BYOD observations

Discussion in 'Business & Enterprise Computing' started by bcann, Feb 7, 2017.

  1. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    4,465
    Location:
    NSW
    Gday All,

    We're looking at implementing a BYOD mobile phone type policy at work for calls and for using our medical app, which staff take to a customer to record their observations.

    I'm interested in any observations you guys have had in regards to BYOD for mobile apps. We would obviously use an MDM to deploy the apps and manage the device, but I'm more interested in what you guys on the front line saw when deploying the BYOD policy, and any successes, failures and gotcha moments.

    Personally, I would like to deploy a company-owned phone type plan, where we just get a bunch of phones all the same make and model and still use an MDM, as that would be easier, but I may get overridden on that.

    Thanks
     
  2. tree86ers

    tree86ers Member

    Joined:
    Oct 12, 2004
    Messages:
    317
    Location:
    Brisbane
    Having a standard model of phone helps out heaps; at least you know what issues you have with that device and can hope that there are workarounds etc.

    The biggest problem we have right now at my work is switching from one MDM system to another. The users are losing contacts from their phone (since it was defaulted to the corporate contacts). It is an easy fix since they just export the contacts from Outlook to what they use, but it is becoming a pain once you have had about 50+ people ask about it.

    iOS is generally all the same. Android is where you have to be careful since they nearly all have their own spin. This is where you would find most of the work with apps gets done for compatibility.
     
  3. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    52,063
    Location:
    brisbane
    BYOD devices for what you are referring to sound like a minefield - how do you secure the patient data?

    Are you calling patients customers? I'm confused.

    Corporate devices are a much better idea overall and imo at least will end up costing the company less.

    You can get great corporate packages that make all calls in the org "free" and large data pools now. Not only that but your tech fund pays for all the handsets (Telstra).
    Also when staff leave the number doesn't leave with them so outsiders are never having to update contacts as the number remains the same. You can centrally control the fleet too in every respect, it just makes more sense. BYOD is a pita.

    Admittedly Android at Work is looking like a solution to this - but you won't be able to guarantee the minimum handset spec and there will be iOS users out there too.
     
    Last edited: Feb 7, 2017
  4. ^catalyst

    ^catalyst Member

    Joined:
    Jun 27, 2001
    Messages:
    11,663
    Location:
    melbourne
    Medical data + BYOD = front page of newspaper within next 3 years.
     
  5. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    16,503
    Location:
    Canberra
    imo the premise behind BYOD is a bit sucks.

    From the User perspective - Effectively you're letting a company control part of your asset for $0 (or fuck all).

    From the Company perspective - you've just opened up your support arrangements to * vendors/devices.

    If you haven't opened up your support to * vendors/devices, you've just decreased the amount of users who you can rely on to have connectivity to the service/resources BYOD is supposed to facilitate.

    Most BYOD stuff has a pretty line under support either saying "best effort" or "select devices" - Bean Counters who see it as, TADA WE DIDN'T BUY ASSETS, SEE MOST MONEY SAVED!!!! - should just bugger off about this.

    If you want me as an employee to have access to resource, you need to provide a *reliable* device and device configuration to provide access to that resource - otherwise you simply cannot rely on the assumption that i have access to that resource.

    And if you have a not insignificant portion of your user base unable to reliably access that resource - why the hell do you have it?

    Now if you *have* opened support up to * Vendors/Devices - have you actually weighed up the cost of supporting "random bullshit that Apple/Google/Samsung/Nokia/LG/Huawei/Sony/etc did with update X"? What about mixing in the fact that carriers also fuck around with it - so users on Phone X, but Carrier Y are broken, but Phone X w/ Carrier Z are ok? (And this is all before you get to the concept of jailbreaking, rooting, unlocking, custom firmwares, etc.)

    So much shit is Wild West in the Phone space - Activesync is one thing... but throwing on MDM on random handsets is just a straight up recipe for disaster.
     
    Last edited: Feb 7, 2017
  6. PsychoSmiley

    PsychoSmiley Member

    Joined:
    Dec 23, 2001
    Messages:
    6,481
    Location:
    Taranaki, New Zealand
    Agreed.

    Medical data needs to be kept on a tight leash access-wise. Not worth the risk exposing it to a BYOD environment in the slightest.
     
  7. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    16,503
    Location:
    Canberra
    Pretttty confident that RACGP guidelines are pretty anti sending medical data anywhere - and even with the auditing and configuration review requirements - I wouldn't be doing it.
     
  8. bcann (OP)

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    4,465
    Location:
    NSW
    The data is never stored on the device, just a glorified web interface with encryption. Having said that, I am uncomfortable having to support every Tom, Dick and Harry's devices; I'd rather just have it a company device with restrictions that is the same across the board. It makes my life way easier.

    And by medical, we're not talking hospital data, more in-house patient notes for the nursing staff, along with care requirements. Yes, I know, not exactly not confidential stuff, but it's more care plan type stuff. Given the platform is one of the more widely used ones in the States and Canada and is gaining a foothold here in Australia, it does comply with relevant laws.
     
    Last edited: Feb 7, 2017
  9. timsarg

    timsarg Member

    Joined:
    Apr 27, 2006
    Messages:
    3,594
    BYOD does not work, full stop. I've seen it implemented in the WA education sector and it's a massive fail.

    Whatever idiot thought up this idea needs to be shot.
     
  10. Skramit

    Skramit Member

    Joined:
    Oct 28, 2004
    Messages:
    3,178
    Location:
    Melbourne
    We tried it (large multinational) and it was a disaster. Impossible to support when things went wrong.

    Have gone back to iPhones but we let them choose the size and colour which makes people think they have a choice still.
     
  11. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    16,503
    Location:
    Canberra
    This all falls under similar guidelines. It's somewhat unregulated right now, but audits are using similar language to RACGP, which is using similar language to HIPAA.

    My general advice here is, treat it the same as HIPAA till $ becomes an issue - then get as close as you can.

    The platform means fuck all honestly. A platform really just needs user/group policy and security - along with auditing.

    External access is out of scope.
     
  12. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    52,063
    Location:
    brisbane
    and you're out.
     
  13. bcann (OP)

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    4,465
    Location:
    NSW
    Given far larger corporate groups than us (with revenue in the hundreds of millions) use this software as a way to give their nurses/care givers external access to this same data/program suite, care to elaborate, or do you just want to throw out wild assertions there with no basis?
     
  14. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    52,063
    Location:
    brisbane
    sorry read does as doesn't.
     
  15. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    16,503
    Location:
    Canberra
    Just because you can, doesn't mean you should.

    Having sat through and assisted compliance audits for NDIS and Medicare Local - and knowing things like NSW FACS hadn't passed an audit in *years* and was about to be de-certified (causing a *massive* issue - given they are in the process of privatising a *ton* of services, it was somewhat embarrassing they are forcing regulation on entities when they didn't meet the standard themselves) - just because bigger orgs use and get away with it, doesn't mean it's right, or more importantly compliant.

    Always ask yourself, what is the cost of non-compliance, and how will that affect the business. Structure your implementation around the cost of non-compliance giving you an idea on what you're going to spend on actually complying.
     
    Last edited: Feb 7, 2017
  16. bcann (OP)

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    4,465
    Location:
    NSW
    The other choice is giving people paper (i.e. the way it is now) which they take in their cars, and no doubt sits in their cars for days at a time, and that I can guarantee is probably thrown out into god knows where. Given the choice between uncontrolled paperwork with the same type of customer details on it and a "device" which can at least be secured and remotely wiped, I know which is the lesser of the two evils. At least with a device, we can password protect it, encrypt it, wipe it if password guesses fail too many times, etc.

    I can't do that with paper.

    This situation applies to both BYOD and corporate supplied devices. At least with Android I can load the apps into the "work" space and just wipe that partition should an employee leave/get drunk and lose their phone, or do a full wipe, regardless of BYOD/corporate supplied.
     
    Last edited: Feb 7, 2017
  17. bubblegoose

    bubblegoose Member

    Joined:
    May 18, 2007
    Messages:
    4,509
    Location:
    Molesworth - Tasmania
    Lay down the crack pipe mate. It does work... The last job I was at rolled out BYOD successfully at the start of last year. A bit of a rocky start, but now it's in full swing it's perfect.
     
  18. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    16,503
    Location:
    Canberra
    Yeah, but you're not assigned to manage physical security and company policy with regards to physical document handling.

    You *are* assigned to manage IT security, and ensure they meet their legislative and regulatory requirements.

    Also there is the volume of data potentially exposed, which needs to be considered.

    A phone contains potentially everything. Which physically wouldn't fit in a car in some/most circumstances.
     
  19. bcann (OP)

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    4,465
    Location:
    NSW
    Ok,

    I think there is a bit of a misunderstanding here....

    I'll give a bit more on the business so as to paint a better picture.

    So the business I work for is in aged care (specifically in-home care). The kinds of access the app will give is the schedule of where the staff member has to be and at what time, the name of who they are seeing and their care plan. The staff member can ONLY see what/who they have been assigned, and even then it's a very shortened text of the full patient notes.

    So basically a glorified scheduling app, with some patient notes.

    What also has to be taken into account is that our area spans several hundred square km and 70% of employees rarely visit an office.
     
    Last edited: Feb 7, 2017
  20. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    16,503
    Location:
    Canberra
    I'm not saying you can't do it.

    I'm saying that BYOD is dumb (because of a lack of control of the devices). I'm saying that just because you can, you probably shouldn't. I'm saying: are you confident your app is secure? I'm saying a lot of things.

    Security always comes at a cost of convenience. The business needs to make decisions that will reduce security to enable convenience. They will do this better when they understand the risk - and the cost of non-compliance or a breach/leak.

    The vendor can give you guidance, however the vendor isn't going to be the one on the hook if you're non-compliant.

    Case in point - almost every app vendor I've ever worked with that leverages SQL Server recommends you turn off the firewall on the SQL Server.

    Is this best practice? fuck no.
    Is it even recommended? hell nah.
    Is it actually hard to create rules that allow the app to work without opening the server's sphincter to the universe? Christ no.

    But by your logic, the vendor said it's ok, so what the fuck ever.
     
    Last edited: Feb 7, 2017
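As an added illustration (not from this thread or any poster), here is what "create rules that allow the app to work" looks like on a Windows SQL Server host: the blanket firewall-off setting beside a scoped inbound rule that admits only the application server. The host name SQL01, the application server address 10.0.1.20 and the default-instance port 1433 are assumptions for the example.

```powershell
# Run elevated on the SQL Server host (assumed name: SQL01).
# Assumed values: app server 10.0.1.20, default instance on TCP 1433.

# --- The weak setting the vendor doc asks for: firewall off everywhere ---
# Every listening service on the box becomes reachable from any network.
# Shown only so the contrast is clear; do not run this part.
# Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False

# --- The scoped alternative: keep the firewall on, admit one peer ---
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block

$appServer = '10.0.1.20'   # assumed application server address

# Inbound rule: only the app server may reach the SQL listener, and only on
# the domain profile (the server should never sit on a public network).
New-NetFirewallRule -DisplayName 'SQL Server 1433 from AppServer only' `
    -Direction Inbound -Protocol TCP -LocalPort 1433 `
    -RemoteAddress $appServer -Profile Domain -Action Allow

# Remove any pre-existing wide-open SQL rule a vendor installer may have left.
Get-NetFirewallRule -DisplayName 'SQL Server 1433 any' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# --- Check 1: no inbound rule for 1433 allows 'Any' remote address ---
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq 1433 } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -contains 'Any') {
            Write-Warning "Rule '$($_.DisplayName)' allows 1433 from Any"
        }
    }

# --- Check 2 (from the app server): the port answers; from anywhere else it must not ---
# Test-NetConnection -ComputerName SQL01 -Port 1433
```

If the application also uses a named instance, the same pattern applies to the SQL Browser service (UDP 1434) and the instance's configured TCP port, again scoped to the application server's address rather than opened to Any.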