
1 6218 Mobile Devices - Are They Secure Enough for our Patient's Data?
Presented By Aaron Hendriks, CISSP
Other: Employee of University Health Network, Toronto, Ontario

2 Faculty/Presenter Disclosure
Faculty: Aaron Hendriks
Relationships with commercial interests:
– Not Applicable

3 Disclosure of Commercial Support
No commercial support

4 Agenda
Objective
Requirements
Testing
Results
Conclusions
Alternatives

5 Objective
Mobile devices are becoming a common tool for providing patient care.
– Interacting with patients
– Inputs for information
– Patient chart reference
– Video conferencing
How do we protect patient data on highly portable devices designed for open personal communications?

6 Requirements
By Law or Provincial Order
– PHIPA
– All portable media must be encrypted
– All systems that host PHI must have access controls

7 Requirements
Mandated by UHN
– Passwords should be 6-8 characters and complex
– Systems should prevent reuse of passwords
– We should be able to audit compliance controls
  Compliance should be automated
– System wipe, both remote and after failed logins
– We should be able to locate devices
– Device backups should be password protected and encrypted

8 Testing Devices
To ensure that devices can secure data according to UHN's mobile device requirements, we had to test the most common devices asked for or used by UHN staff.
All devices were tested in Bring Your Own (BYO) configurations.
– We chose:
  Apple iPad 2/3 and iPhone 4/5
  Android phones
  – Galaxy S3 and Galaxy Nexus
  Android tablet
  – Galaxy Tab

9 Methods
Configuration: All devices were given the most secure configuration possible.
– The Android devices were configured with complex passcodes and fully encrypted.
– The iOS devices were given complex passcodes.
Test devices for data access
– From a locked state, we used hacking tools to attempt access to information with stock and jail-broken devices.

10 Examples of Test Scenarios
Try to get into the device with a brute force password attack
Try to jailbreak the device without the device password and then get to data
Try to access information on a jail-broken/rooted device
Access data from a computer that has previously accessed the device in an unlocked state, when the device is locked.

11 Results Android
It is incredibly hard to access any data on the Android devices.
– Full encryption
Unfortunately, the add-on storage cards are usually not encrypted.
The biggest issue with Android is its applications
– Apps may be sending or accessing information without the user's knowledge.
– Apps from outside the Google market can be installed
Rooting can be hard to detect and will thwart all security
Backups are not protected by default
Android OS wrapper can be an issue

12 Results iOS
iOS by default only encrypts the OS, email and apps that are set to secure the data.
– All other areas of an iOS device are not encrypted
Controlling applications the user installs is difficult
– Cannot prevent install or remove prohibited apps
Cannot prevent Cloud backups
Access to a PC that has had the unlocked unit plugged in
– This will thwart all security on the device.
Jail-breaking a device removes all security

13 Conclusions
What:
– Secure passwords required
– Encryption
– Ensure devices are not jail-broken or rooted
– Dangerous/unsecure applications are removed or limited

14 Controls
How:
– MDM (Mobile Device Management)
– Policies/controls
  Data wipe acceptance
  Limitations on actions (apps, who can use, cloud sync)
– Training
– Application development standards
– Do not allow BYO?
– Do not allow sharing of devices?

15 Alternatives
Use presentation models for all access to systems
– Remote Desktop solutions
– Application delivery
– Web based applications

16 Contact information
Aaron Hendriks
aaron.hendriks@uhn.ca

