re: BYOD: Is Mobile Device Management The Answer?
It seems that even with your safeguards of SSL and IPSec (which both have their flaws and can be hacked/bypassed) and using RDP to access information, you're still at risk simply because of the mobile platform. One good example of this would be phones with NFC, which can be infected by a known exploit to Android (as shown at the Black Hat hacking conference this year) and other known exploits to various mobile OSes. Sure, there's no data on the mobile device, but if you have control of the device then you have access to the remote data while logged in through that device. There's also the very real possibility of stealing the device and gaining temporary access until the access is turned off. For the most part, BYOD and mobile devices should stay away from medical records in my opinion... at least until there is a tested/trusted platform. The risks are too high, and the data is simply too valuable.
Information Week Contributor