BEST PRACTICES: DEPLOYING SPOK MOBILE WITH ENTERPRISE MOBILITY MANAGEMENT. spok.com


DEPLOYING SPOK MOBILE WITH ENTERPRISE MOBILITY MANAGEMENT

Scalability and adoption are significant challenges that IT professionals face as they plan to implement secure text messaging in healthcare. IT pros need ways to deploy the client application to clinical users, manage security settings and report on the environment at scale. Enterprise Mobility Management (EMM) tools can help IT achieve scalable deployments and manage large populations of users. This best practices guide outlines important steps to consider when using EMM to deploy and manage Spok Mobile, Spok's secure text messaging solution.

KEY CHALLENGES

- IT pros need a way to deploy secure text messaging at scale. Without a way to scale quickly, IT teams are not able to build a user base fast enough to ensure adoption of the service.
- As IT pros implement secure text messaging and position it as a way to securely send PHI, they must also consider device-level security settings. Without a way to configure device-level security settings, such as encryption and passcodes, sensitive PHI could be exposed and HIPAA safeguards could be violated.
- As IT pros deploy secure text messaging, there is a need for device-level reporting. Without an inventory of devices, applications and settings, IT cannot validate HIPAA compliance or gather data needed to adequately troubleshoot incidents.

BEST PRACTICES

- Where applicable, IT pros should plan to use EMM tools to deploy the secure text messaging client app to users. Deployments should be targeted to the appropriate populations and the app should be distributed via the deployment channel that is appropriate to each population.
- IT pros should plan to use EMM to configure and report on device-level security settings to safeguard sensitive HIPAA data on managed devices.
- IT pros should create and automate reports to show compliance, progress and status of all managed devices that are using secure text messaging.

TABLE OF CONTENTS

- INTRODUCTION
- WHY USE EMM TO DEPLOY AND MANAGE SPOK MOBILE?
- PRE-REQUISITES AND EXCEPTIONS
- IDENTIFYING YOUR TARGET AUDIENCE
- PREPPING THE DEPLOYMENT AND CONFIGURING SETTINGS
- DEPLOYING SPOK MOBILE
- REPORTING ON DEPLOYMENTS
- REPORTING ON STATUS AND COMPLIANCE
- MANAGING OS AND APPLICATION UPGRADES
- REMOVING/UNINSTALLING SPOK MOBILE
- BYOD AND PRIVACY CONSIDERATIONS
- CONCLUSION

INTRODUCTION

Scalability and adoption are significant challenges that IT professionals face as they plan to implement secure text messaging in healthcare. IT pros need ways to deploy the client application to clinical users, manage security settings and report on the environment at scale. Enterprise Mobility Management (EMM) tools can help IT achieve scalable deployments and manage large populations of users.

Below is a list of high-level steps involved in deploying and managing Spok Mobile via EMM. Each of these will be reviewed in detail throughout this guide.

1. Identify the target audience
2. Prep the deployment & configure settings
3. Deploy Spok Mobile
4. Report on the deployment
5. Report on status & compliance
6. Manage OS & app upgrades
7. Remove Spok Mobile

TERMS TO KNOW

Enterprise Mobility Management (EMM): Gartner states that Enterprise mobility management (EMM) suites consist of policy and configuration management tools and a management overlay for applications and content intended for mobile devices based on smartphone OSs. They are an evolution from previous-generation mobile device management (MDM) products that lacked application and content management. IT organizations and service providers use EMM suites to deliver IT support to mobile end users and to maintain security policies.

Mobile Device Management (MDM): MDM is the part of an EMM suite that deals with managing the device with Configuration Profiles, such as configuring Wi-Fi and VPN, and configuring security settings and restrictions on the device.

WHY USE EMM TO DEPLOY AND MANAGE SPOK MOBILE?

Before proceeding with a Spok Mobile implementation, it is important to decide how the client application will be deployed. If scale is a factor, EMM should be considered. EMM tools can enable IT to mass deploy the client application and/or make it available in an enterprise App Catalog across the organization. This can enable IT to quickly distribute the Spok Mobile client application and build a user base.
This is important because, when it comes to messaging applications, a large user base is critical to adoption. In addition to enabling deployment at scale, EMM can allow IT to enforce security settings at the device OS level, which are important for maintaining HIPAA compliance. The inventory within an EMM database can be used to verify compliance, show app adoption and usage, and provide useful data for troubleshooting. EMM can also be used to manage updates to the OS and the app, limiting issues that may occur during upgrades. EMM can be used to remove/uninstall Spok Mobile when users lose a device or when employment is terminated, which is also an important security consideration. For all of these reasons, EMM is an excellent choice for deploying and managing Spok Mobile.

PRE-REQUISITES AND EXCEPTIONS

Before you plan to use EMM to deploy and manage Spok Mobile, there are pre-requisites and exceptions that must be considered. Each device must first be enrolled and managed by EMM. In most healthcare environments, not all devices will be managed; therefore, IT may need to use a multi-tiered deployment strategy. For devices that are managed, using the EMM tool to deploy Spok Mobile can be a great choice. For those that aren't yet managed (often many BYOD devices and/or devices that do not require access to hospital applications or ), IT will need to assess whether to bring them into management before allowing the use of Spok Mobile, or to allow Spok Mobile to be registered on unmanaged devices.

If it is decided that some users will be allowed to register for Spok Mobile on unmanaged devices, it will be important to carefully consider the security and management needs, to configure security settings at the app level and to enforce usage with policy. If EMM is not used to deploy and manage the app, Spok Mobile will need to be installed from the App Store and security settings will need to be configured within Spok Mobile Admin. When supporting Spok Mobile on unmanaged devices, it is recommended that IT consider processes and policies to support access codes, remote wipe, access management and reporting at the app level.
See the Spok Mobile Admin guide for details on how to configure these settings. The table below compares how security settings can/should be managed at the app level vs. at the OS level with EMM.

| SPOK MOBILE | SECURITY FEATURE | EMM SECURITY |
|---|---|---|
| Messages | Encryption | Full OS |
| App-level | Passcode enforcement | Device-level |
| Messages | Remote wipe | Full device |
| Messages | Containerization | Apps |
| App mgmt | User and access mgmt | Device mgmt |
| Message data | Reporting | Device data |

IDENTIFYING YOUR TARGET AUDIENCE

The first thing that IT pros need to do before developing a deployment strategy for Spok Mobile is to identify the target audience. Who will be using Spok Mobile? Or better yet, who is using a mobile device to transmit PHI and/or sending messages within important clinical workflows?

It is considered a best practice to implement Spok Mobile in phases and to plan out those phases at the beginning of the project. Some hospitals choose to focus on physicians first. Some choose to focus on specific departments and deploy the solution by both role and department. Others (considered a best practice) choose key workflows.

Decide who will get Spok Mobile and create a Smart Group within the EMM tool for the target population of users. Use the EMM inventory to plan your deployment and target the right groups. You may even want to use the EMM inventory to target devices that fit a certain compliance profile. For example, target devices that are already encrypted or devices that have an EMR app installed (as this population is likely to be transmitting PHI).

PREPPING THE DEPLOYMENT AND CONFIGURING SETTINGS

Once the target audience is isolated and Smart Groups have been built to scope to, reports should be generated from within the EMM tool to gain an understanding of the profile of all applicable managed devices. IT pros should make sure that all devices in question are supported by Spok Mobile, that they are in a state that will allow the app to be installed, and that they are compliant with security standards.

- What type, model and OS are the devices running? Do any fall outside of what is compatible with Spok Mobile?
- How much free storage and memory are on the devices? Are there any devices that don't have enough space?
- Are the devices already encrypted and passcode protected? Are any considered non-compliant?
If any fall outside of recommended standards, the users should be notified to make changes and/or MDM configuration profiles should be applied accordingly.

Before deploying Spok Mobile to devices via EMM, IT should make sure that all devices are compatible, that they have space for the application and that all devices have the following security settings configured, at a minimum:

- Require passwords
- Require password timeouts (15-minute maximum)
- Require password retries (10 maximum)
- Encrypt all devices
- Consider restricting dictation (to prevent nonsecure keyboard dictation)
- Blacklist known malware

In addition to security enforcement and restrictions, it can also be a good idea (depending on the wireless infrastructure in place) to manage wireless certificates and verify/configure Wi-Fi settings for users before deploying Spok Mobile, making sure that users are connecting to preferred SSIDs.

Also, before deploying Spok Mobile via EMM, it is highly recommended that all person, department and contact data be populated in the Spok database (manually, or via data feeds). This will expedite the registration process once you deploy the application.

DEPLOYING SPOK MOBILE

Once all pre-requisites have been verified and the environment has been prepped, Spok Mobile can be deployed. The app can be deployed using mobile OS vendor deployment programs, like Apple's Volume Purchasing Program (VPP) through the App Store, or by using one of the MDM builds that Spok provides: here. Find the supported EMM vendor and upload the .ipa files for iOS and Android to the EMM/MDM server. Once uploaded, scope the deployment of the app to the Smart Group(s) that contain(s) the target audience. Where applicable, it is recommended that the app is deployed as a managed app, so that it can be removed later via an enterprise/selective wipe, if needed.

The IT admin will need to decide whether to silently deploy the app to the target devices/users or to make it available in an App Catalog (note that some methods of deploying the app will require the user to have an Apple/Google ID with a defined username, password and associated credit card). It is recommended to use an App Catalog if users are already familiar with using one, as this will be more aligned with the registration workflow required by Spok Mobile.

Here is the recommended deployment workflow:

1. Upload Spok Mobile builds to the EMM server.
2. Scope the deployment to the target audience, based on the inventory.
3. Deploy managed app via the App Catalog or silently install.
4. Register users in the Spok database in line with an overall rollout strategy.
5. Instruct users to complete the registration process within the app.

Once the app has been deployed, new users who fit the target audience profile should also be automatically added to Smart Groups for the app to be deployed to them. For example, when a device enrolls into MDM to gain access to or an EMR app, the secure texting app should automatically be available for the user via a silent install or for download from the enterprise App Catalog.

REPORTING ON DEPLOYMENTS

Once the application has been deployed, the EMM and Spok Admin tools can be used to report on the status of the deployment. Build a Smart Group in the EMM database that contains all devices that have Spok Mobile installed. Make sure to include the app version, OS version, device model and type, available resources on the devices (memory, storage, etc.), and compliance settings (encryption, passcode, etc.). This report will be used to report on device status and compliance and will also show how widely the app has been deployed.

The devices in this Smart Group will represent the scope of your deployment and version adoption. To find out how many users are actually registered, you'll need to use the Spok Mobile admin tool. Run a report to show only devices with active registration and that count will represent the actual adoption rate of the deployment (how many users have completed registration within the mobile client).

REPORTING ON STATUS AND COMPLIANCE

The Smart Group created to measure adoption should be used for ongoing reporting of device status and compliance. Device status attributes, such as OS version, memory, storage, model, free space, and storage capacity, can be excellent sources of data for troubleshooting issues. For example, if some users are experiencing issues with not receiving notifications via Spok Mobile, filtering on device model or OS version could show trends that could lead IT to a root cause.

The report should also be used to identify any devices that have Spok Mobile installed but fall out of corporate compliance. Filtering on devices that do not have a passcode enforced or devices that are not encrypted can reveal non-compliant devices, for example.

In addition to this Smart Group, it can also be advantageous to build a few Smart Groups to automatically enforce specific compliance settings in an actionable way. For example, build a group of devices with Spok Mobile installed but no passcode enforced, then build an MDM Configuration Profile and scope it to the group to automatically enforce a passcode on those devices as soon as they check in and are identified as non-compliant.

MANAGING OS AND APPLICATION UPGRADES

The MDM profiles available for mobile devices do not allow IT to block OS upgrades. This is for a good reason. Upgrades are pushed out to fix issues like security vulnerabilities and should always be applied immediately, so it is not a best practice to attempt to block these updates. While it is considered a best practice to allow updates, that does not mean that IT should not oversee and manage the upgrade process. Before any app or OS updates, IT should test new beta versions and identify any versions used in their environment that are not compatible.
The EMM inventory should be used to identify any devices that fit a profile that may be considered non-compatible. For example, if an OS update causes devices to revert and require users to re-register with the Spok Mobile app, IT should identify the OS and app versions impacted by that. Then, a Smart Group should be built to isolate those devices and a notification should be sent to all impacted users to proactively provide them with instructions for how to manage the upgrade. Reporting can also be used to identify users who have completed a recent upgrade so that IT can follow up and communicate.
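
The minimum security settings listed under "Prepping the deployment" and the compliance filtering described under "Reporting on status and compliance" can be checked against an inventory export, as in this added example (not Spok or EMM vendor code). The CSV column names and device rows are constructed for illustration, and treating a blank or zero limit as "not enforced" is an assumption.

```python
import csv
import io

# Thresholds from the guide's minimum settings list.
MAX_TIMEOUT_MIN = 15   # passcode timeout, minutes
MAX_RETRIES = 10       # failed passcode attempts

# Constructed sample export. Column names are hypothetical, not a real EMM schema.
SAMPLE_INVENTORY = """\
device_id,os_version,spok_installed,passcode_required,timeout_min,max_retries,encrypted,dictation_allowed
D-001,17.4,yes,yes,5,10,yes,no
D-002,16.7,yes,no,,,yes,yes
D-003,17.4,yes,yes,30,10,yes,no
D-004,15.8,yes,yes,15,0,no,no
D-005,17.4,no,no,,,no,yes
"""

def _flag(value):
    return (value or "").strip().lower() in ("yes", "true", "1")

def _limit(value):
    """Positive int, or None when blank, zero or unparseable (assumed not enforced)."""
    try:
        n = int(value)
    except (TypeError, ValueError):
        return None
    return n if n > 0 else None

def findings(row):
    """Return the baseline settings this device fails, in a fixed order."""
    out = []
    if not _flag(row["passcode_required"]):
        out.append("passcode not required")
    timeout = _limit(row["timeout_min"])
    if timeout is None or timeout > MAX_TIMEOUT_MIN:
        out.append("passcode timeout unset or over 15 min")
    retries = _limit(row["max_retries"])
    if retries is None or retries > MAX_RETRIES:
        out.append("retry limit unset or over 10")
    if not _flag(row["encrypted"]):
        out.append("device not encrypted")
    if _flag(row["dictation_allowed"]):
        out.append("advisory: dictation allowed")  # the guide says "consider"
    return out

def compliance_report(csv_text):
    """Map device_id -> findings, scoped to devices with Spok Mobile installed."""
    return {row["device_id"]: findings(row)
            for row in csv.DictReader(io.StringIO(csv_text))
            if _flag(row["spok_installed"])}

def noncompliant(report):
    """Devices with at least one finding that is not just an advisory."""
    return sorted(d for d, f in report.items()
                  if any(not x.startswith("advisory") for x in f))

def passcode_remediation_group(report):
    """Devices to scope a passcode-enforcing configuration profile to."""
    return sorted(d for d, f in report.items() if "passcode not required" in f)

if __name__ == "__main__":
    for device, issues in compliance_report(SAMPLE_INVENTORY).items():
        print(device, "OK" if not issues else "; ".join(issues))
```

The output of `passcode_remediation_group` corresponds to the auto-remediation Smart Group the guide describes: devices with the app installed but no passcode enforced.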

REMOVING/UNINSTALLING SPOK MOBILE

When a user loses a device or leaves the organization, IT will need to remove the content within the Spok Mobile application, as it could be sensitive in nature. The best practice when using EMM is to uninstall/remove the app from the device and immediately unregister the user in the Spok database. Unregistering the device will ensure that IT retains licensing and that users cannot re-download and access content within the app.

If a user does have Spok Mobile on an unmanaged device, it is recommended that Spok Mobile Admin is used to remotely wipe messages and that registration is removed from the Spok database. If a user does leave the organization, it is recommended that Spok Mobile is removed as part of an enterprise/selective wipe (requires that the app was deployed as managed) and that registration is removed from the Spok database. When users leave the organization, a data feed should also be used to automatically remove the user's profile from the Spok database, to prevent the record from showing in searches and remove all access.

BYOD AND PRIVACY CONSIDERATIONS

Using EMM to deploy Spok Mobile can cause some issues with end user adoption, particularly for users who do not want to install MDM profiles on their personal devices. Some users view Mobile Device Management as what they refer to as "Big Brother." Some users don't want attributes about their device to be discoverable. Some of these users may refuse to enroll in the hospital's BYOD program or into MDM. For these users, IT may want to consider using the security features built into Spok Mobile and to bypass MDM. Or, the use of MDM may need to be strictly enforced via policy.

Some BYOD users may also see secure texting as an invasion of their personal lives. They may perceive the app as mixing work with their private lives and having discoverability features. In reality, secure text messaging can benefit BYOD users in many ways.
It is very important to proactively address how secure text messaging can benefit BYOD users before users begin expressing concerns. Spok Mobile does not have any access to the native OS (without MDM), keeps user phone numbers private, keeps work and personal messages separate, and allows users to put themselves on an unavailable status when they are not on duty. These, amongst many other reasons, can give BYOD users the understanding and incentives they need to accept the use of secure text messaging on their personal device. See Spok's best practices guide on BYOD and Secure Texting for more information on how to communicate and educate your end users on this topic.

CONCLUSION

Ultimately, Enterprise Mobility Management can help IT to deploy, secure and manage any mobile application. It is important to include Spok Mobile as a service available within the hospital's mobile IT service portfolio and to follow the standards that are already in place for app deployment and management (if applicable). The purpose of this guide is not to replace any processes or best practices that are already in place for app deployment and management, but rather to complement those processes and provide guidance to organizations that have less mature processes in place.

By following the best practices outlined in this guide, IT pros can leverage EMM to more easily scale and sustain deployments of Spok Mobile. EMM can help produce a faster rate of adoption, streamline workflows, increase security and reduce incidents.

Spok also offers comprehensive consulting services for organizations that need further assistance with deployment and management of Spok Mobile. If you are interested in more information on best practices, please reach out to your Spok sales representative to inquire about these services.