VA's Plan for Mobile Device Security
CIO Roger Baker Reveals Details for iPhones, iPads
The security issues involved in allowing personally owned devices are legal, rather than technical, Baker contends in an exclusive interview with HealthcareInfo Security. "We're establishing what it is we need to have the user sign, relative to their personally owned device, that will ensure, for example, that I have the right to wipe any VA information off of it at my discretion ... and ensure that I have right to access the device to review it as needed."
Because the newer mobile devices will eventually be widely used for clinical purposes, "I would expect to see, in the long run, a phase out of desktop computers and a phase in of mobile devices," Baker says.
Until the VA began rolling out the Apple devices on Oct. 1, the only mobile devices VA staff could use to access information were BlackBerry smart phones and laptops. That's because these devices were best-equipped to accommodate the necessary security provisions, including encryption, Baker says (see: VA Taking It Slow on iPads, iPhones).
Because of overwhelming demand among VA clinicians and others to use iPads and iPhones, the VA decided to develop security policies so these devices could be accommodated as well, Baker says.
In the interview, Baker says:
- The security measures for the Apple devices include encryption of applications that meets the Federal Information Processing Standard 140-2 standard, and the use of two passwords, one for the device and one for the application. Plus, the VA will have the ability to remotely wipe all information from devices if any security concerns arise.
- About 1,500 VA-owned Apple devices will be implemented in the initial phase of the rollout, with personally owned iPads and iPhones accommodated starting early next year.
- Initially, VA staff members will be able to use personally owned Apple mobile devices for limited purposes, such as to view, and not store, clinical records, or to transmit encrypted e-mail.
- Eventually, the VA likely will accommodate other types of mobile devices, including those using the Android operating system. The expansion of devices will depend on user demand as well as confirmation of adequate security measures.
- The VA will offer an "apps store" to provide VA-approved medical applications for iPads and iPhones. "Our apps will have evidence-based medicine behind them."
Baker was confirmed by the Senate as the assistant secretary for information and technology for the Department of Veterans Affairs on May 18, 2009. As assistant secretary, Baker serves as the CIO for the department, directly managing an organization of more than 7,500 information technology professionals and a budget of more than $3.3 billion.
HOWARD ANDERSON: Until recently, when it comes to mobile devices, the VA has offered staff only BlackBerry Smart Phones and laptops. Now you are beginning to offer iPhones and iPads as well. So what were the concerns that led you to hold off on using these devices until now, and why did you decide to offer the new devices at this point?
ROGER BAKER: The main concern has been security. You know, one of the things that we absolutely require is that when we're putting any ... veteran's personal health or personal information on any kind of a mobile device that it has to be encrypted. With BlackBerries and with laptops, we had available full-unit encryption. On a laptop we encrypt the entire disk, and on a BlackBerry we encrypted the entire media for that unit. The way that the newer devices are built, they don't offer full disk-level encryption or full storage-level encryption, and that caused us a fair amount of issues in determining that we could adequately secure veteran's information. We wrestled through that and have gotten to the point where we understand how to do that and have embarked on a path to get there.
Why now is probably something that has been obvious to people for two years. These are extremely popular devices. About a year ago, what I told my folks was, "We're going to have to say yes. Figure out how to say that now instead of saying no for the next three or four years, and then have to do it on somebody else's terms." So we determined that we could meet the security requirements, and I'm certain we will see an awful lot of demand from our clinicians to use them in serving veterans.
New Mobile Devices
ANDERSON: Please describe the status of the rollout of iPhones and iPads. How many devices will be deployed initially, and how many do you think you'll eventually use? And what will be the primary purposes for which the devices will be used?
BAKER: We had been running about a 100-person pilot up until October 1. On October 1, we made support for the devices generally available. We will have a limited roll out for the next three or four months, about 1,500 devices. From there, I think the demand is going to be very high. I think it will be probably in excess of 100,000 devices over the next 18 months.
To address that, I expect that we will find a way to say "yes" to devices that individuals bring, rather than ones that the government has to buy. Clearly, I don't believe the government will buy that number of mobile devices; but we know that many of our employees and many of the residents that come to us to do medical care ... already bring those types of devices of their own. ... We are just wrestling with the issues of being able to allow those devices to access information as well.
How Devices Will be Used
ANDERSON: And the primary purposes for which they will be used at least initially are what?
BAKER: Well, I would say there are two main modalities. One is the classic administrative use that you've seen for other mobile devices - e-mail, scheduling, being able to just communicate administrative things. The much more interesting one for us is the concept of a clinician, a medical care provider, being able to carry a very user-friendly device with them from visit room to visit room in doing their rounds so they've go a persistent information store and that they've got, frankly, a number of applications available to them as they look at that information and do an analysis on that medical information.
We really see a substantial clinical use for the newer mobile devices, and I would expect to see, in the long run, a phase out of desktop computers and a phase in of mobile walk-around type devices.
ANDERSON: Initially you talked about security concerns. Could you describe how you will apply encryption for these new devices? Will you require the use of encryption that complies with the Federal Information Processing Standard 140-2 as if required on other government mobile devices?
BAKER: ... To this point, we have determined that every application we want to field actually does meet the FIPS 140-2 standard, so we're very, very pleased with that. Yes, anytime there is any chance of any information relative to a veteran being stored on the device that storage must be encrypted [via the application]. We're also requiring two passwords, one for access to the device, and one for access to each individual application. The application will be doing the encryption, and we've also found, so far, that the applications are managing the encrypted tunnel for communications back to the host. But all-in-all, in order to be approved for use ... it's going to have to store any information in that encryption standard and it's going to have to make certain that it meets all of the security standards that we think are necessary to ensure that there is adequate protection for veteran's information.
ANDERSON: Okay could you clarify under what circumstances users will be able to store personal information on the devices and also how will you use a mobile device manager system to enforce your various policies that you are describing?
BAKER: We envision two different types of applications from the device. One set of applications really is just being able to use the device to come in through a viewer to look at our standard applications, and we fielded that with these devices and it works well. No information is getting stored on the device, but it's not as fast and as friendly as a native application is on the device.
The other things that we're seeing are with e-mail and with some medical applications that we're developing - those applications will store information on the device. That information will be encrypted with the FIPS standard, and it will be password protected with a strong password that keeps anyone who might get unauthorized access [to a device] from accessing that information. We certainly will ... exercise the ability to [remotely] wipe devices if we determine in any way, shape or form that their status isn't known - that we don't know that they are with their authorized user. And that is part of the mobile device manager's [function]. But the mobile device manager, in particular, will manage which devices have been authorized to connect to our network. It will verify that no software that we believe causes any kind of compromise to the device is there.
For example if an Apple IOS device has had a jailbreak performed on it, the device will be immediately wiped for any information and will not be allowed access to the VA network until that issue is resolved through the local information security officer. So the MDM is going to play a pretty critical role for us. Every device before it's allowed to connect to the network will go through the MDM, and the MDM will verify that the device is only running software that we have approved and that all the policies on the device are still implemented as they're specified to be for access to the network. (See: VA Seeks Help with Mobile Security.)
I'll just point out one of the benefits from saying "yes" early is you get to qualify the way that you say "yes." So we found that our users are, in general, pretty happy with the concept of "yes, you can use the device but here are the terms for doing it." ... Had we waited a few more years and been forced into this, we would have had a much harder time being viewed as taking positive steps while implementing some fairly tight restrictions on what can be on the device and how the device can be used. So it's important to get out there and say "yes" early.
Mobile Application Development
ANDERSON: Eventually you expect to offer an app store that will provide applications approved for use within the department. So, when is that likely to happen, and what kind of apps do you anticipate making available?
BAKER: I really don't have a timeframe for you on this. We have now an applications development group ... that will, in effect, set all of the policies and procedures for verifying apps that are VA-certified. ... Clearly, from an IT perspective, we want to make certain that they don't do anything that will compromise our security and that they are supportable. But even more importantly, on the medical side, the medical folks are going to make certain that any app that goes out to VA clinicians or with any kind of a VA banner on it is based on evidence-based medicine.
You know there are tons and tons of medical apps available for download on these devices. Some of the basis that these apps are built on is, let's just say, I'm not a clinician, but I think a clinician would say "questionable." If we're going to provide an app for our clinicians to use, there will be evidence-based medicine behind it. Like for example, the app that is out there right now from the VA, the PTSD [Post-Traumatic Stress Disorder] application, has very strong evidence behind it for how it helps folks that may be suffering from post-traumatic stress disorder deal with the various facets of that issue.
Personal Mobile Devices
ANDERSON: Now am I correct in understanding that in these first few months, you're not allowing staff to use their personally owned iPhones and iPads, but that will change over time? And what are the primary security concerns involved in allowing personal devices, and how will you address those?
BAKER: The personal device issue is not really a technical one; it is a legal one. We're establishing what it is that we'll have the user sign relative to their personally owned device that will ensure, for example, I have the right to wipe any VA information off it at my discretion. It will ensure that if the device needs to be looked at for some reason, we will have access to it. So the issues that we wrestle with our less around the security of the devices, because we think we can handle that. It's more around the legal aspects of what level of control do we need to have as the government in order to ensure that all the right things are happening with the device when it connects to us or when it contains veterans' information. So, for example, in the near-term, we're looking at, in essence saying to folks, "Here are the things that we know we have well-controlled and it causes us no problem if you access them from your personal device." For example, it may be that we turn on only the viewer for people to access [clinical information with a] personal device in the beginning so no veteran's information is getting on to the device. It may be that we allow the e-mail client that is FIPS 140-2 encrypted to be used because we have good filters that tell us when private information is being e-mailed. If it's not encrypted, we have the ability to flag that. So we're just looking at what we can do with good confidence down that path.
We didn't feel like it was urgent to have that be part of the first wave of what we do with iPads, and we want to be cautious to follow a lot of due process to make certain that we do this the right way. We don't need any hiccups with veteran's information because that would certainly cause a major issue. So we're going to make sure that we're very cautious from that front.
ANDERSON: So is it safe to say you'll begin phasing in, as you described it, these personally owned devices next year then, not this year?
BAKER: Correct, but I would think probably earlier next year rather than later next year.
More Mobile Devices
ANDERSON: So when will you consider offering to accommodate other brands of tablets and smart phones either owned by the VA or personally owned, and how will you go about determining which ones are next?
BAKER: The easy answer to that is that we're open to anything that we get some significant demand from users for. I would expect that we will figure out how to do the same sort of thing with Android devices ... once the enterprisewide mobile device manager is [is fully operational and] once we start expanding the Apple device capability. [Android] is a different animal, and so the security issues are somewhat different. I would say the process goes along these lines: As we see demand from our user base, we'll go through and do an analysis of the operating system and the fundamentals of the device and determine a way that we can offer secure access to information from those devices for our users. It's possible that we would determine that we couldn't adequately secure a device and therefore we would determine that we wouldn't use it. I don't know of any that we think any devices are going to fit in that category at this point. ... We'll just look at the devices as they come along from that demand base.
ANDERSON: Okay finally then, did the recent BlackBerry outage affect the VA at all? What adjustments did you have to make to cope with it?
BAKER: So I got a real good lesson in probability last week. If one in three BlackBerries are affected by the outage, what is the probability that the [Department of VA] secretary's BlackBerry will be affected by the outage? It's 100%. So yeah, last week's outage definitely affected us. As I said, it was affecting about one in three of our BlackBerries. They are important to us from a mobility standpoint, but we also had cell phones, lap tops and other things to utilize. So I would not call it a huge outage for us.
We looked at whether or not there are ways to mitigate that, and I think, realistically, the main mitigation here is something that we've been talking about all along - which is diversity. As we diversify our access methods, we will see less and less impact from outages along those lines.