funsec mailing list archives

Re: [article] The iPad in the Hospital and Operating Room


From: Shawn Merdinger <shawnmer () gmail com>
Date: Fri, 21 Jan 2011 11:25:07 -0500

Hi Phester,

On Thu, Jan 20, 2011 at 20:50, phester <funsec () armorfirewall com> wrote:
> Yeah, but it illustrates a universal issue. If users can't do what they
> want over the network, they'll find a way around it.

Exactly.  This is great technology and enables medical pros to do more
for patients.

But it's also worth mentioning that security people can expect a great
deal of pushback from medical pros when trying to assign the risk and
place limitations on these kinds of consumer devices in a medical
environment -- and believe me, they can be a tough group of
articulate, forceful and powerful people to deal with.  As a lowly
network security monkey, I can vouch that it's no fun to go
head-to-head with an MD with a Ph.D. who brings in millions in
grants to the organization and wants to use his fancy iPad or iPhone
for medical work.

And I would go even further, in that the article mentions medical
schools like Stanford issuing iPads to incoming med students beginning
2014.  So we can expect an entire new group of medical pros who expect
support and security with these devices.

What's also interesting, and a huge, undefined challenge, is the
blending of these consumer devices into medical devices.  With the
addition of medical image viewing software on the iPad, that device
has now transitioned from a personal learning/entertainment platform
to a bona fide medical device, which opens up many more questions in
terms of organizational policy, data management/retention, and
regulatory requirements (HIPAA/HITECH, etc.).  After all, one can
jailbreak an iPad by visiting a website; clearly there are risks to
PHI on an iPad, no?

Further compounding the issue are cloud applications, specifically the
growing use of personal cloud services like DropBox.  There's a great
deal of uncertainty as to DropBox use with medical information and
regulatory requirements.  For more than a year on the DropBox forums,
folks have been going back and forth as to whether this application meets
regulatory requirements.  But, as you note, people are going to do
what they want, and this is reinforced by DropBox making its way into
"Top 20 Lists" of apps for medical pros [1].

And with medical pros not fully understanding how personal storage
cloud apps like DropBox actually work insofar as data retention and
flow, we are facing tremendous challenges.

"When asked about security concerns with the iPad, especially if one
is left behind inadvertently, Dr. Feldman pointed out that as with
everything web-based, nothing is stored on the device." [2]

From a vendor perspective, there are huge opportunities in this space
to provide workable security solutions for these kinds of devices, as
Bruce Schneier writes in "Consumerization and Corporate IT
Security" [3].  The bottom line is that we need these solutions to keep the
management folks happy with their regulatory compliance goals, and to
provide more assurance to network security guys like me who are
sweating bullets and worrying in the trenches as we face irate medical
pros with serious pull who expect us to not only secure these devices,
but also take on the liability risks of data loss.

> Said hospitals need to find a way to provide function securely. Solutions
> are out there.

You mention there are solutions out there.  I welcome further
discussion, either off-list or on-list.

Cheers,
--scm


[1]  http://www.imedicalapps.com/2010/12/bes-free-iphone-medical-apps-doctors-health-care-professionals/19/
[2]  http://www.imedicalapps.com/2010/12/dropbox-osirix-ipad-radiology-images-operating-room/
[3]  http://www.schneier.com/blog/archives/2010/09/consumerization.html
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.