The National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) have invited comments on their draft cybersecurity guide, Mobile Device Security: Cloud & Hybrid Builds, which aims to help organizations protect data security on employees’ personal and organization-owned mobile devices.
However, as mobile device security is gaining attention in the healthcare sphere, healthcare IT leaders may not find the guide well suited to the industry, suggests Kunal Rupani, principal product manager at Accellion, who first spoke with Healthcare Dive regarding NIST’s July release of "Securing Electronic Health Records on Mobile Devices."
NIST describes its latest guide as a demonstration of how commercially available technologies can be used by companies to help secure sensitive data that is either stored on or accessed on mobile devices.
“While the guide uses a suite of commercial products as part of the example solution, it does not endorse any particular products or guarantee regulatory compliance,” the institute wrote in its announcement last week. “The NCCoE’s example solution may be adopted or be used as a starting point for tailoring and implementing parts of a solution.”
Despite the disclaimer, Rupani sees the demonstration as problematic.
“What I see is that this needed to be a solution and vendor-agnostic document. However, it’s not,” he says. He describes it as tied up primarily with four vendors: Microsoft, Symantec, Intel, and Lookout.
“What this has done, is it ties up the solution and reference architecture to this group of vendors, and limits the solution to capabilities just provided by them,” Rupani says. “At the same time it undermines the credibility of the design because of that fact.”
Moreover, he adds, the demonstration looks at only one approach: EMM (enterprise mobility management), which installs a management profile on the device and uses that profile to monitor and control it.
This is a problem for many enterprises with a bring-your-own-device (BYOD) culture, such as healthcare, Rupani says, because many employees do not want their own devices monitored, for personal privacy reasons.
“All enterprises are really looking for is a way to secure the enterprise content and not really the device,” he says. “They don’t want to be the big boss on their employee’s personal device. However, the solution in this document is just that. EMM products really monitor the end-user’s device.”
He suggests such a solution suits certain industries, but not all, healthcare among them. It can work well for organized collaboration between partner organizations, Rupani says, but he argues it does not suit the protection of data sent to individuals outside the organization, such as a doctor sending documents to a patient: the provider cannot simply tell an arbitrary end user to install the selected technology on their device.
"There are other products and other techniques to secure this content," Rupani says. He argues providing a reference guide using only EMM as a solution is a significant issue and likely to attract numerous comments during the comment period.
As for whether healthcare IT leaders can make use of the current NIST draft guide:
“I think this suits only a very small subset of IT leaders who can make use of the existing infrastructure using Microsoft and Symantec and Lookout,” Rupani says. “For the others, I think they have to rely on their own research.”
The NCCoE website has the draft guide available for download, as well as the link for submitting comments, which are being taken through Jan. 8, 2016.