If you had particularly valuable things in one room in your house, would you lock the door to that room when you leave home? Would you consider locking the door to that room, but not locking the exterior door to your home? Logically, you’d lock the exterior door to your home because it protects everything in your home, not just the valuables in a single room. It also provides stronger security than your interior door.
In my work as a healthcare communication consultant, I see a similar story unfold every day with how mobile technologies are managed. Many hospitals are currently deploying secure text messaging without Mobile Device Management (MDM). In effect, this is kind of like keeping valuables in a room (PHI in messages) and locking the interior door (with an access code), but leaving the exterior door (the security of the device) wide open.
Deploying secure text messaging without MDM is not a best practice, for several reasons:
- You are missing out on valuable inventory data for decision-making and troubleshooting
- You won’t have a way to manage device settings to help ensure reliable notification delivery
- It’s not as easy to deploy (install and remove the app) at scale
- It’s not a good holistic approach to secure mobile environments (neglects clinical apps, notes, etc.)
Using MDM Inventory Capabilities to Confirm Compatibility
MDM tools provide valuable device inventory information that can be used to proactively troubleshoot issues, identify trends, and understand adoption. For example, you can use MDM tools to validate that users have the app installed and ensure devices have compatible software.
Here are some MDM inventory elements to consider:
- OS Version should be iOS 7.0+ or Android 4.0.3+
- The device should have 25MB+ of free storage
With most MDM tools, you can also automate actions based on inventory elements. For instance, you might alert the user if storage on the device gets low.
Using MDM Management Capabilities to Confirm Configuration
MDM tools provide the ability to manage some settings on the device. In some cases, it is possible to enforce settings that will provide a better secure messaging experience. Since most secure text messaging applications leverage public push notification services, it’s critical that these services are enabled and not blocked by device settings.
Here are some MDM management elements to consider:
- APNS Enabled should be TRUE for all managed Apple devices
- Do Not Disturb should be set to FALSE
- Cellular Technology – It is helpful to see how many devices are mobile-enabled
In some cases, you may want to notify users when settings don’t match your required specifications for secure text messaging, such as when Do Not Disturb is turned on.
Using MDM Deployment Capabilities to Assess Adoption
MDM tools provide the ability to automatically deploy applications to users, report on whether the app has been installed properly, and remove managed applications remotely. While users can always download most secure text messaging applications from the App Store/Play Store themselves, this requires a more complicated workflow for the user (they must have an Apple ID password, up-to-date credit card info, etc.) and prevents the organization from managing and removing the application.
Here are some MDM deployment elements to consider:
- The application should be automatically deployed silently or via Enterprise App Store, as a managed app, to all users who qualify to use secure text messaging.
- Use the MDM inventory to ensure the application has been properly installed and that users are using the latest version.
- Configure MDM to automatically remove the app from the user’s device when he/she leaves the organization.
Leverage the inventory to automate notifications to users who aren’t on the latest version of the secure text messaging application, to ensure compatibility, stability, and access to the latest features.
Using MDM Security Capabilities to Confirm Compliance
MDM tools provide the ability to enforce settings that help to protect data at rest on the device. These controls include passcodes, jailbreak detection, and encryption, among many others.
Here are some MDM security elements to consider (at minimum):
- Data Protection should be set to Passcode Required to protect data at rest
- Device Is Compromised should be FALSE
- Encryption should be set to TRUE
If any devices that have your secure messaging tool installed fall out of compliance in the inventory, most MDM tools provide a variety of actions that can be taken, from notifying the user to take corrective action, to notifying an administrator, or automatically removing the secure text messaging application.
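One way to turn the inventory, management, deployment and security elements above into an automated compliance check, as an added example in Python (not code from this post or from any MDM vendor). Because every MDM names its export fields differently, the field names, the sample inventory records and the "latest" app version below are assumptions:

```python
# Added example (not from the original post): run the checks listed above over a
# constructed MDM inventory export; field names, LATEST_APP and records are assumptions.
MIN_OS = {"iOS": (7, 0), "Android": (4, 0, 3)}   # minimum OS versions from the post
MIN_FREE_MB = 25                                  # minimum free storage from the post
LATEST_APP = "2.4.0"                              # constructed current app version

def ver(s):  # "7.1.2" -> (7, 1, 2): compare numerically, not as strings
    return tuple(int(p) for p in s.split("."))

def check_device(d):  # return (rule, action) findings for one inventory record
    f = []
    # Inventory/management elements: compatibility and notification delivery
    if ver(d["os"]) < MIN_OS[d["platform"]]:
        f.append(("os_unsupported", "notify_user"))
    if d["free_mb"] < MIN_FREE_MB:
        f.append(("low_storage", "notify_user"))
    if d["platform"] == "iOS" and not d["apns"]:
        f.append(("apns_disabled", "notify_user"))
    if d["dnd"]:
        f.append(("do_not_disturb_on", "notify_user"))
    # Deployment elements: app present and on the latest version
    if not d["app_installed"]:
        f.append(("app_missing", "notify_user"))
    elif ver(d["app_ver"]) < ver(LATEST_APP):
        f.append(("app_outdated", "notify_user"))
    # Security elements: data-at-rest controls; a failure escalates to an admin
    if d["data_protection"] != "passcode_required":
        f.append(("no_passcode", "notify_admin_remove_app"))
    if d["compromised"]:
        f.append(("device_compromised", "notify_admin_remove_app"))
    if not d["encrypted"]:
        f.append(("not_encrypted", "notify_admin_remove_app"))
    return f

def decide_action(findings):  # most severe wins: admin removal > user notice > compliant
    if any(a == "notify_admin_remove_app" for _, a in findings):
        return "notify_admin_remove_app"
    return "notify_user" if findings else "compliant"

INVENTORY = [  # constructed sample export, three devices
    {"id": "dev-1", "platform": "iOS", "os": "7.1.2", "free_mb": 900, "apns": True, "dnd": False,
     "app_installed": True, "app_ver": "2.4.0", "data_protection": "passcode_required", "compromised": False, "encrypted": True},
    {"id": "dev-2", "platform": "Android", "os": "4.0.3", "free_mb": 12, "apns": None, "dnd": True,
     "app_installed": True, "app_ver": "2.3.1", "data_protection": "passcode_required", "compromised": False, "encrypted": True},
    {"id": "dev-3", "platform": "iOS", "os": "6.1", "free_mb": 400, "apns": True, "dnd": False,
     "app_installed": False, "app_ver": None, "data_protection": "none", "compromised": True, "encrypted": True},
]

def report(inventory=INVENTORY):  # device id -> action, the table an automation rule acts on
    return {d["id"]: decide_action(check_device(d)) for d in inventory}
```

Run against a real export, the `report` table is what an MDM automation rule (notify user, notify administrator, remove managed app) would consume; the user-level rules never mask a security finding because `decide_action` always escalates to the admin action first.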
Ultimately, most HIPAA-compliant secure text messaging tools are containerized security applications that can protect PHI inside the app without the use of MDM. However, when considering a more holistic, more responsible approach to security, MDM can play an important part. IT leaders need to think of MDM tools in a broader sense: security and management are two important value propositions of MDM tools, but being able to automate actions based on changes in the device inventory is perhaps an even more powerful asset. I encourage IT leaders to think about these tools from a strategic perspective and leverage the automation they offer in creative ways to drive value and adoption of secure text messaging tools.