Buckle Down On Bring Your Own Device


To allow or not to allow personal smartphones and other mobile computing devices into the healthcare setting? That question is becoming less of a debate and more of a reality check as bring-your-own-device (BYOD) initiatives become imperative for CMIOs and IT departments. It's no longer an option, Jason W. Zeller, director of information security and risk management at Kaiser Permanente, said during an April virtual event hosted by the Healthcare Information and Management Systems Society (HIMSS). Zeller noted that healthcare market adoption of smartphones is projected to be 68 percent by 2015, up from 12 percent in 2008.

Smartphones aren't the only devices getting in the healthcare game. Manhattan Research reported that physician tablet adoption for professional purposes reached 62 percent in 2012, with the iPad being the dominant platform. In addition, one-half of tablet-owning physicians have used their device at the point of care, researchers found.

Secure the weakest link

As new generations of physicians grow into their careers with mobile technology, the point of no return of wholly controlling devices may already be past. "BYOD is here to stay," says John Halamka, MD, CIO, CMIO, Beth Israel Deaconess Medical Center (BIDMC) in Boston, where 1,000 corporate Blackberries exploded into 3,000 personal mobile devices over which he has limited control. "CMIOs need to accept the reality of BYOD and actively put in policies and technology controls to prevent these devices from accessing your network and from becoming your weakest link—that point of failure that breaches privacy."

So far, there's significant support for BYOD. At the end of 2011, 41 percent of responding HIMSS member organizations backed personal mobile devices owned by the end user for daily work activities, says Edna Boone, MA, senior director of mHIMSS, which is a HIMSS initiative focused on the adoption of mobile and wireless technology in the healthcare setting. "We expect that number to go up astronomically in the coming years."

With adoption increasing, the security of such devices must be questioned. "If you are accessing clinical information on a personal device, the last thing you would want is a keystroke logger or other malware sending your personal device data to an unauthorized third party," says Halamka. Confusion can surface on the appropriate use of consumer devices compared with devices designed specifically for corporate purposes. Gaming is a significant source of malware and any corrupt personal apps have the potential to compromise clinical data. A physician with a personal mobile device could unwittingly download an application not intended for clinical use, yet still reap the consequences of the malware.

Policies and procedures are necessary when handling BYOD, says Boone, including how long clinical data can reside on a device, whether data can be remotely wiped if the device is compromised and whether the organization allows for downloading data to the device or just accessed through a viewing portal. Establishing the final word on these kinds of issues ensures that end users and administrators are on the same page and expectations are clear.

For example, physicians who receive email through their phone or tablet at Southern Illinois Healthcare (SIH) in Carbondale, Ill., must sign an agreement before being allowed to access a firewalled network through their personal devices. The agreement explains how access is granted (it can be revoked at any time) and requires them to treat the data as secured data, says Nathan Phoenix, manager of infrastructure systems at SIH. If a device is compromised, stolen or lost, it can be remotely wiped. Still, Phoenix notes that the devices act as remote desktops connecting to tools such as the EMR and PACS, so no data are stored on the device itself.

Phoenix says that one of the main drivers leading SIH to grant mobile access to physicians was the physicians themselves. Ali Youssef, PMP, wireless solutions architect at Henry Ford Health System (HFHS), agrees, saying the demand for ubiquitous mobility throughout the Detroit-based system helped drive adoption of BYOD.

In 2011, HFHS launched the iComply campaign, a cyber best practices crusade using encrypted media (flash and hard drives), anti-virus enforcement and mobile device registration. Taking a phased approach to BYOD, the provider currently ensures users have passwords and is making strides toward encrypting an initial 1,600 iOS and Android devices. Long-term strategies for BYOD policy enforcement include anti-virus enforcement where the devices can scan for viruses and role-based network access and service provisioning.

Ready... Set... Assess

As clinical administrators share their experiences, it's clear there is no silver bullet for best practices. Because these personal devices are being used for clinical care, part of the change management challenge is balancing work and life, says Youssef. "We're in the initial phase. You need to approach [BYOD] systematically. You can't enforce unrealistic policies."

HFHS is not alone in exploring best practices. According to a December 2011 mHIMSS survey on mobile technology, 41 percent of respondents noted that federal policies and regulations relating to mobile technologies and devices are considered as organizations explore potential policies. Thirty percent indicated their organization is in wait-and-see mode, while 10 percent said their organization is being forced to develop a policy for the first time as a result of federal policies and regulations.

Policies may differ by organization, but Tony S. Reed, MD, MBA, CMIO of AtlantiCare in Atlantic City, N.J., suggests a readiness assessment as a good start. "You have to make sure practitioners are ready for both the technology and for the security processes and protocols that come with the technology," he says. Having a physician say he or she wants the ability to use his or her personal mobile device for viewing patient lists is not as simple as the reality of the security protocols. Reed asks physicians whether they are prepared to lock down the device to restrict third-party software downloads, whether they are comfortable with five-minute lockouts that require re-entering a network password, and whether they can handle a program time-out function with a separate password. "People usually respond, 'No, I just want to push a button and have clinical information there,' which is not the way it works; it's not that simple," he says.

This method is still faster than physically entering the hospital, finding a computer, booting up the program, entering a password and pulling up a patient list, Reed notes, but physicians need to understand that while mobile access to healthcare data is faster, it's not instantaneous. "There needs to be a cultural understanding that if you are going to use a personal device to access corporate data, it comes with certain restrictions and controls," says Halamka.

AtlantiCare is in the process of exploring BYOD platforms and ensuring appropriate software is in place to enforce encryption and maintain corporate standards. From aligning device expectations between medical and IT departments to assuaging security concerns, Reed says organizations must build a roadmap. The organization already has deployed 200 devices to senior executives, and Reed estimates that the conversion to BYOD will occur within six months to a year.

AtlantiCare isn't the only organization diving into the regulatory morass. A consulting firm is conducting an omnibus security audit of BIDMC this summer to determine the institution's adherence to best BYOD practices, says Halamka. In addition, BIDMC will look into technical enforcements to drive BYOD policies. One pilot will restrict access to corporate email unless the Android phone or Apple device is encrypted and password-protected. The organization also will explore adaptive authentication, a feature that creates a risk profile of someone trying to access data.
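The access gate described in this pilot, together with the five-minute lockout and the restriction on third-party downloads Reed asks physicians about, can be expressed as a device-posture policy. The following is an added illustration, not BIDMC's or any vendor's code: it evaluates constructed MDM-style device records and denies mail access unless every control is positively confirmed (an unknown attribute fails closed).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Five-minute inactivity lockout, as described in the article.
MAX_AUTOLOCK_SECONDS = 300

@dataclass
class DevicePosture:
    """Constructed posture record, shaped like what an MDM might report."""
    device_id: str
    platform: str                                  # "ios" or "android"
    encrypted: Optional[bool] = None               # None = not reported
    passcode_set: Optional[bool] = None
    autolock_seconds: Optional[int] = None
    third_party_installs_blocked: Optional[bool] = None

def evaluate(dev: DevicePosture) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Access is granted only when each control
    is confirmed True; a missing or False value produces a denial reason."""
    reasons: List[str] = []
    if dev.platform not in ("ios", "android"):
        reasons.append("unsupported platform")
    if dev.encrypted is not True:
        reasons.append("storage encryption not confirmed")
    if dev.passcode_set is not True:
        reasons.append("device passcode not set")
    if dev.autolock_seconds is None or dev.autolock_seconds > MAX_AUTOLOCK_SECONDS:
        reasons.append(f"auto-lock must be <= {MAX_AUTOLOCK_SECONDS}s")
    if dev.third_party_installs_blocked is not True:
        reasons.append("third-party app installs not restricted")
    return (not reasons, reasons)

def gate_mail_access(devices: List[DevicePosture]) -> Dict[str, Tuple[bool, List[str]]]:
    """Evaluate a whole fleet; maps device_id -> (allowed, reasons)."""
    return {d.device_id: evaluate(d) for d in devices}

# Constructed sample fleet (hypothetical device IDs).
SAMPLE_FLEET = [
    DevicePosture("dev-001", "ios", True, True, 300, True),        # compliant
    DevicePosture("dev-002", "android", True, True, 600, True),    # locks too slowly
    DevicePosture("dev-003", "android", None, True, 120, True),    # encryption unknown
    DevicePosture("dev-004", "ios", True, False, 60, True),        # no passcode
]

if __name__ == "__main__":
    for dev_id, (ok, why) in gate_mail_access(SAMPLE_FLEET).items():
        print(dev_id, "ALLOW" if ok else "DENY", "; ".join(why))
```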

Concern about security and mobile devices is well-founded. An April report from technology services provider CDW found that 25 percent of 654 IT professionals surveyed experienced data loss in the last two years, while the number of people accessing organizational networks increased an average of 41 percent during the same time period. Thus, expect to see a host of new security tools for smartphones. One such product to be tested at BIDMC creates secure containers on a smartphone, says Halamka. This type of product could, in effect, divide a smartphone into a corporate memory space and a personal memory space to avoid cross-contamination.

While organizations continue to work toward best security practices, it's often a journey with no finish line. Facing evolving security risks with fixed resources and time, organizations should strive to do their best now while continually improving and looking forward.