Mobile Device Management
Addressing Risk and Expanding Mobile Options with Restrictions to Enhance Security
"We really see a substantial clinical use for the newer mobile devices," he says in an interview with HealthcareInfoSecurity. "And I would expect to see, in the long run, a phase out of desktop computers and a phase in of mobile devices."
Until the VA began rolling out Apple devices Oct. 1, the only mobile devices staff could use to access internal networks and information were BlackBerries and laptops. But now, because of overwhelming demand to use iPads and iPhones, the VA has decided to develop security policies that accommodate a more open and diverse usage policy.
The mobile phenomenon raises serious questions about security, convenience, productivity and expense. Tom Wills, a senior analyst of risk, security and fraud for Javelin Strategy & Research, says there are no simple answers. The mobile market is diverging, with some organizations leaning toward increased use of personal devices, while others are going the opposite direction.
"You're going to see both scenarios, but your more security-conscious organizations, such as banks and government agencies, are going to tend toward requiring a separate, locked-down device," Wills says.
Security Details
In the interview, Baker says:
- The security measures for the Apple devices include encryption that meets Federal Information Processing Standard 140-2, and the use of two passwords, one for the device and one for the application. Plus, the VA will have the ability to remotely wipe all information from devices if any security concerns arise.
- About 1,500 VA-owned Apple devices will be implemented in the initial phase of the rollout, with personally owned iPads and iPhones accommodated starting early next year.
- The security issues involved in allowing personally owned devices are legal, rather than technical. "We're establishing what it is we need to have the user sign, relative to their personally-owned device, that will ensure, for example, that I have the right to wipe any VA information off of it at my discretion ... and ensure that I have the right to access the device to review it as needed."
- Initially, VA staff members will be able to use personally owned Apple mobile devices for limited purposes, such as to view, and not store, clinical records, or to transmit encrypted e-mail.
- Eventually, the VA likely will accommodate other types of mobile devices, including those using the Android operating system. The expansion of devices will depend on user demand as well as confirmation of adequate security measures.
- The VA will offer an "apps store" to provide VA-approved medical applications for iPads and iPhones. "Our apps will have evidence-based medicine behind them."
Baker also acknowledges that about one-third of the VA's BlackBerry devices were affected by the recent international outage. "They are important to us from a mobility standpoint, but we also had cell phones, laptops and other things to utilize," he says. "So I would not call it a huge outage for us."
Nevertheless, he says, the outage is a good example of why the VA needs to enable staff members to use a wider variety of mobile devices. "As we diversify our access methods, we will see less and less impact from outages along these lines," he says.
Baker was confirmed by the Senate as the assistant secretary for information and technology for the Department of Veterans Affairs on May 18, 2009. As assistant secretary, Baker serves as the CIO for the department, directly managing an organization of more than 7,500 information technology professionals and a budget of more than $3.3 billion. Among his previous positions, Baker served as CIO of the Department of Commerce from 1998 to 2001.