Compliance, security and oversight for the mobile enterprise


Supporting and protecting the mobile enterprise: Think big

Protecting the mobile enterprise while allowing for the many business benefits mobility provides has never been more challenging. Read how these IT leaders are making mobile work.

The number of connected devices at Intermountain Healthcare has grown exponentially in recent years.

The Salt Lake City-based healthcare system has 10,000 laptops and another 20,000 tablets and smartphones. Then there are numerous other smart devices, such as fetal monitors, oxygen monitors and defibrillators, that store, process and/or transmit data.

Intermountain executives see mobile as an important part of the healthcare system's innovation strategy, recognizing that providers and patients increasingly are demanding access to data wherever they are, said CISO and assistant vice president Karl West.

On the other hand, the institution, with 40,000 employees and another 10,000 to 20,000 associated workers providing services, recognizes the critical need to protect data as it moves through a burgeoning number of devices.

"My team's job is to enable and not to become the barrier. It is a challenge," West said.

IT leaders have long balanced the somewhat competing needs of security and access. Although the policies, procedures and technologies aimed at protecting the mobile enterprise have matured, there is no single solution that satisfies all needs, security experts said. Instead, leading organizations are taking a diversified approach, layering on security measures to ensure that data and devices are available yet secure. Moreover, those leaders are breaking down the silo that had been mobile security and moving to a point that merges enterprise mobility management (EMM) with the broader approach of unified endpoint management (UEM).


This reflects the expanding role that mobility has in the enterprise. Smartphones and tablets are becoming the primary, or even sole, devices used by a growing number of workers. At the same time, the variety of mobile devices used in the enterprise continues to grow. Mobile, in many organizations, is no longer just about smartphones and tablets. Protecting the mobile enterprise today means dealing with augmented reality and virtual reality devices and wearables, from smartwatches to industry-specific technologies (e.g., connected medical monitors used in healthcare and smart glasses used in utilities). At some organizations, protecting the mobile enterprise also includes sensors and other internet of things components within the broader definitions of mobile security.


"We've moved beyond the tablet and smartphone to connected devices of all shapes. And beyond it all is the promise of how do we rethink how work gets done and automation. Then it becomes how we have these intelligent assets taking on more sophisticated autonomy and more complex tasks. As we do that, security and privacy come into play," said Bill Briggs, Deloitte's U.S. and global CTO and the inaugural leader of the firm's digital practice. "We used to have data at rest and in use, and the question was how do we protect them in each space. Now it's how do we protect those, as well as data in transit."

Mobile complexity calls for layered approach

The risks associated with mobile devices are significant, analysts said. Forrester Research reports that many employees use mobile devices to access sensitive content, including customer information, nonpublic financial data, intellectual property and corporate strategy materials.

More telling, perhaps, is the percentage of security breaches related to mobile devices, as calculated by Forrester's Global Business Technographics Security Survey, 2016. In a survey of 192 network security decision-makers whose firms experienced an external security breach during the prior year, 24% indicated that the breach involved a mobile device. However, 40% indicated that the breach involved an employee-owned device -- which, in the era of bring your own device (BYOD), suggests that a significant number of those breaches involved a smartphone or tablet.


Intermountain, in many ways, mirrors the mobile-related security issues facing many organizations. The organization has a mix of devices that are both corporate-owned and BYOD, West said. It also handles a diverse amount of data, much of which is governed by various regulations.

West said he takes a multipronged approach to mobile security, starting with the establishment of common controls. "We're looking at the highest levels to establish common controls to apply based on the type of data and the data classification and then the device," he said.

West has standard security measures that are enforced throughout the organization. He uses mobile device management (MDM) software to ensure devices have password protection, time-out functions and encryption. MDM also creates other security checks, including the ability to wipe all Intermountain data off any lost or stolen device. Personal devices used by workers must allow this software, in addition to allowing the organization to apply segmentation and containerization technologies to separate Intermountain applications (and, thus, data) from the user's own personal apps and information.

Although those are specific security measures for mobile devices, Intermountain has also extended some security measures beyond its servers and desktops to protect the full range of mobile devices being used in the organization, West said. For example, its whitelist/blacklist practices, where access to known nefarious sites is blocked, apply to mobile devices as much as they do to, say, servers. Intermountain also uses virtual desktop interfaces (VDIs) to keep data in servers, and not on devices.

West has added newer security approaches, such as ID group tagging and network segmentation, as well. These give Intermountain the ability to identify and group users, devices and activities -- such as payment transactions -- inside the network. "That's newer technology for segmenting and protecting networks and keeping people out of regions where data exists and giving them access to only the information they need," he explained.

Emerging mobile security tools: UEM, AI

Intermountain's approach to protecting the mobile enterprise tracks closely with what Forrester has identified as the four technologies that have gained traction: VDI, which it identifies as the most widely deployed technology for secure mobile access; MDM; app-centric mobile security technologies, with nearly one-third of organizations reporting that they either use application wrapping or monolithic application containers; and dual persona or dual device virtualization.

Despite the range of security tools, Chris Marsh, research director of workforce productivity and compliance at 451 Research, said EMM hasn't had any great advances in the past 18 months.

There are, however, emerging security technologies gaining more and more traction, he said. One is certainly the shift from EMM to universal unified endpoint management, or UEM.

"Organizations will look to EMM solutions to [expand in order to] secure and manage the world of devices beyond smartphones and tablets and basic wearables," he said.

He said another area is the use of cognitive analytics and artificial intelligence to detect abnormal use patterns that indicate security risks and then use intelligence to remediate it, whether the risk stems from mobile devices or other pieces in the IT stack.

"Both of those things are pretty nascent," Marsh said, adding that while these and existing technologies don't impact performance, some users might push back, thinking either that they will or that the technology itself is a privacy threat because it tracks use and locations.

Protecting the mobile enterprise: Cloud figures large

Wes Wright, CTO at Sutter Health, a health system based in Sacramento, Calif., said he's looking at this convergence of technologies as he moves his organization forward with its mobile initiatives.

The Sutter Health IT department serves 63,500 Active Directory users at 600 physical locations, Wright said. Right now, Sutter Health has about 7,000 mobile devices in the mix, mostly organization-owned iPhones, iPads and Samsung tablets but also some BYODs.

Wright said Sutter Health has been slow in mobile adoption because many enterprise application vendors have lagged in mobilizing their offerings.


That, though, is changing, he said, making it easier to expand mobile at his organization. Moreover, the growing number of enterprise applications offered as SaaS and PaaS is helping boost security, as well as mobile adoption.

"If I can decrease risk by making sure the application doesn't leave data on the device, that's what I'm going to do," he said, adding that Sutter Health also uses other tools, including MDM software, to create layers of security standards.

Still, he said, mobile security isn't a stand-alone function. Instead, Wright said it's wrapped into a strategy priority list. That approach follows the trend to look broadly at mobile security and where it fits into the enterprise as a whole.

"We want to be virtual, cloud, mobile first. To me, that's the progression we have to take for technology at Sutter Health. Your endgame is to be mobile. I don't mean mobile like mobile devices, I mean mobile in that I can put the data and the application wherever I want," he said.

His credo for protecting the mobile enterprise? Cloud figures large.

"To do that I have to virtualize everything so I can move it around. And I have to put as much as I can in the cloud, because I know I want the data available but I don't want data [being] moved around," he said. So by utilizing the cloud, "I can let people use the data without having people download the data. Then I can make it available to anyone on any device."

No one said that protecting the mobile enterprise would be simple. 
