Beth Israel Hospital Mobile Security Plan for Access–Bring Your Mobile Computer In and We Will Encrypt It For You Otherwis
Posted Jul 23 2012 6:10pm
This is from Dr. Halamka’s blog at Harvard Medical. You may have read they lost a notebook recently and they had issues before with a 3rd party vendor over security I think about a year ago. You know as a CIO and he’s one of the best out there when you have a second issue such as this one, time to buckle down and encrypt, lay the law down. This applies to all staff and students who will be required to bring their devices in. The first step are those owned by the school or hospital. He has set up a depot where users can bring them in. This is step number one and step number two will involve computers that are employee owned that connect and he will update us as it moves along. This is mandatory so no ifs ands or buts on the new policy.
Good old active sync for Exchange email now requires a password and there will be more updates in the mobile phone area he states. I like the “auto wipe” and that is a good thing for sure. I remember when Microsoft brought that out with remote wiping for the IS folks, a very good thing if a phone is lost or stolen, IT does the remote wipe. Ipads are right in here too as well as his reminder notice not to use a consumer cloud service for back up before bringing the unit in. The following statement is of interest as well, users will have some level of responsibility for maintaining the security of the device, so time for everyone to learn up. Stuff like this though is good as it is information that sometimes is also applicable and good education for maintaining one’s own person computer too.
“Pick Up the Device - Upon returning the device, depot staff will brief you on what work was done and your on-going responsibilities for maintaining the security of the device.”
This is really a good idea though as the laptops will be scanned for any malware at the time and given an good overall check for anything else that may be wrong or need to be updated. As far as connecting the IS folks will be monitoring and if anyone is found online with a device that has not been screened, they will be blocked. Dr. Halamka will also share with us what he has learned about supporting personal device security that connect to networks as well. Good article and I’m sure the time and loss of a unit for a day or a few hours will have a few moans and groans, but they are taking action to secure devices and data with encryption. There’s a link in the usual spot to his entire post at the end of this post. BD
"Information Systems will be conducting an aggressive campaign to ensure every mobile device is encrypted. This initiative applies to all staff and students. The program is mandatory and required for any mobile device used to access BIDMC-related systems, programs or documents, including email, clinical applications and administrative documents such as financial spreadsheets, grant information or staff lists.
The first phase, beginning this week, focuses on institutionally owned laptops and iPad-type tablet computers. Other versions of tablet computers will be addressed in a later phase. Service depots will be set up in and around the main campus. The first location will be the Center for Life Sciences (CLS). This building was chosen because it has the largest population of laptops and iPads.
Prepare Your Device – Prior to dropping off the laptop or iPad at the service depot, delete unneeded applications and data. All valuable data and important files, email, applications and other documents stored on the device should be backed up to your network home directory. Do NOT back up the data to an Internet cloud service such as Apple’s iCloud, or DropBox. Storing protected health or personal information on these sites is against corporate security policy.
From this point forward, newly acquired laptop and tablet computers purchased from institutional funds cannot be used to access the BIDMC data network until their encryption status is verified by Information Systems.