This blog was originally published here.
I recently had the good fortune of having dinner with the chief security officers (CSOs) from five major healthcare providers. The CSOs weren’t shy about what was plaguing them.
The biggest headache? Managing consumer devices. Doctors love their iPads and want to use them for work. (It must be the form factor-a next-gen version of the metal-covered chart ubiquitous on medical drama TV shows.) The real life numbers tell the same story. According to Manhattan Research, a healthcare market research firm, just one year after the iPad hit the market, 30 percent of U.S. physicians had adopted the device and an additional 28 percent plan to purchase an iPad within the next six months.
But as iPads spread virally throughout the healthcare industry, IT chiefs are left wondering if these new devices will compromise the security of their organizations. After all, it introduces a fundamental shift in the way we manage-or rather, relinquish managing-the endpoint. We are entering a world with more lightweight endpoint devices and more heterogeneous operating systems, and since these devices are often owned by the employee the IT team does not have control over the software running on these devices.
There are already some effective remedies for this challenge such as putting all sensitive data on a server and providing access from any device using a Virtual Desktop Infrastructure (VDI) session or an overlay operating system. This is a workable solution for some customers, but we must also think about how to further this treatment so that it will capture the native application experience. Any long-term answer to securing the “device du jour” will require coming up with innovative ideas that preserve the application experience that is of paramount importance to any user. Consider that while half of the innovation of consumer devices is in the hardware, the other half is in the software. When a security team dictates an approach, it needs it to embrace the software innovation (such as the beloved “swoosh” of the finger to move email messages). Think of it as preventative medicine. Enabling the experience we are addicted to is the key to ensuring a happy end-user community. (And we really don’t want anyone unhappy-most especially doctors.)
The best approach is one that allows the ability to segment business and personal data and applies the appropriate security policy to each. Enforcement happens in the cloud, while the endpoint keeps a separation between business and personal data, and makes sure that every transfer of business data passes through a scanning element somewhere in the network. It allows the devices to be used with their always-changing native apps and it simultaneously maintains even better security than we currently have with the fixed “corporate image” on the endpoint. This model is the future of enterprise computing.
While some in healthcare IT are experiencing the short-term pain of the iPad invasion, the device is actually a prescription for the long-term health the security industry. We need innovative, rapidly changing, unmanaged consumer devices that access cloud-based apps and pass through cloud-based security along the way. And, with a dramatically different-more holistic-enterprise computing architecture, everyone will feel much better.