Guide: Securing patient data while promoting BYOD in healthcare
The mobile world is awash with devices running on at least four major operating systems. The variations spanned by these systems can complicate already muddled bring-your-own-device policies. But with a lot of planning and the right technology, healthcare providers can allow staff to use their own smartphones and tablets safely and securely.
Clinicians primarily used Blackberry devices until a few years ago, regardless of whether the phones were purchased by the employee or the organization. The use of a single Blackberry enterprise server made it relatively simple for IT departments to support these devices. But everything changed when consumers started migrating to iPhones and smartphones running the Android operating system, and clinicians began using their personal devices for work tasks. Organizations' Blackberry enterprise servers could not support these devices, which meant the IT department had less control over the security of devices brought in by employees.
Enter mobile device management software
In response to these challenges, many organizations have implemented mobile device management (MDM) software, which is typically a server component that controls mobile device access. Doug Lauterbach, assistant vice president of technology at Jefferson Parish, La.-based Ochsner Health System, said his organization uses an MDM system to ensure the devices of employees who participate in bring your own device (BYOD) are password-protected and encrypt data.
He said Ochsner's BYOD policy wouldn't be able to allow staff to use iPhones or Android devices if it weren't for MDM software because they are more open environments than Blackberry, and it would be impossible to guarantee appropriate security protocols.
"MDM allows us to lock down what we need and to enforce our policies and not let users opt out of it," he said. "If we didn't have a mobile device strategy we wouldn't let Android and iOS access our system."
Chris Belmont, Ochsner's system vice president and CIO, added that the MDM system lets him "get out of the device business." Helping employees to securely use their own devices at work means the organization no longer has to provide smartphones for its staff. This gives the organization greater flexibility and helps avoid problems, such as fights over who owns a wireless phone number after an employee moves on, or the fact that employees' tenure at the health system rarely proceeds at two-year intervals, the standard term for wireless contracts.
BYOD policies still come first
Simply installing an MDM system won't solve all of an organization's BYOD problems. Ed Ivone, corporate director of networking and telecommunications at Detroit, Mich.-based Henry Ford Health System, said the technology does play a key role in an organization's ability to manage devices running various operating systems. But a health system needs to know what devices it wants to support and what security procedures it wants to enforce before selecting and implementing a system.
Because MDM software turns a number of device controls over to the IT department, staff must consent to enroll their device. Therefore, policies should clearly spell out the terms of enrollment, including the security settings that will be changed, what kinds of applications will be restricted, and what happens in the event the device is lost or stolen. Employees also need to understand what happens if they decline to enroll their device. At Henry Ford Health System, employees who do not enroll their devices are limited to guest access, which diminishes the benefit of bringing their own device.
"I really feel that I can control and manage those devices, but when we're talking BYOD, I can't force you to enroll and allow me to manage the device," Ivone said. "I can only say, 'If you do it, here's the benefit to you, and if you don't do it, you get basic access.' Managing the devices isn't really a problem, it becomes a policy issue."
IDC Health Insights analyst Lynne Dunbrack said purchasing and implementing an MDM system before setting BYOD policies could ultimately be wasteful.
"If [hospitals] don't set the policy first and buy the tools, they may find that they have tools that don't support the policy," Dunbrack said. She added that policy planning should take place as early as possible in the BYOD implementation process.
Keep an eye to the horizon
IT managers should continually keep an eye out for new devices that may run operating systems that are not supported by their existing infrastructure. Ivone said he worries about young clinicians coming out of school who are more technologically plugged in than older employees. They may be the most likely to show up at the hospital looking to use a device that IT systems are not prepared to support.
Belmont said people asked for IT support on hospital networks for the iPhone 5 on the same day it was released. Windows phones could complicate things further. No one at Ochsner has yet asked for support for these devices, but the operating system is different enough that it's unclear whether the health system's MDM software would support them. Lauterbach and his co-workers are already working on putting together a list of devices that Ochsner's MDM system supports and those it doesn't.
"We don't need to find out after the fact when somebody goes out and buys a new device and they bring it to me and I say, 'It doesn't work,'" Lauterbach said.