Magazine Article | June 14, 2016

Encrypt Your Customers' Mobile Devices

By The Business Solutions Network

This MSP migrated a nonprofit customer to a new encryption solution for its mobile devices.

Having customers that operate within heavily regulated markets raises the stakes when it comes to security. While we tend to think of HIPAA and the need to properly handle electronic protected health information (ePHI) when the topics of regulation and compliance are brought up, there are plenty of other situations where security stakes are high and data needs protecting. A good example of one such case can be seen with a recent project completed by I-M Technology for Madonna Place, a nonprofit family services organization located in Norwich, CT. The organization provides services designed to strengthen families, promote health, and prevent child abuse and neglect.

Stuart Bryan, CEO of I-M Technology, says Madonna Place has been a customer of his for more than 13 years. The organization has between 25 and 30 employees depending on the time of year, and approximately 20 percent of those users have laptops. “Staff are frequently out of the office, doing home visits and attending meetings at other agencies,” he says. “Their mobile devices contain case notes that must be secured. Because the mobile devices are being used for a variety of different state, federal, and local programs, you run into different regulatory and compliance requirements that change depending on the use of the laptop.”

The bottom line is that, regardless of the funding source, the data must be secured. While the data being stored doesn’t fall under ePHI, it is sensitive data. Failure to meet funding requirements can be costly. “We’ve heard of some nonprofits that had programs cancelled because they didn’t do something they were supposed to,” says Bryan. “If a nonprofit doesn’t meet a standard, they can lose funding, equipment, and staff.”

To secure the information being stored on the mobile devices, Bryan originally set Madonna Place up with a freeware encryption tool, TrueCrypt. However, a couple of years ago, the developers behind the product stopped development and stated that they couldn’t guarantee the product was safe to use going forward. “They didn’t release any specifics and, to my knowledge, no one has been able to hack it, but when the creators tell you it’s not secure, it raises big questions,” says the MSP. “We needed a new encryption solution that would ensure Madonna Place was in compliance.” Additionally, Bryan says that evaluating new paid solutions meant an opportunity to get one with an increased feature set over the freeware his customers had been using.

The MSP evaluated a variety of encryption solutions and ultimately selected Beachhead Solutions SimplySecure. “Not only does SimplySecure provide the level of encryption needed but the software provides the means to perform different actions depending on the situation,” says Bryan. “For example, if a machine is reported lost, we can simply remove the key. If the machine is found, we can unlock it without re-encrypting the whole thing.” A variety of policies was created to address things like failed logins, locking the computer, and how long until a machine goes to “out of contact” mode and is “unrecoverable.” While all of these policies can be adjusted for the client, Bryan says the configuration he chose is based on best practices the MSP has established.

In addition to setting policies, SimplySecure also allows I-M Technology to see the state of equipment, such as when it was last used and who has been logging in to the device. “As an MSP, there’s real value in being able to remotely see what’s going on with a user’s mobile device,” adds Bryan.

Setting up SimplySecure is as easy as running an executable on each machine. For the laptops that weren’t already encrypted using TrueCrypt, Bryan’s team was able to remotely install SimplySecure. He says this was the only challenge, as the decryption process took hours. For the machines running TrueCrypt, the MSP brought the laptops into his office to go through the process of decrypting them and installing SimplySecure.

Today, Madonna Place’s mobile devices are encrypted with SimplySecure, and all sensitive information is protected. Apart from the other benefits of the software already mentioned, Bryan adds that the software is nearly invisible to the end user. “You don’t want to create additional steps for users to access their devices,” explains the MSP. “Any time you increase complexity, you get resistance. You also make it more likely that users will use bad habits to make it easier for themselves.”

SimplySecure pricing is per device, per month. Beachhead gives bundles of licenses that can be distributed among customers and marked up however an MSP prefers. Like many services, the cost of this one item isn’t a considerable source of revenue. “I don’t consider this a revenue stream for our company,” says Bryan. “We use it because it’s better protection for our customers and because it gives us visibility and the ability to manage remotely. That’s very important to our profitability as an MSP and makes the solution valuable to us.”

Bryan says the need for encryption is everywhere, even where you wouldn’t expect it. For example, the MSP is currently preparing to roll out SimplySecure to a client that’s adopting new EHR (electronic health record) software. “Even though the software is cloud-based and they tout the high security of the data, the software has a bad habit in that if a user opens PDF-based patient documents, the PDF file is cached/downloaded to the computer. When the user closes the file, it isn’t deleted,” he explains. “It’s actually less secure because every workstation using it will be storing ePHI.”

www.i-mtechnology.com
www.beachheadsolutions.com