Windows 8: Welcome Relief for BYOD-Induced CIO Insomnia

23 January 2013 | Dr. Dennis Schmuland, Chief health strategy officer, U.S. Health and Life Sciences, Microsoft

​Tablets and smartphones are slipping in through the front doors of healthcare organizations at a pace that could overpower even the most agile and seasoned IT departments. Non-employed physicians, contractors, and employees are bringing their tablets and smartphones into healthcare enterprises en masse and expecting IT departments to grant device access to the corporate apps and electronic protected health information (ePHI) they need to do their jobs.

This "bring your own device" (BYOD) trend is clearly here to stay and it appears that many CIOs may not even be aware of the prevalence of the trend inside their corporate walls. That's because as many as 69% of nurses are already using their personal smartphones at work despite 95% of the same nurses stating their hospital IT departments didn't support personal smartphone use for fear of security and compliance risks, according to a recent survey by Spyglass Consulting Group, "Healthcare Without Bounds: Point of Care Computing for Nursing 2012."
In a new twist, the same CIOs who used to determine what's best for the company now seem to have little choice but to embrace this unstoppable trend. In fact, according to the 2012 Ponemon Institute Benchmark Study on Patient Privacy and Data Security, 81 percent of healthcare providers now allow employees to use their own mobile devices to connect to the hospital network and more than half of employees are now participating in their hospital's “bring your own device” (BYOD) program. Indeed, most CIOs see the benefits of enabling people to work wherever they want using the devices they're most familiar with because it can unleash people's productivity, passion, innovation, and even give them a competitive advantage.
The opportunities and grief that this BYOD trend is creating for health & life science CIOs are depicted in this entertaining BYOD video. If you're a CIO reading this, I guarantee that you’ll smile and your head will both nod and shake.
But what's keeping CIOs awake at night aren't the productivity and benefits of BYOD, but rather the hidden costs and risks of supporting BYOD environments, many of which don't rear their ugly heads until it's too late. As more and more consumer devices enter the front door of the workplace, IT needs to not only deliver access to corporate resources for each user across a vast array of devices, but provide this access without compromising organizational requirements for compliance and cost.
BYOD Security Breach: A “When, Not If” Event or Vice Versa?
But here's what worries me the most about the 2012 Ponemon Institute study and the 81% of hospitals that have opened up their applications and ePHI to the BYOD tablets and smartphones of physicians and employees: Only 40% of them have confidence that they are able to prevent or quickly detect all patient data loss or theft.
And 40% is likely a gross overstatement if you consider the percentage of hospitals that have experienced a data breach in the past two years. According to the 2012 Ponemon Institute study, for most healthcare organizations, experiencing a data breach is no longer a matter of if, but, rather, when. The study revealed that 94 percent of hospitals experienced a data breach in the past two years involving with medical files, billing or insurance records.
What this really means is that few hospitals have implemented the minimum necessary privacy and security safeguards needed to adequately manage the risk of a security breach associated with BYOD tablets, smartphones, and USB drives running loose inside and outside their corporate walls.
Unfortunately, a recent survey by KLAS entitled, "2012 Mobile Applications: Can Enterprise Vendors Keep Up?" revealed just how underprepared hospitals are to prevent future security breaches as a result of their BYOD policy. When asked about the types of security methods they use to protect patient data on mobile devices:
  • 52% secure the data -- by using virtualization software to prevent data from being stored directly on a mobile device;
  • 43% secure the devices-- by using encryption software to encrypt ePHI on the device; and
  • 35% proactively monitor and manage the devices--by using mobile device management software installed on each device.
A Simple 3-Prong Security Strategy to Manage BYOD Breach Risk.
With data breaches clearly on the rise and the brand damage and cost of a security breach now averaging $2.4 million per breach, nearly every CIO I talk to is recognizing that they now need to deploy all three of the security methods listed above to make a security breach an “If, Not When” event. Most BYOD employees now admit that they download software not supported by the company and use non-supported websites they believe they need to do their jobs. And because the hospital is liable under HIPAA to enforce their on-premise privacy and security policies on BYOD devices, many are now incurring unplanned costs related to inspecting and installing security software on those devices to track them and remotely wipe them in the event of a security breach.
For example, after a BYOD laptop containing ePHI was stolen last summer from a physician's office, exposing medical summaries of 3,900 patients, Beth Israel Deaconess Medical Center (BIDMC) moved to a 3-prong strategy by adding encryption, anti-malware protection, and proactive mobile device management to its existing single-prong virtualization security strategy. This decision to proactively secure and manage devices, above and beyond their virtualization strategy is consistent with the conclusion that many CIOs have reached: BYOD policies that do not include all three security methods do not match today's BYOD business realities and leave healthcare organizations vulnerable to security breaches that are largely preventable.
Fortunately for healthcare organizations and their CIOs, Windows 8 was designed to give users a productive mobile experience, with touch friendly input and business-focused apps, and it was designed to do so in a CIO friendly way, compliant with enterprise standards. It’s not easy keeping both clinical users and compliance officials happy, but Windows 8 backed in tandem with the Microsoft infrastructure behind it, can achieve that goal. The great news is most health organizations already have some or most of the supporting infrastructure required to easily deploy the 3-prong security strategy to realize the benefits of BYOD and manage the growing risk of a BYOD security breach: secure the data, secure the devices, and manage the devices.
1.Secure the data. While running apps in a virtualized state keeps protected data from being stored locally on the device, the user experience for virtual applications is second class compared to installed applications designed to run natively on the device. Resolution is often low, speed is slower, functionality is limited, and pop-up keyboards can pose safety risks when they obscure contextual data that users should be aware of when entering data or orders. Windows 8 improves the virtualized experience for users by offering high resolution video, 3D graphics, multimedia, and local USB support, including voice within virtualized sessions. Additionally, Windows 8 devices with articulated keyboards can avoid the safety risks of pop-up keyboards while still allowing users to have the touch experience.
Microsoft RemoteApp, powered by Remote Desktop Services (RDS) in Windows Server, makes this possible. With RemoteApp, IT can deliver server hosted applications seamlessly side-by-side with local apps; this way IT can secure corporate data and manage apps centrally for users who are always connected and some who require business compliance. It allows IT to deliver applications running on a Remote Desktop Session Host side-by-side with local applications seamlessly.
Microsoft has also recently introduced three new technologies that will help CIOs manage the BYOD phenomenon: Dynamic Access Control, Windows To Go, and Exchange Data Loss Prevention (DLP). New in Windows Server 2012 is Dynamic Access Control which allows IT departments to classify and centrally protect and audit access to ePHI with finer granularity based on policy-based roles, devices, locations, content, and more. An overview demo of how Dynamic Access Control works can be found here and a free Dynamic Access Control toolkit is available to make it easy for any organization to identify, classify, and protect data on their file servers and set up a policy enforced by Dynamic Access Control to protect critical information and ePHI on the file servers. A whitepaper overview of Windows Server 2012 can be found here.
With Dynamic Access Control in Windows 8, healthcare enterprises can control access to resources with greater granularity using dynamic rules that consider multiple user attributes (department, title, etc.) to make access control decisions. These rules can also define polices that might require that the user’s PC is encrypted with BitLocker or that the user uses a second form of authentication to connect to ePHI.
Windows To Go is a new and innovative feature that CIOs will welcome with open arms because it enables them to reap the benefits of BYOD—productivity, innovation, and better device care—without incurring the usual malware, privacy, security, and safety risks of allowing employees to bring their own devices into the workplace.
Like carrying your desktop on a USB stick wherever you go, Windows To Go enables Windows 8 Enterprise users to boot a full version of Windows from certified external, encrypted USB drive on almost any compatible host PC. Windows To Go takes advantage of all the hardware on the computer as well as attached peripherals like the keyboard, mouse and monitor but never accesses the hard drive because it's hidden and inaccessible by default. Based on this even if the users device is infected with malware it’s harder to tamper with the Windows To Go operating system or data on the Windows To Go device. Windows To Go allows users to experience a fully functional Windows 8 workspace that includes all the files, folders, and apps the user needs to be instantly productive without touching or leaving data behind on the device. When using Windows To Go, no data is stored locally on the BYOD device.
With Windows To Go, CIOs can take advantage of the security of BitLocker, management, and productivity benefits of Windows 8 on unmanaged, personally owned BYOD devices like personally owned laptops, home computers, or tablets without needing to install or update software on the device. A datasheet written by the NSA (National Security Agency) on Windows To Go scenarios and guidance on how to implement Windows To Go can be found here: NSA Windows to Go Factsheet.
While viruses and targeted attacks can cause data breaches, for many organizations, user "send button" e-mail errors are actually a much greater source of data breaches. New in Exchange 2013 is Exchange Data Loss Prevention that identifies, monitors, and protects sensitive data—and helps users understand and manage data risk before they hit the “send button.” For example, DLP proactively identifies sensitive information such as health identifiers, social security or ePHI markers and alerts users when they are about to send it via email. DLP features scan both email messages and attachments to warn users in the form of “PolicyTips,” preventing data breaches while educating users.
2.Secure the devices. To give users the richer experience that device-optimized apps offer and avoid the functional limitations, obscured display safety risks, and productivity costs of running virtualized apps, many organizations like BIDMC are now adding another layer of defense beyond securing the data by implementing policies and infrastructure to secure the devices and assuming the costs of encrypting hard drives and installing up to date anti-malware on every personal device that accesses electronic protected health information (ePHI).
BitLocker encryption in Windows 8 helps CIOs sleep better at night because BitLocker can not only encrypt all data at rest, but it can also force encryption of USB sticks and external drives making it virtually impossible for thieves to access ePHI in the event a tablet, laptop, hard drive, or USB drive is lost or stolen. And Microsoft BitLocker Administration and Monitoring reduces the cost, time, and complexity of provisioning, monitoring, and recovering encryption keys as well as reporting and enforcing compliance of fixed and removable drives. Since a majority of the PHI breaches reported on the website today are due to theft of a laptop or desktop computer with an unencrypted hard drive, nearly every one of those breaches could have been prevented if the organization had turned BitLocker encryption on.
Secured Windows 8 devices offer the additional advantage of running any of the thousands of apps now in the Windows Store on which health professionals can swipe, tap, zoom, click, type, write or speak, depending on the input modality they prefer. And since most clinical and productivity apps do not run natively on non-Windows tablets, a secured Windows 8 tablet enables health professionals to run all the apps they need on that device, avoiding the hassle and productivity cost of switching between a non-Windows tablet and a PC laptop or workstation. They’re no longer forced to choose between the convenience of a personal tablet and the productivity and security of a business ready tablet.
But securing the device also requires controlling the apps that run on the device. AppLocker in Windows 7 and Windows 8 helps prevent unapproved or potentially harmful apps by allowing IT administrators to specify exactly the apps that are allowed to run on employees’ PCs. Health enterprises can use Group policy to whitelist or blacklist apps through AppLocker. Health enterprises can also keep prevent users from unauthorized downloads by setting up their own private Windows 8 app store and allow access only to those who need them and who have the authorized access, usernames, passwords, or even a special two-factor authentication method.
Windows 8 also offers end-to-end boot protection with Trusted Boot, which ensures that anti-malware is loaded before any third party drivers and applications so that malware can’t impersonate itself as software and load before the Early Load Anti-Malware (ELAM).
3. Manage the devices. For CIOs, the unstoppable deluge of devices now coming through the workplace doors is making the cost and complexity of managing those devices prohibitive at a most inopportune time when operating budgets and margins are shrinking. To improve visibility and policy enforcement, increase administrative efficiency, and reduce costs of managing an expanding population of diverse devices, CIOs must unify management, security, and compliance in a single infrastructure.
Fortunately, for enterprises already using Active Directory in Windows Server 2012 and System Center 2012 Configuration Manager (SCCM) as core components of their device security and management strategy, adding Windows 8 devices--whether owned or BYOD—are easy additions. And with the new integration between SCCM and Microsoft’s cloud-based device security and management service, Windows Intune, healthcare CIOs now have a unified infrastructure that gives them a single pane of glass to secure and manage physical, virtual, and mobile clients, including, Windows 8, Windows RT, Windows Phone 8 and other platforms.
Toward A People Centric BYOD Strategy: Manage the Experience to Drive Productivity
The first step toward fully realizing the productivity and economic benefits of BYOD is a single, unifying infrastructure that addresses data access, device security, management, and compliance to improve visibility, increase administrative efficiency, and reduce costs. At Microsoft, however, we believe that there's an essential second step that's often overshadowed by a singular focus on security and compliance. The second step is moving from defense to offense by shifting the primary focus from security and compliance to the user experience. When the focus of IT is primarily on securing data or devices, the user experience suffers because this approach typically forces users to swivel between a hodgepodge of interfaces and apps as they move between their tablet, laptop, phone, workstations, and wall displays.
When health organizations think much bigger about BYOD than merely controlling data and devices to prevent a security breach or satisfy regulatory compliance rules, and, instead, focus primarily on delivering the personalized user experiences that each worker needs to be productive and work together as teams to do their jobs, regardless of where their location and what device they are using, they're more likely to realize the productivity and economic benefits of BYOD. At Microsoft, we refer to this as “Empowering People-centric IT”.
A people-centric IT strategy will give health organizations the flexibility they need to support the broader range of workstyles needed to enable people to work where they want, on the device of their choice, both online and offline, including but not limited to personally-owned devices.The combination of Windows 8, System Center 2012 Configuration Manager and Windows Intune provides CIOs with the people-centric IT and unified management infrastructure they need to virtualize the user experience not just desktops, apps, or machines. This tightly integrated combination will enable IT to deliver a stable, secure and consistent portfolio of personalized experiences across devices and reduce the costs and complexities of securing and managing a diverse and growing universe of personal BYOD devices.
That should help every health CIO sleep better at night.
Additional Microsoft BYOD Resources:
How Microsoft IT approaches the Consumerization of IT trend as a strategy to provide the best hardware, software, and technology available to boost employee satisfaction and productivity: Microsoft IT Showcase: Consumerization of IT
How Windows 8 enables IT to support and manage a broader range of flexible workstyles

Dr. Dennis Schmuland
Chief health strategy officer, U.S. Health and Life Sciences, Microsoft