.com Copyright 2012 Online Tech. All rights reserved. CONFIDENTIAL 734.213.2020