rity risks ensued. It wasn’t clear how they could control data access and security on the devices.

The health care industry is far more open than other industries, with far more “free agents,” since physicians often have privileges at multiple hospitals. Consequently, a physician may have a smartphone accessing apps and data from more than one hospital and also have personal data on the device.

Further, physicians may want certain functionality. They may buy an app that offers the functionality or contract with a local developer to build it—and not tell the hospital. Having security built into apps is critical to health care organizations, but not to developers. For instance, it wasn’t until quite recently that native encryption came with Android devices.

Another consideration: When developers are writing an app for an iPhone or iPad, there is an API, or application programming interface, for a second level of encryption. But if developers aren’t told to use the second level, they won’t, Rege contends. They are focused on the platform, not application security. Consequently, whether an app is bought from a local or national shop, a developer is a contractor. After the purchase, the developer has disappeared, leaving the unknown, potentially unsecure app in place at the hospital. As a result, policy and design rules on how apps are built and what organizational data should be in a device have become necessary.

These factors set the stage for mobile device management software. It gives organizations centralized control over what I.T. devices are coming onto their premises and what those devices can and cannot do. MDM started with basic tools—enforcing passwords and encryption, and wiping data from lost devices. It has evolved to a centralized management platform across an enterprise, Rege says. “The device, user and app will change, but it’s all about the data.”

Talk to five mobile data security professionals and you’ll get five descriptions of what mobile device management is. Taken together, a well-rounded explanation of how MDM works emerges:

Rege: “Mobile device management configures the device and apps, protects the data, separates professional and personal data, and at the end of a session removes the professional data.”

Alan Dabbiere, chairman of mobile device security firm AirWatch: “Think of what functions the Blackberry management console has, and combine it with what remote desktop management does for imaging, application setup and confirmation management. That’s what we’re doing.”

Jim Shellhamer, technical systems analyst, Lehigh Valley Health Network, Allentown, Pa.: “MDM is making a mobile device secure yet accessible for business or enterprise use.”

John McConnell, enterprise architect, Fletcher Allen Health Care, Burlington, Vt.: “MDM is a way of allowing people to use their own mobile device to access company data and applications in a secure and reliable manner.”

Joel Taylor, CIO, Preferred Health Partners, a large multi-specialty group practice in Brooklyn: “MDM is the way in which you secure and manage any devices connecting to your network from all kinds of threats.” And those threats really are everywhere and constant, he adds. “In metro New York, the favorite thing for thugs to do on the subway is to swipe a smartphone out of your hand and take off.”

“The device, user and app will change, but it’s all about that data.”
—Ojas Rege

There have been tablet computers available with varying degrees of adoption for more than a decade. And personal digital assistants surely had more than 15 minutes of fame. But the mobile market we now know is very young, says Dabbiere at AirWatch. The smartphone market for the enterprise came of age in the fourth quarter of 2010 with the iPhone 4, he contends. Before that, there was no real comprehensive mobile device management outside of managing an organization’s desktops and laptops. Palm types of devices weren’t that manageable; you could enforce a password and wipe the device, but there was no remote management of access to e-mail, images and other data, or enterprise security enforcement for the device. Users configured their own devices.