Hi James,

Thanks for sharing your insights.

sigh...maybe I'm just getting old, being pragmatic, or selling out -- but my takeaway from this iPad/OR stuff is to patent a single-use iPad sterile wrapping solution and sell the rights to a medical sterile packaging company. Considering the pervasive threat of nasties like MRSA [1] in medical environments, a single-use sterile iPad bag would help mitigate the most likely immediate threat to patient safety: dirty iPads crawling with Staphylococcus aureus.

ugh....I'm almost ashamed of myself ;)

Cheers,
--scm

[1] http://www.cdc.gov/mrsa/

On Fri, Jan 21, 2011 at 12:50, James Philput <[email protected]> wrote:
> I'm in a similar situation. We're currently rolling out security policies for tablet devices, and have been getting a lot of pushback from the medical staff. The thing that seems to be working here is a combination of policy and education. We're allowing personal iPads to be used if the user agrees to let us install a basic security profile on the device. The standard profile includes the usual wireless, email and VPN settings that we give to other remote users, but it also forces stronger passwords and a shorter idle screen lock. Those settings, coupled with treating all of the iDevice/tablets as untrusted resources, have gone a long way toward making the things less of a security risk.
>
> We've been trying to plan for more consumer devices on the network. It takes some effort and a bit more flexibility from a policy and procedure standpoint, but our willingness to work with the non-tech staff on this seems to have gained us a lot of good will. The users are much more willing to listen to why we don't want them to do something rather than just trying to find ways to evade us.
>
> Regards,
> James
>
> On Fri, Jan 21, 2011 at 11:25 AM, Shawn Merdinger <[email protected]> wrote:
>> Hi Phester,
>>
>> On Thu, Jan 20, 2011 at 20:50, phester <[email protected]> wrote:
>> > Yeah, but it illustrates a universal issue. If users can't do what they want over the network, they'll find a way around it.
>>
>> Exactly. This is great technology and enables medical pros to do more for patients.
>>
>> But it's also worth mentioning that security people can expect a great deal of pushback from medical pros when trying to assign the risk and place limitations on these kinds of consumer devices in a medical environment -- and believe me, they can be a tough group of articulate, forceful and powerful people to deal with. As a lowly network security monkey, I can vouch that it's no fun to go head-to-head with an MD with a Ph.D. who brings in millions in grants to the organization and wants to use his fancy iPad or iPhone for medical work.
>>
>> And I would go even further in that the article mentions medical schools like Stanford issuing iPads to incoming med students beginning 2014. So we can expect an entire new group of medical pros who expect support and security with these devices.
>>
>> What's also interesting and a huge, undefined challenge is the blending of these consumer devices into medical devices. With the addition of medical image viewing software on the iPad, that device has now transitioned from a personal learning/entertainment platform to a bona fide medical device, which opens up many more questions in terms of organizational policy, data management/retention, and regulatory requirements (HIPAA/HITECH, etc.). After all, one can jailbreak an iPad by visiting a website; clearly there are risks to PHI on an iPad, no?
>>
>> Further compounding the issue are cloud applications, specifically the growing use of personal cloud services like DropBox. There's a great deal of uncertainty as to DropBox use with medical information and regulatory requirements. For more than a year on the DropBox forums, folks have been going back and forth as to whether this application meets regulatory requirements. But, as you note, people are going to do what they want, and this is reinforced by DropBox making its way into "Top 20 Lists" of apps for medical pros [1].
>>
>> And with medical pros not fully understanding how personal storage cloud apps like DropBox actually work insofar as data retention and flow, we are facing tremendous challenges.
>>
>> "When asked about security concerns with the iPad, especially if one is left behind inadvertently, Dr. Feldman pointed out that as with everything web-based, nothing is stored on the device." [2]
>>
>> From a vendor perspective, there are huge opportunities in this space to provide workable security solutions for these kinds of devices and, as Bruce Schneier writes, the "Consumerization and Corporate IT Security" [3]. Bottom line is that we need these solutions to keep the management folks happy with their regulatory compliance goals, and to provide more assurance to network security guys like me who are sweating bullets and worrying in the trenches as we face irate medical pros with serious pull who expect us to not only secure these devices, but also take on the liability risks of data loss.
>>
>> > Said hospitals need to find a way to provide function securely. Solutions are out there.
>>
>> You mention there are solutions out there. I welcome further discussion, either off-list or on-list.
>>
>> Cheers,
>> --scm
>>
>> [1] http://www.imedicalapps.com/2010/12/bes-free-iphone-medical-apps-doctors-health-care-professionals/19/
>> [2] http://www.imedicalapps.com/2010/12/dropbox-osirix-ipad-radiology-images-operating-room/
>> [3] http://www.schneier.com/blog/archives/2010/09/consumerization.html
>> _______________________________________________
>> Fun and Misc security discussion for OT posts.
>> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
>> Note: funsec is a public and open mailing list.
