Mobile Healthcare = Better Healthcare: Medical Mobility Executive Panel Recap

Posted on 19 Oct 2012 in Android, Apple, ArmorText applications, BYOD, Enterprise, FIPS, Healthcare, HIPAA, NIST, Security

The Medical Mobility Executive Panel this week brought together the FDA, NCI, VHA, HHS and GSA. The discussions and presentations focused on the problems faced by, and the opportunities to improve, modern healthcare in a rapidly digitizing world.

Better healthcare – Mobile healthcare methods increase the speed of healthcare delivery and interactions between patient and healthcare provider which directly affects patient health (if this particular aspect interests you, as it does us, check back next week for details)

Better health – More efficient and accurate care

Reduced costs – Efficiencies never dreamed of with paper

Dr. Abdul Shaikh, Program Director, National Cancer Institute Behavioral Research Program

“Healthcare teams have no time – apps need to integrate w/ workflow, meet data standards and satisfy usability preferences.”

Mike Coene, Chief Technology Officer, FDA

“Our users want Android, Apple devices (& maybe Windows 8) – we need apps that keep data secure.”

“All apps must keep data secure and have offline capabilities. All apps require PIV and FIPS compliance.”

The FDA uses a variety of digital devices in the field, as well as proprietary programs containing trade-secret data. For managing these programs on users’ devices of choice (often the iPad), the path to FIPS compliance has not yet been charted. The FDA hopes that users will prefer the new Windows 8 phone, since compliance on Windows devices is familiar territory, but for the moment users want Apple and Android devices. Currently the FDA issues phones that are extremely locked down: they cannot be used outside of work, cannot download general-purpose apps, and cannot take pictures except through an app-specific camera. There is some discussion of whether an MDM (the approach Veterans Affairs chose for its contract) or an MAM solution would be the better fit for securing less hamstrung devices in the future; the distinction matters, because MDM enrolls and controls the whole device, while MAM wraps and controls individual apps and their data and leaves the rest of the device alone. In either case, all apps must keep data secure and work offline, and all require PIV authentication and FIPS-validated encryption.

Update 10/24 - Agencies looking to adopt the new iPad mini will run into security problems, because iOS’s cryptographic modules have not yet received FIPS 140-2 validation from the National Institute of Standards and Technology (NIST).

Kathy Frisbee, VHA Office of Informatics & Analytics Director of Web and Mobile Solutions

“Develop everything…so it works on all platforms.”

“Fail fast and fail small. There is a tsunami of patient data coming.”

“More than 1 BILLION has already been invested this year in mobile health”

The VHA recommends short pilots to address current and upcoming problems with the mobile security of patient data. It has focused on building a custom cloud environment for app development and a custom data sandbox on the mobile device. Apps that conform to the common information model are published to the VHA app store and downloaded into a “Launchpad”. This container app provides single sign-on to the other apps and carries data across them: the patient record opened in one app persists into the next without having to search for the patient again. None of this data persists on the device itself unless it is protected by encryption that meets FIPS 140-2 validation requirements. These apps need to be designed around current, discrete workflows, with a focus on usability, facilitating communication rather than adding steps to complete a task. The VHA currently uses AirWatch as its MDM.


Damon Davis, Special Assistant in the Office of the National Coordinator for Health IT, HHS

“Secure… and efficient delivery of appropriate care through electronic means =  better healthcare.”

Mobile health tools enable action: when you know your hemoglobin is high, or that your bank account is low, that knowledge drives appropriate behavior. There needs to be an attitude change on the provider side. Giving patients their data means they become more engaged; it means they are listening, not leaving. Currently providers are reluctant to share data with patients because of HIPAA: fear of a $1.5 million fine and a listing on the HHS breach “Wall of Shame” often means that no pertinent data is transferred to the patient at all. Yet, unknown to most, patients have a legal right of access to their own health records under HIPAA. In the future HHS hopes to see data exchanged in both directions, creating feedback loops in which patients report allergies, preferences and successes. Data not only needs to be pulled out of the system successfully; it also needs to be invited back in.

Through the Blue Button, you may have access to your claims or personal health information that is maintained by your doctors, hospitals, health plans, and others.

Secure messaging with Gryphn’s app:

“Go from unsure to secure in 60 seconds or less” with the year’s most innovative startup for national security.

Follow @GryphnCo on Twitter & Like Us on Facebook

ArmorText: Encrypted Text Messaging for SWAT

Posted on 24 Sep 2012 in Android, ArmorText, ArmorText applications, FIPS, Mobile Development, Press

Download today on Google Play.

http://storify.com/GryphnCo/armortext-protects-swat-teams

Harmonizing Industry Standards: Mobile Strategy DoD HIPAA FINRA FIPS

Posted on 17 Jul 2012 in Android, Apple, ArmorText, FINRA, FIPS, Healthcare, HIPAA

Last week we mused over the DoD’s publication on Mobile Device Strategy (DoD MDS) and the issues it might encounter. Over the week, the similarities between that document’s specifications and the regulatory requirements levied on the financial, federal and healthcare sectors became clear.

DoD MDS echoes the Federal Information Processing Standards (FIPS), the regulations governing the healthcare industry (HIPAA) and the financial industry (FINRA), particularly regarding on-device security structures and third-party control of the device. FINRA’s “remote monitoring” becomes “remote scanning” at the DoD[1]. The “role-based authentication” of FIPS 140-2 becomes “user type verification” for the DoD[2]. The DoD MDS document also references healthcare applications specifically: “(in) healthcare, providers could diagnose injuries and remotely access lab results while away from hospital premises.” Harmonized regulations would allow more variety and efficiency in app development, but they require clear guidelines and targets. Cross-industry regulations, and the security solutions built to meet them, are possible; they just need to be defined.

Harmonizing Industry Standards: Mobile Strategy DoD HIPAA FINRA FIPS: A Snapshot

A snapshot of the DoD’s new mobile device strategy requirements reveals significant overlap with the other industries struggling to manage and track valuable data through mobile messaging.

Perhaps it’s time for a single standard governing “secure and auditable” communication that serves as the foundation for all of these regulations: a single framework, perhaps one that provides tiers of security requirements (along with technical implementation guidelines) for access to different types of data, covering both identity-based and role-based authentication techniques.

Once the requirements are clear, mobile device strategy solutions can come from many places at once. Harmonized standards let developers work more coherently, advancing the technology more rapidly and more securely. Developers would not need to limit themselves to one industry’s specifications, and multi-use, multi-platform apps could be widely tested for bugs and issues.

Mobile Device Solution for the Department of Defense

Posted on 9 Jul 2012 in Enterprise, FINRA, FIPS, HIPAA, Mobile Development, News

On June 8th the DoD released its preliminary discussion of the complexities of mobile communications. It emphasizes the value of instantaneous, secure transfers between critical individuals and secure information exchange, pushing for the adoption of secure mobile practices. The DoD’s standards often become a reference point for other industries. While a more comprehensive mobile device plan is in the works, we content ourselves with a discussion of these preliminary statements. Industries using mobile devices in the private sector have lacked the regulatory consistency needed to drive mass adoption of new behavior.

The DoD is not the first institution to grapple with the difficulties of the ‘bring your own device’ (BYOD) culture. Many companies provide their employees with work-specific devices in order to maintain compliance with industry-specific regulations, only to have those same employees circumvent security policy by using their personal device because it is easier and consolidated. The financial industry requires a paper trail for mobile interactions, yet requiring employees to use e-mail or recorded phone calls disrupts how they want to do business. Doctors, in the interest of efficient communication, will text unencrypted patient information, unaware that this is considered a violation of healthcare information regulations, even though they may be saving lives; ordinary SMS is not end-to-end encrypted and is stored in the clear on both handsets and in carrier systems, so it offers none of the safeguards the HIPAA Security Rule expects for electronic PHI in transit. Industries have to be mindful of the friction between regulatory compliance and the function the device is designed to provide.

Mobile Device Solution for the Department of Defense: Two Requirements

Two requirements are made of the mobile device: first, that it perform a much-needed function (which it undoubtedly does) and, second, that it do so securely. Currently, mirroring their private-sector counterparts, an increasing number of DoD employees are engaged in “unconstrained piloting” of devices and apps, with uncoordinated successes and failures in both communication and security. Failures in security and function are numerous and generally untracked, differing greatly from carrier to carrier, phone to phone and app to app, an issue the DoD succinctly sums up as “(a) lack of security and interoperability across products.”

The Mobile Device Strategy document outlines critical issues that will need to be overcome in implementing a department-wide solution. As many enterprises have realized, the DoD understands that Mobile Lifecycle Management (MLM) and Mobile Device Management (MDM) alone are not enough. Both, provided by players such as BoxTone, MaaS360, Good, Emptoris and MobileIron, are necessary components of an overall security strategy and architecture, but attention also has to be given to apps and to the desired functionality of the devices.

So far the DoD is focused on high-level descriptions of the areas that need to be addressed: wireless infrastructure, mobile applications and the mobile device itself, with a view to physical as well as data security.

  1. Wireless Infrastructure: The DoD has seen a near 50% reduction in its allocated spectrum since the early 1990s, requiring more effective and efficient use of the remaining spectrum[1]. It is interested in partnering with universities to research and develop solutions to these issues.
  2. Mobile Device: “Although the use of commercial mobile devices is more cost-effective than developing customized devices, most do not come equipped out-of-the-box with the security controls, access protocols, and necessary security features required by DoD.” The concern continues with the lack of product control and the proliferation of mobile devices that all pose different security threats and require different security architectures.
  3. Mobile Applications: “The chief appeal of DoD mobile apps is low-cost, often faster development and delivery of simple but useful function. The DoD must streamline the approval processes for commercial mobile devices to enable timely deployment and use of this constantly evolving technology.” The document expands on the mobile app solution, suggesting a “mobile application certification process”.

While the implementation plan is yet to come, it’s time to start asking a few questions. Will application solutions be single- or multi-platform? Multi-platform solutions, while convenient if properly executed, greatly multiply the complexities. Apple’s iOS has a particularly long app approval process, and Android operating system updates follow a circuitous route through device manufacturers and carriers before finally reaching devices, which means security patches arrive late or not at all. Will these processes be fast enough to satisfy the security and time-sensitivity requirements of institutions such as the DoD? What about other industries like healthcare, financial services and law enforcement? As mentioned previously, a balance must be struck between mitigating security risks and providing the end user with a functional phone: users tend to maximize the utility of the device at the cost of compliance.

Mobile Device Solution for the Department of Defense: Simple, Native and Great UI/UX

Solutions must be simple; app interfaces need to be as “native” as possible in look and feel and provide a comfortable user experience while still offering consistent functionality across platforms; and before apps that provide redundant functions are built, options for combining work- and play-appropriate capabilities in one app must be explored. The app update process must also be regulated efficiently, avoiding the delays seen in the commercial realm from carriers’ review of mobile operating system updates[2]. Given how similarly this document reads to some of the compliance documents, there probably needs to be a common regulatory framework.

By the way if you are a patriotic mobile security startup, an individual champion of secure mobility, or an industry expert we’d love to connect. Reach out, we should be talking and supporting each other.
