This document is based on recommendations and material from the Information Security Compliance Office at UT System.
At present, many universities and medical organizations are conducting pilot projects to determine how best to use iPads and how to define best practices for their deployment. Pilot projects among academic institutions tend to focus on student use, whereas pilot projects in health care focus more on use by physicians and other health professionals to support patient care. The following observations and recommendations are based on information provided by information security officers within and outside The University of Texas System, along with the review of EduCause documents, specialty magazine articles, Apple's iPad documentation, and policy documents.
Today's iPad is suitable for use in academic and health care settings given the right configuration. supporting infrastructure. and policy.
The iPad has many standard security features, including such capabilities as:
- password protection,
- data storage encryption,
- support for encrypted data transfer, and
- remote data deletion.
If these security features are used, the iPad is considered a secure device. Apple's Enterprise Configuration Guide contains information needed for proper configuration. As most demand has been for email connectivity, many institutions have developed guidance on how to securely connect to their email systems. However, it is important to note that an iPad that is improperly configured or used does present security vulnerability.
Because the Apple iPad's creation/release is less than one year old, some of the tools needed to manage them across an organization are still developing. There are ways to ensure that initial configuration settings are correct, but users have the ability to easily change those settings on their devices. For example, a user may find it inconvenient to use a password, and can remove the requirement of this feature. Preventing the user from turning off this security feature is not inherent in the current configuration of an iPad. Undoubtedly, new enterprise tools will be forthcoming that will provide for continuous enforcement of enterprise defined configurations.
Institutions should require iPad users to become familiar with the security capabilities and the importance of their continuous use. This may be accomplished through formal training or via distribution of guidelines. Records should be kept indicating that user has received training and has acknowledged acceptance of the guidelines for it use.
Supporting IT Architecture
It is imperative that confidential data not be put at risk through loss or theft of iPads. Therefore, as a best practice, the iPad should not be used as a for confidential data. Rather, it should be used simply as a display and data entry device confidential data. Student and patient records should always reside within a secured database server.
The IT architectureand methods for keeping confidential data on secured servers, while displaying the data on an iPad or similar device, are understood and are used in current pilot programs, such as at the U. T. Medical Branch at Galveston. Even when the iPad is used in the limited role of a display and data entry device, temporary storage of data is inevitable. To mitigate this, processes must be put in place to delete data immediately after use. Electronic Medical Records (EMR) vendors are currently developing specialized programs to fully integrate the iPad into EMR systems in ways that minimize data exposure, specifically on the iPad. Operating systems pose another architecture issue for the Apple iPad. Most oftoday's enterprise systems have evolved to support Microsoft Windows based devices. Because of this, it is often more cumbersome to integrate devices, such as the iPad, into existing applications. This is not an insurmountable barrier and will improve over time, as iPads and similar devices become increasingly common. This does not, however, prevent use of iPads within the University of Texas institutions.
None. The University of Texas System Information Resources Use and Security Policy (UTS165) requires that an institution's Information Security Officer, "review the data security requirements and specifications of new computer applications or services that receive, maintain, or share confidential data. II It is important that institutions be diligent in performing these reviews to ensure risks are identified and addressed.
Few organizations have a specific iPad policy. Typically, the iPad falls within an institution's umbrella mobile device policy. The more challenging policy issue relates to device ownership and appropriate use. Historically, employees have been allowed to use their personally owned mobile phones to access university email, so one would expect that email could be accessed from an employee's personally owned iPad. However, we must ask the question as to whether permission requirements differ when one wants to also access such things as electronic medical records utilizing their mobile devices? Security concerns become much greater in this case, and requirements may need to differ accordingly.
At present, UTS165 addresses encryption on mobile and use-owned devices that contain confidential information. This policy is under review for possible revision, with a target date of August 31, 2011. As part of the revision, the policy should be expanded to address other security requirements (such as passwords, etc.) related to mobile devices, as well as specific requirements to match differing planned uses (e.g. email vs EMR access) for the devices.
The Apple iPad is an important new platform that can provide value and efficiencies in support of a variety of applications across the U. T. System. Medical software companies are currently working to deploy EMR systems using the iPad, and many other academic and health related applications will follow. We need to facilitate use of iPads and similar devices and deploy effective security strategies, taking these devices into consideration. User education, diligence in reviewing applications prior to deployment, and revision of UTS165 to address related security issues, are steps that will facilitate safe adoption of these devices.