Like PCs, however, mobile devices used in health care facilities must be deployed in a responsible manner in order to avoid accidentally introducing security vulnerabilities or putting the organization in a state that is not compliant with federal regulations. As such, deploying devices to support mobile health care services requires careful planning.
Mobile health care support begins with device selection
As an IT professional, one of your primary responsibilities is designing a mobile health care strategy, beginning with the mobile devices you want to allow to be used within the organization. Device selection should be based on your ability to secure the devices, and on how well the device interacts with your existing network infrastructure.
I know a couple of IT pros who have given into pressure and attached users' personal mobile devices to the network. This is a big mistake. After all, once devices have been connected to the network, your users will expect the IT department to support them. You don't want to end up in a situation in which Help Desk staff is required to support dozens of different makes and models of wireless devices.
From a support perspective, it is better to keep the mobile devices as uniform as you can. Of course, manufacturers routinely discontinue mobile device models and release newer models, so it is unrealistic to expect to be able to keep your mobile device selection completely uniform.
The mobile device support infrastructure
Because health care is a heavily regulated industry, you must ensure that your mobile health care strategy is aligned with your corporate security policy. This can be a big challenge when it comes to mobile devices. Your existing group policy settings will not apply to mobile devices because, in an Active Directory environment, group policies only apply to domain members. Although there are exceptions, mobile devices usually cannot be joined to a Windows domain.
In order to be a domain member, a machine must be running either a desktop (Windows 7) or a server (Windows Server 2008) version of Windows. Mobile operating systems do not meet this requirement and therefore cannot be joined to a domain. As such, group policies do not apply to mobile devices.
Some versions of Windows Mobile have a mechanism that allows the device to be enrolled in a domain. The enrollment process allows the device to participate in the domain on a limited basis without actually being a domain member. However, even if a device has been enrolled, it still cannot use the same group policy settings as a full-blown desktop or server operating system, because those settings were never designed to be used with mobile devices.
Even though your existing group policy settings will not apply to mobile devices, there are other ways to manage the mobile devices that are used in your health care organization. However, you will have to base your mobile device management techniques on the makes and models of devices that you have chosen to support.
At the present time, there is no real industry-wide standard for managing devices specific to mobile health care implementations. As such, you will have to search for a mobile device management solution that works with your existing network infrastructure and with the mobile devices that you have chosen to allow on your network.
Using System Center Mobile Device Manager for mobile health care deployments
As I mentioned earlier, the primary security mechanisms used in an Active Directory environment are group policy settings. If you are used to managing Windows environments, then you will be happy to know that Microsoft offers a product called System Center Mobile Device Manager, which will actually let you manage devices for mobile health care users through group policy settings. In addition to enforcing security on such devices, the software can also be used for initial device provisioning, and for deploying mobile applications.
Although System Center Mobile Device Manager works really well, it does have two major limitations. First, you can only use group policies to manage devices that can be enrolled in a Windows domain. To the best of my knowledge, the only mobile operating systems that fit this criterion are Windows Mobile 6.1 and Windows Mobile 6.5. Even Microsoft's latest Windows Mobile operating system, Windows Phone 7, does not include the required functionality.
The other limitation is that your existing group policy settings will not apply to mobile devices that have been enrolled in the domain. Instead, System Center Mobile Device Manager provides a completely separate set of group policy settings that are specifically designed for use with mobile devices. These settings are, however, accessible through the Group Policy Editor.
Using Exchange ActiveSync to manage devices in a mobile health care setting
As strange as it sounds, one of the best tools for managing mobile devices is Microsoft Exchange Server. In case you're not familiar with Exchange Server, it is Microsoft's enterprise email application. Exchange Server uses a protocol called Exchange ActiveSync to send email to mobile devices.
So what does this have to do with mobile device management? Well, Exchange ActiveSync is an industry standard. It is supported not only by Windows devices, but also by tablets and by non-Microsoft devices such as the iPhone and Android phones.
Although the primary job of ActiveSync is to push messages to mobile devices, ActiveSync can also be used to provision and secure mobile devices. For example, you can use ActiveSync policies to require devices to adhere to a certain password policy or to disable certain mobile device features such as removable storage or the built-in camera.
Keep in mind, however, that even though the vast majority of tablets and smartphones support ActiveSync, not all of the ActiveSync policy settings are supported on every device. If you are considering ActiveSync as a mechanism for provisioning and securing mobile devices, then you will need to verify that the policy settings that you want to use will work with your chosen devices.
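As an added example (not from the article), here is how the kind of ActiveSync policy described above would be created, assigned and then checked per device from the Exchange Server 2010 Management Shell. The policy name, the "Clinical Staff" distribution group and the specific threshold values are assumptions.

```powershell
# Added example, not from the article. Assumes the Exchange 2010 Management
# Shell; policy name, group name and threshold values are placeholders.

# 1. Create a policy that enforces a device password and disables removable
#    storage and the built-in camera, as described in the text. Devices that
#    cannot enforce the policy are refused (AllowNonProvisionableDevices
#    $false) rather than being allowed to sync without it.
New-ActiveSyncMailboxPolicy -Name "Clinical-Mobile" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock 00:05:00 `
    -RequireDeviceEncryption $true `
    -AllowStorageCard $false `
    -AllowCamera $false `
    -AllowNonProvisionableDevices $false

# 2. Assign the policy to every mailbox in the clinical staff group
#    (assumed to contain only mailbox-enabled users).
Get-DistributionGroupMember -Identity "Clinical Staff" |
    ForEach-Object {
        Set-CASMailbox -Identity $_.Identity -ActiveSyncMailboxPolicy "Clinical-Mobile"
    }

# 3. Verify, per device, whether the policy was actually applied in full.
#    A DevicePolicyApplicationStatus other than AppliedInFull means the
#    device does not support every setting in the policy, which is the
#    per-device check the text asks for before relying on ActiveSync.
Get-DistributionGroupMember -Identity "Clinical Staff" |
    ForEach-Object { Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity } |
    Select-Object DeviceType, DeviceModel, DeviceOS, DevicePolicyApplied, `
                  DevicePolicyApplicationStatus, LastSuccessSync |
    Where-Object { $_.DevicePolicyApplicationStatus -ne "AppliedInFull" }
```

The final pipeline lists only devices on which the policy is not fully in effect, so an empty result means every synced device enforces all of the settings.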
Using proprietary management tools in mobile health care deployments
Even though Microsoft Exchange can be used as a cross-platform management tool for mobile devices in health care settings, it is no substitute for a mobile device management platform that is designed specifically for the mobile devices that you use. That being the case, if you have made the decision to use only a specific type of mobile device, then I would recommend checking whether the device manufacturer offers a management product for the devices. For example, BlackBerry offers a management product called BlackBerry Enterprise Server.
There are also a number of third-party products for managing mobile devices. Even so, every mobile operating system has different capabilities, so even if a product claims to offer cross-platform support, there is a good chance that some management capabilities will be omitted for some devices. Some software vendors have also been known to omit certain management capabilities from their wares just so that they can provide a consistent management experience. That's why you are best off using a device-specific management product if possible.
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox.
This was first published in July 2011