I have a couple of users who would like to read their email using their phone. To be honest, I don't want any of them to be able to do that. I mean, yes, I totally understand how convenient it would be. But we're in the "health" business so we have to make sure that we don't violate any stupid HIPAA security requirements. (Which is a bloody joke and a half since 'HIPAA' doesn't set any worthwhile specifics about their silly "security requirements". You can interpret the same "requirement" 8 million different ways, but I'll bet if there's ever a lawsuit, the lawyers suing your company would happily "prove" that the method your company picked was "wrong".)
Anyway, I figure some day I will be reluctantly forced to enable mobile access. So I've got questions.
First, the data connection to the phone. I remember the old "Bearcat scanner" days where you could listen in to one side of the conversation on a mobile phone. (It was amazing yet disturbing how often you'd hear people setting up illicit liaisons while their spouse was away, too.) Does anyone know if the communication that takes place between the phone and the cell tower is encrypted in any way?
Second, email messages on the phone. Is there a way to force the user to enter a password before he/she is allowed to view their messages? If so, how often do they have to enter their password? For each message, or just once per "session", something like that? If they lose their phone, can just anyone pick it up and start reading previously read messages, or is there a way to force the person to enter a password? Also, suppose I have a user who is pretty "cell phone" savvy but security stupid: is there a way they can save their password so they don't have to re-enter it? Is there a way I can prevent that? How are the messages stored on the phone? If someone had physical access to the phone and a USB data cable that would fit the phone, could that someone download the messages from the phone to their computer?
I'm not worried about the Exchange server configuration or certificates or whatnot. It's all the stuff that's beyond the control of the Exchange server that has me worried. Doctor Joe Dumbo uses his phone exclusively to read his email, in which, of course, he has discussions that include the patient's name, their birth date, their medications, their social security number (or, for our UK friends, their HMRC info), God-only-knows-what-else info, blah blah blah...
and, oopsie, Dr. Joe left his phone at a restaurant (he thinks... maybe...). Or, um, oh, maybe it fell off at the golf course? Or, umm, hmm, maybe it rolled under the seat of his H3? Or (insert a hundred other scenarios here), whatever...
leaving us wide open for a nice fat lawsuit.
That type of thing.