VA's Plan for Mobile Device Security

CIO Roger Baker Reveals Details for iPhones, iPads

By , October 20, 2011.
VA's Plan for Mobile Device Security
Read Transcript

Roger Baker, CIO at the Department of Veterans Affairs, outlines the department's mobile device security strategy, providing details on the rollout of iPhones and iPads.The VA expects to accommodate the use of as many as 100,000 iPads and iPhones within 18 months, including a mix of government-owned and personal mobile devices, Baker says.

"We really see a substantial clinical use for the newer mobile devices," he says in an interview with HealthcareInfoSecurity. "And I would expect to see, in the long run, a phase out of desktop computers and a phase in of mobile devices."

Until the VA began rolling out the Apple devices on Oct. 1, the only mobile devices VA staff could use to access information were BlackBerry smart phones and laptops. That's because these devices were best-equipped to accommodate the necessary security provisions, including encryption, Baker says (see: VA Taking It Slow on iPads, iPhones).

Because of overwhelming demand among VA clinicians and others to use iPads and iPhones, the VA decided to develop security policies so these devices could be accommodated as well, Baker says.

Security Details

In the interview, Baker says:
  • The security measures for the Apple devices include encryption that meets the Federal Information Processing Standard 140-2 standard, and the use of two passwords, one for the device and one for the application. Plus, the VA will have the ability to remotely wipe all information from devices if any security concerns arise.
  • About 1,500 VA-owned Apple devices will be implemented in the initial phase of the rollout, with personally owned iPads and iPhones accommodated starting early next year.
  • The security issues involved in allowing personally owned devices are legal, rather than technical. "We're establishing what it is we need to have the user sign, relative to their personally-owned device, that will ensure, for example, that I have the right to wipe any VA information off of it at my discretion.....and ensure that I have right to access the device to review it as needed."
  • Initially, VA staff members will be able to use personally owned Apple mobile devices for limited purposes, such as to view, and not store, clinical records, or to transmit encrypted e-mail.
  • Eventually, the VA likely will accommodate other types of mobile devices, including those using the Android operating system. The expansion of devices will depend on user demand as well as confirmation of adequate security measures.
  • The VA will offer an "apps store" to provide VA-approved medical applications for iPads and iPhones. "Our apps will have evidence-based medicine behind them."

Baker also acknowledges that about one-third of the VA's BlackBerry devices were affected by the recent international outage. "They are important to us from a mobility standpoint, but we also had cell phones, laptops and other things to utilize," he says. "So I would not call it a huge outage for us.

Nevertheless, he says, the outage is a good example of why the VA needs to enable staff members to use a wider variety of mobile devices. "As we diversify our access methods, we will see less and less impact from outages along these lines," he says.

Baker was confirmed by the Senate as the assistant secretary for information and technology for the Department of Veterans Affairs on May 18, 2009. As assistant secretary, Baker serves as the CIO for the department, directly managing an organization of more than 7,500 information technology professionals and a budget of more than $3.3 billion. Among his previous positions, Baker served as CIO of the Department of Commerce from 1998 to 2001.

Follow Howard Anderson on Twitter: @HealthInfoSec

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Breach Delays USPS Financial Report

Breaches continue to plague the regular operations of victimized organizations. Take, for instance,...

Latest Tweets and Mentions

ARTICLE Breach Delays USPS Financial Report

Breaches continue to plague the regular operations of victimized organizations. Take, for instance,...

The ISMG Network