
The Draw of the Telehealth Tablet
Kris Kelly-Campanale, Telehealth Systems Engineer, OHSU
David Trepp, President, Info@Risk
Telehealth Alliance of Oregon 2016 Summit
March 3rd, 2016
Introduction
Tablets offer great value for money and excellent
portability. They are a natural choice for telehealth.
But there are some very important considerations to
keep in mind when you’re planning your deployment.
Questions to Ask
Who is using it?
• Which person or groups of people will have access to
the tablet?
• Are they staff members or members of the public?
• How easy will it be to steal?
Some thoughts on BYOD
• Cheap…but is it worth it?
• Lots of quality variation
• Without the right infrastructure, high-risk
• With the right MDM tools it can work
• Separating personal from work is fundamental
How is it being used?
• Is this a “kiosk” or “staff assigned” tablet?
• Level of staff-driven configuration
• Which app(s) are required?
• What apps can be disabled?
• How well can you lock it down?
• Will it be used for a mix of clinical and personal?
• Who is provisioning the tablet?
Where are they using it?
• In a limited-access clinical unit? Public lobby? In
the field? At home?
• Some place “messy”?
• Bright or Dark Areas?
• Loud or Quiet?
What is it accessing?
• Probably PHI
• What data is stored on the device?
• Does it need A/V capabilities?
• How much text entry is needed?
• Does it need peripherals?
• How is it accessing the data (Cloud/Bluetooth)?
What if it gets stolen?
• Just assume it will be stolen
• What data is stored on the device?
• Can it be tracked?
• Can it be remotely wiped/locked?
Other Considerations
A/V Quality
• Not all tablets are created equal
• Front camera quality
• Speaker Loudness?
• Mic pick-up patterns?
• Echo
• Fan noise
• Evaluate/Demo tablets if possible
Packaging
• Protection
• Effect on audiovisual quality
• Including Accessories
• Asset Tracking
• Assume it will be dropped...hard
Wireless
• Which Wireless Network to Use?
• Is the WiFi trusted?
• AP Handoff
• Signal Strength Variations
Cellular
• Speed differences between LTE/3G/Edge
• Location services
• Know your geographical coverage area
• Does your facility use a distributed antenna (DAS)?
• Do you need real-time audio or video?
Platform Variations
• Apps look and perform differently between OS and
platform
• Quality limitations imposed by some platforms
• Network connectivity/performance
• OS/hardware based security features
Common Tablet Attack Vectors
• Ransomware attack point
• Online banking man-in-the-browser attacks
• Long connection time outs
• Locally stored data
• iOS background screen caching
• Crypto-currency mining attacks
Practical Security Strategies
• Start with a risk assessment
• Assume devices will be lost or stolen
• If an AP is not fully trusted, use cellular
• Turn off Bluetooth when not needed
• Turn off location services when not needed
• If possible, logout when done
• Vet all applications before downloading
Practical Security Strategies
• Segregate work and personal content
• Patch and update regularly
• Rigorously apply the concept of “Least Privilege”
• Authenticate inbound email
• Inspect links before clicking and beware QR codes
• Monitor file activity
• Encrypt data at rest and in transit
• Use NIST mobile standards
Why NIST Mobile Standards?
• The comprehensive NIST library is free
• Includes specific MDM guidance
– SP 1800-1: Securing Electronic Health Records on Mobile Devices
– SP 800-164: Draft Guidelines on HW-Rooted Security in Mobile Devices
– SP 800-163: Vetting the Security of Mobile Applications
– SP 800-124: Guidelines for Managing the Security of Mobile Devices
• Provides clear guidance for auditing and testing
– SP 800-53(A) and SP 800-115
• Used by federal regulatory agencies
Key NIST Mobile Device Controls*
*See NIST SP 1800-1b
Examples
Staff-Assigned, Hospital Tablet
A tablet assigned to an employee of a hospital
• Enforce PIN/Biometric Access
• Enable GPS/Location Tracking
• Limit access to app stores
• Disable cloud services*
Staff-Owned, Personal Tablet
A hospital staff member using their personal device at
work
• Really reconsider if you want to do this!
• Set up a robust mobile device management system
• Geo-fencing rules
Language Interpreter Tablet
A tablet that is handed to a patient for language
interpretation over video
• Lock it down to the video app
• Heavy duty, audiovisual-friendly case and stand
• Built-in stand
• GPS/Remote Wipe
• Location tracking
Warm Patient Handoff Tablet
A tablet used by a pool of hospital staff for conducting a
patient hand-off to a SNF via video
• Restrict to clinical team’s needed apps
• Heavy duty, audiovisual-friendly case and stand
• Built-in stand
• GPS/Remote Wipe
• Location tracking
In-Home Patient Tablet
A tablet given to a patient for monitoring post-discharge vitals
• Lock it down to needed apps
• Make sure cellular data rates match the use cases
• Heavy duty, audiovisual-friendly case and stand
• GPS/Remote Wipe
• Location tracking
• Check-in process
Questions & Comments