Mandatory MDM in offices and laboratories - what does this mean in practice?
In its new IT security guideline, the Kassenärztliche Bundesvereinigung (KBV) stipulates that starting July 1, 2022, all large doctor's offices and laboratories must take increased security measures with regard to mobile devices. Specifically, this means, among other things:
'Before a doctor's office provides, operates, or deploys smartphones or tablets, a general policy must be established regarding the use and control of the devices.'
(Source: https://www.kbv.de/html/it-sicherheit.php ; 01/01/2022)
Consequently, for those physicians or laboratory operators who have not yet addressed this issue, the question is: how do I create such a policy and, most importantly, how do I apply it to the devices?
The solution to this challenge - as already anticipated - is offered by a mobile device management system (MDM).
The main function of an MDM is to manage mobile devices: for instance, blocking unauthorized applications, defining fixed policies that ensure the security of the devices, and initiating protective measures in case of emergency. These safeguards can ensure that all data on the devices and network of a doctor's office is always protected.
How can an MDM be operated in a doctor's office?
If you look at the infrastructure of a doctor's office or a laboratory, the differences from other companies are not that significant: there are managers, employees and technical devices that are operated.
With the help of the MDM software, all devices are first registered and receive the MDM app. This allows the software to communicate with the devices. Once this is done, security policies are assigned, apps can be installed, deleted or updated and much more! All the functions of an MDM can be found here.
Before security policies are applied, however, it must be determined what exactly is to be achieved. Only then does the concrete implementation via MDM begin.
However, as the KBV explicitly emphasizes, the IT security guideline now in force does not 'invent' any new specifications. Rather, existing ones, which originate from the GDPR, for example, are made more concrete for everyday practice.
This means that many of the requirements, such as the use of a secure browser, are already standard in most doctor's offices. Therefore, even when securing mobile devices with an MDM, you can follow these specifications and implement them with the help of MDM functions.
What risks do offices face without a mobile device management system?
As soon as a device has an Internet connection and is part of a network in which files and data are shared, it becomes more vulnerable to attacks.
Healthcare is a particularly popular target, as it stores a large amount of personal data that is valuable to attackers.
If the worst comes to the worst and personal data of patients or employees is lost or stolen, there is a risk of high fines. Not to mention the further consequential damage. We discuss the risks of unsecured healthcare devices in detail in this article.