Addressing security requirements for hospital iPad use

As hospitals roll out iPads, security remains a concern. Whether the devices use native or virtualized applications, there are several best practices for hospital iPad use.

The biggest concern that health IT professionals have about hospital iPad use is arguably security -- both of the devices themselves and of the protected health information viewed (and sometimes stored) on the devices. Whether hospitals opt for native or virtualized iPad applications, there are several security best practices they should consider. 

Boston's Beth Israel Deaconess Medical Center has been using computer technology since the 1960s. Before the iPad came along, physicians and nurses used desktops and laptops to access a browser-based electronic health record (EHR) system (WebOMR), computerized physician order entry system (CPOE) and a number of other applications. When it came to extending these systems to iPads, Beth Israel allocated Web access to these applications with virtual desktop extensions to iPads. Once users log in with a username and password, the iPad becomes their virtual desktop.

More resources for hospital iPad users

More from this author: Preparing network infrastructure for hospital iPad use

In choosing EHR for iPad, consider native, virtualized, hybrid options

Top enterprise iPad questions facing IT: Management, apps and security

Mobile device security best practices for BYOD

The Ottawa Hospital, meanwhile, took a different route. Instead of rolling out a virtualized environment to allow physicians to use personal iPads to access EHRs, Ottawa Hospital purchased thousands of iPads for its clinicians and hired software developers to write native applications, in the process creating a secure portal between the hospital's EHR system and the iPads. This means that data may be downloaded on to the iPads and may have to be erased when devices are switched off or leave the hospital campus.

Keeping these two different ways of rolling out hospital iPad use in mind, a combination of the nine following security requirements are typically deployed.

Username, password login. If your hospital iPad use includes virtual desktop environments, you may already need a username and password to get the virtualized system started up. When hospitals are using native applications, they still need access to back-end servers. These need to selectively download data that is needed by an app and delete it when done. Native apps also need username and password logins to make them as secure as virtualized rollouts.

Role-based login. Not all applications may need to be accessible to all users in a hospital. Role-based logins may be already set up on iPads being used in a virtualized environment. When using native apps, they may need to be designed and implemented within the apps themselves.

Copying, printing control. Since it is possible to copy and even print data from medical records in iPads, some level of control is needed. Again, role-based access control can be used on iPads to enforce this security measure. Users are assigned roles as clinician, nurse or hospital administrator; their roles, in turn, can permit them to copy or print at the data level.

Encrypted data transmission. Virtualized desktop environments may already have 128-bit, built-in encryption of any communication, including data to and from iPads. If native applications are developed for hospital iPad use, then those apps may need to implement this level of encryption when communicating with servers.

Both iPads and iPhones support remote autolock so that the devices themselves may be locked if lost, misplaced or stolen.

Isolated special subnetworks. When using tethered computers such as laptops and desktops, administrators usually have better visibility, control, network speeds and service levels. Mobile devices such as iPads may need isolated special subnets, meant only for them. It may also be necessary to track where the devices access the network, for the sake of iPad security as well as performance -- mobile devices are subject to differing signal strengths, and certain signals may not provide the bandwidth needed to use certain applications.

Remote wiping capabilities. Virtualized desktop roll outs may or may not make use of local storage.  Native apps may invariably use local storage, even if it's only for temporary download of medical data. In either case, mobile data protection best practices suggest that iPads may need to be remotely wiped when they are switched off or wander off from the main campuses where access is allowed. In addition, if iPads are lost, misplaced or stolen, the same remote wipe capability may be needed.

Remote autolock. Both iPads and iPhones support remote autolock so that the devices themselves may be locked if lost, misplaced or stolen. They also require long pass codes to reactivate when located again. All data can be erased automatically after 10 failed attempts at entering the pass code. Before iPads (whether they are owned by clinicians or supplied by the hospital) are rolled out, they may all need to be registered with the hospital and have this feature enabled.

Authentication mechanisms. Additional authentication mechanisms may need to be implemented, using technology such as real-machine identification and a hospital-assigned, machine-specific ID that is given to a clinician. With both types of IDs, the iPad will be allowed to access the network. This is an additional security precaution to make sure that an iPad is really the iPad it says it is and, on top of that, to ensure that the user is also authenticated.

Additional anti-virus protection. Even though anti-virus protection is not available on iPads per se, additional standardized anti-virus/malware protections may be needed on the server side when iPads are rolled out. This may be true for both virtualized or a native app roll out.

Doctors and nurses have started bringing their own Apple iPads into the hospital -- and demanding access to hospital applications on them. However, iPads pose many security problems. Hospital IT departments are responding in two main ways -- virtual desktop deployment or customized native iPad applications. Many hospital systems are also finding that security precautions can be enumerated and implemented in a systematic way. The additional time, effort and resources spent on these security requirements seem to be a small price compared to the benefits that clinicians seem to be reaping from the hospital iPad use. 

Nari Kannan is currently the Chief Executive Officer of appsparq Inc., a Louisville, Kentucky-based mobile applications consulting company. Nari has over 20 years of experience in information technology. He can be reached at nari@appsparq.com. You can also contact @SearchHealthIT on Twitter.

This was first published in February 2012

Dig deeper on Electronic medical records security and data loss prevention

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

-ADS BY GOOGLE

SearchCompliance

SearchCIO

SearchCloudComputing

SearchMobileComputing

SearchSecurity

SearchStorage

Close