To allow or not to allow personal smartphones and other mobile computing devices into the healthcare setting? That's one thought becoming less of a question and more a reality check as bring-your-own-device (BYOD) initiatives become imperative for CMIOs and IT departments. It's no longer an option, Jason W. Zeller, director of information security and risk management at Kaiser Permanente, said during an April virtual event hosted by the Healthcare Information and Management Systems Society (HIMSS). Zeller noted that healthcare market adoption of smartphones is projected to be 68 percent by 2015, up from 12 percent in 2008.
Smartphones aren't the only devices getting in the healthcare game. Manhattan Research reported that physician tablet adoption for professional purposes reached 62 percent in 2012, with the iPad being the dominant platform. In addition, one-half of tablet-owning physicians have used their device at the point of care, researchers found.
Secure the weakest link
As new generations of physicians grow into their careers with mobile technology, the point of no return for wholly controlling devices may already have passed. "BYOD is here to stay," says John Halamka, MD, CIO, CMIO, Beth Israel Deaconess Medical Center (BIDMC) in Boston, where 1,000 corporate Blackberries exploded into 3,000 personal mobile devices over which he has limited control. "CMIOs need to accept the reality of BYOD and actively put in policies and technology controls to prevent these devices from accessing your network and from becoming your weakest link—that point of failure that breaches privacy."
So far, there's significant support for BYOD. At the end of 2011, 41 percent of responding HIMSS member organizations backed personal mobile devices owned by the end user for daily work activities, says Edna Boone, MA, senior director of mHIMSS, which is a HIMSS initiative focused on the adoption of mobile and wireless technology in the healthcare setting. "We expect that number to go up astronomically in the coming years."
With adoption increasing, the security of such devices must be questioned. "If you are accessing clinical information on a personal device, the last thing you would want is a keystroke logger or other malware sending your personal device data to an unauthorized third party," says Halamka. Confusion can surface on the appropriate use of consumer devices compared with devices designed specifically for corporate purposes. Gaming is a significant source of malware and any corrupt personal apps have the potential to compromise clinical data. A physician with a personal mobile device could unwittingly download an application not intended for clinical use, yet still reap the consequences of the malware.
Policies and procedures are necessary when handling BYOD, says Boone, including how long clinical data can reside on a device, whether data can be remotely wiped if the device is compromised and whether the organization allows data to be downloaded to the device or only accessed through a viewing portal. Establishing the final word on these kinds of issues ensures that end users and administrators are on the same page and expectations are clear.
For example, physicians who receive email through their phone or tablet at Southern Illinois Healthcare (SIH) in Carbondale, Ill., must sign an agreement before being allowed to access a firewalled network through their personal devices. The agreement explains how access is granted (it can be revoked at any time) and that they are to treat the data as secured data, says Nathan Phoenix, manager of infrastructure systems at SIH. If a device is compromised, stolen or lost, it can be remotely wiped. Yet, Phoenix notes that the devices act as a remote desktop connecting to tools like EMR and PACS in which no data are stored.
Phoenix says that one of the main drivers leading SIH to grant mobile access to physicians was the physicians themselves. Ali Youssef, PMP, wireless solutions architect at Henry Ford Health System (HFHS), agrees, saying the demand for ubiquitous mobility throughout the Detroit-based system helped drive adoption of BYOD.
In 2011, HFHS launched the iComply campaign, a cyber best practices crusade using encrypted media (flash and hard drives), anti-virus enforcement and mobile device registration. Taking a phased approach to BYOD, the provider currently ensures users have passwords and is making strides toward encrypting an initial 1,600 iOS and Android devices. Long-term