Why BYOD Doesn't Always Work In Healthcare
Security and screen layout problems make it difficult to let clinicians bring their own tablets and smartphones to work.
Physicians love their mobile devices and are putting increasing demands on IT organizations to connect their iPads and iPhones to the hospital and office systems. But the bring-your-own-device (BYOD) movement has its downside.
In a recent conversation with Mike Restuccia, CIO and VP at Penn Medicine--which includes 3 hospitals and about 2,200 physicians--we discussed two concerns: poor screen layout and security.
Penn uses EpicCare EMR on the ambulatory side and Allscripts Sunrise Clinical Manager for inpatient nursing documentation and CPOE. When the Allscripts program appears on a desktop computer at a nurse's station, all the data shows up on one screen, so there's no scrolling and no hidden data. But when you use the Allscripts EHR on the iPad, "the data doesn't fit, so there's scrolling required, and some hunting and pecking required," Restuccia said. "That has our patient safety representatives concerned."
Clinicians may fail to notice a critical piece of patient data that displays in the lower right-hand corner of the desktop screen--but doesn't appear at all in an initial iPad view, he says. That could put patients at risk if, for instance, that data is an allergy list.
Security is even more of an issue. "We will support any device, as long as it meets specific security- and HIPAA-driven standards," Restuccia said. If a physician wants to bring her own device into Penn's system, she's "absolutely not allowed" to have patient data on it, he said. Think thin-client here, which means, of course, that the physician would not be able to run any other apps on the machine itself.
That policy applies to BYOD physicians only. Penn has many of its own iPads assigned to clinicians. Patient data is allowed on those tablets because they're loaded with management tools that let IT locate and track the device, and, if necessary, wipe data remotely.
At the HIMSS conference last week, I spoke with two mobile security vendors that cater to healthcare providers: BoxTone and Absolute.
BoxTone maintains there are advantages to letting clinicians have patient data on their device--with the appropriate security software enabled--because configuring a mobile device in this way also allows the doctor to maintain access to all the apps he would normally load on his device, including any valuable third-party medical apps.
That means he can load the Physicians' Desk Reference app to stay current on drug indications and adverse effects, for instance, or subscribe to UpToDate, the well-respected medical search engine and database, on the machine, which can significantly improve diagnosis and treatment.
BoxTone's security platform lets healthcare providers set their own mobile device policy and procedures, and it enforces them. It offers native data protection, including always-on full-device encryption, mandatory passcode, and over-the-air encryption via VPN or Wi-Fi. Its service also lets the provider govern the amount of time a device can be idle before invoking the power-on password.
Joel Weinshank, senior marketing director at BoxTone, says the platform also includes a remote wipe function, which can selectively remove corporate or hospital data from the device while leaving personal information, including family photos and contact lists, intact.
Absolute Software likewise offers mobile device security services. In addition to wipe capabilities, Absolute uses the LoJack technology, made famous for its ability to locate stolen cars. Absolute installs the technology on laptops, smartphones, and tablets, and can locate stolen devices over the Internet using key captures, registry, and file scanning. Once a device is located, the vendor works with law enforcement agencies to recover it. Its Absolute Manage MDM platform also offers some hacking safeguards. It sets long, complex passwords, and can set up a VPN and remotely disable a device camera.
So should personal mobile devices be used in a healthcare setting? It depends on whether you have a BYOD policy, what kind of device management software you use, and how much personal data your physicians are willing to sacrifice if their devices go missing.