iPad security: How a hospital group treated trouble

Doctors have fallen in love with the Apple iPad, becoming one of the biggest early adopters among professionals. They want iPads for personal use and to get their work done. It's the latter that has healthcare IT staff scrambling to secure the devices.

The problem is that the iPad's consumer-driven origins come into direct conflict with the nature of healthcare—namely, patient confidentiality and reliance on a few critical client-server apps.

Can the iPad succeed in hospitals?

"We had physicians coming to us as soon as the first iPad came into the Apple Store wanting to connect everything," says John McLendon, senior vice president of Adventist Health System (AHS), a not-for-profit Protestant healthcare provider with 44 hospitals across 12 states. He is also CIO for AHS Information Services, which maintains clinical and business systems for many of the hospitals.


For the past few months, McLendon has been working with tech vendors to make the iPad a viable tool in healthcare. He's had to implement a virtual desktop Citrix solution while he waits for one of his key patient-care app vendors, Cerner, to improve on its mobile offering.

Meanwhile, security and management of the iPad fall to Sharon Finney, AHS's corporate data security officer. She has been busily architecting what she calls a "sandbox" network with limited functionality and access that gets around the iPad's security shortcomings. Her assessment: The iPad can be secure enough for doctors to get much of their work done today, but the platform still has a ways to go.

Form-Factor: Hospitals Familiar with Tablets

The iPad took many hospitals, and their oft-conservative IT staff, by surprise. "The way we do a lot of the more strategic-oriented projects here, we plan them out for a couple of years with road-mapping sessions," says McLendon. "We didn't have a plan to embrace the iPad."

McLendon couldn't prepare for the iPad as he could with enterprise-class devices. He couldn't get his hands on a pre-release iPad model in order to test and certify it in his environment. He didn't even know when the iPad would be released to the general public.

When the iPad finally hit Apple Store shelves, doctors bought them up. Consider the findings of a survey by Good Technology, a mobile device management vendor: The number of iPad activations, from September to December last year, dramatically dipped at healthcare firms. The dip is indicative of a massive early adoption.

"Healthcare moved so quickly to the iPad, there was so much pent-up demand, that there was that initial spike," says John Herrema, senior vice president of corporate strategy technology at Good Technology, "and then things leveled off."

One of the reasons for the fast adoption of iPads in healthcare is doctors' familiarity with tablets. AHS, for instance, has Panasonic Toughbooks in its hospitals. But the difference between these tablets and iPads, at least from a security standpoint, is night and day, says Finney.

iPad's Security Shortcomings

AHS has a secured network at its hospitals that allows Toughbooks and other devices to communicate across it and access full-blown apps. AHS owns and centrally manages every device that touches this network. For instance, Finney can lock down these devices, remotely take control of them, install anti-virus software, and knock them off the network in a variety of ways.

"I can take a laptop, workstation or tablet and say you can only access these five applications and that's all you can do," Finney says. "I can say you cannot store data locally because that device is not rated and secured for that functionality. I cannot do that on an iPad."

But doctors still wanted to take their iPads to work. So Finney has been building a mid-tier "sandbox" network with some security around it. The plan calls for the "sandbox" network to be established across all AHS hospitals in the first quarter of this year.

She'll be able to control who has authority to get on the "sandbox" network. By knowing what devices are on the network, she'll have an idea of traffic levels and thus can guarantee levels of service from a bandwidth and performance perspective.

"I can also target my security tools at that segment of the network, and monitor and audit it," Finney says. "If there is an incident, a problem with one of the devices, then I can reasonably identify who that device belongs to."

AHS began working with Good Technology tools last spring to manage iPads, but Finney still lacks an enterprise management console for the Apple iOS. "Some of those tools are solely based on the functionality provided by the native OS," she says. "To my knowledge, there are no standards for the base functionality that an Android and an Apple provide that I, as an enterprise security officer, can tap into and secure that device."

One iPad App Stays in the Waiting Room

For AHS doctors, the most important app that they want to access on their iPads is Cerner. The highly complex Windows app lets doctors view online digital charts with real-time patient information, input data and place orders, among other tasks. Cerner doesn't have a native iPad app, but the app developer is putting the final touches on a mobile app version, which AHS will evaluate in March.

In the meantime, McLendon is putting a Citrix virtual desktop solution on the iPad.

The problem is that the Cerner app was made to be used with a mouse and has a complicated order system that's tailored to a large screen. With the Citrix client on the 10-inch iPad screen, tapping data-entry boxes requires tiny fingers or constant two-finger expanding and pinching in order to change the image size of the boxes on the screen.

"The form-factor of the iPad doesn't match up with the way the application was designed," McLendon says. "I'd say it's still cutting-edge to use [Cerner] with Citrix."

Bottom line: iPad-toting doctors on the "sandbox" network will be able to use Cerner, but the experience won't be a good one. Nor will they have all the communication rights and access to data and application features that they would have on the secured network.

"We're not there yet," McLendon says. "We have to have more confidence."
