Risk
2/28/2012
01:19 PM
Paul Cerrato
Paul Cerrato
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Why BYOD Doesn't Always Work In Healthcare

Security and screen layout problems make it difficult to let clinicians bring their own tablets and smartphones to work.

Physicians love their mobile devices and are putting increasing demands on IT organizations to connect their iPads and iPhones to the hospital and office systems. But the bring-your-own-device (BYOD) movement has its downside.

In a recent conversation with Mike Restuccia, CIO and VP at Penn Medicine--which includes 3 hospitals and about 2,200 physicians--we discussed two concerns: Poor screen layout and security.

Penn uses EpicCare EMR on the ambulatory side and Allscripts Sunrise Clinical Manager for inpatient nursing documentation and CPOE. When the Allscripts program appears on a desktop computer at a nurse's station, all the data shows up on one screen, so there's no scrolling and no hidden data. But when you use the Allscripts EHR on the iPad, "the data doesn't fit, so there's scrolling required, and some hunting and pecking required," Restuccia said. "That has our patient safety representatives concerned."

Clinicians may fail to notice a critical piece of patient data that displays on lower right hand corner of the desktop screen--but doesn't appear at all in an initial iPad view, he says. That could put patients at risk if, for instance, that data is an allergy list.

[ For background on e-prescribing tools, see 6 E-Prescribing Vendors To Watch. ]

Security is even more of an issue. "We will support any device, as long as it meets specific security- and HIPAA-driven standards," Restuccia said. If a physician wants to bring her own device into Penn's system, she's "absolutely not allowed" to have patient data on it, he said. Think thin-client here, which means, of course, that the physician would not be able to run any other apps on the machine itself.

That policy applies to BYOD physicians only. Penn has many of its own iPads assigned to clinicians. Patient data is allowed on those tablets because they're loaded with management tools that let IT locate and track the device, and, if necessary, wipe data remotely.

At the HIMSS conference last week, I spoke with two mobile security vendors that cater to healthcare providers: Boxtone and Absolute.

Boxtone maintains there are advantages to letting clinicians have patient data on their device--with the appropriate security software enabled--because configuring a mobile device in this way also allows the doctor to maintain access to all the apps he would normally load on his device, including any valuable third-party medical apps.

That means he can load the Physicians' Desk Reference app to stay current on drug indications and adverse effects, for instance, or subscribe to UpToDate, the well-respected medical search engine and database, on the machine, which can significantly improve diagnosis and treatment.

Boxtone's security platform lets healthcare providers set their own mobile device policy and procedures, and it enforces them. It offers native data protection, including always-on full-device encryption, mandatory pass code, and over-the-air encryption via VPN or Wi-Fi. Its service also lets the provider govern the amount of time a device can be idle before invoking the power-on password.

Joel Weinshank, senior marketing director at BoxTone, says the platform also includes a remote wipe function, which can selectively remove corporate or hospital data from the device while leaving personal information, including family photos and contact lists, intact.

Absolute Software likewise offers mobile device security services. In addition to wipe capabilities, Absolute uses the LoJack technology, made famous for its ability to locate stolen cars. Absolute installs the technology on laptops, smartphones, and tablets, and can locate stolen devices over the Internet using key captures, registry, and file scanning. Once a device is located, the vendor works with law enforcement agencies to recover it. Their Absolute Manage MDM platform also offers some hacking safeguards. It sets long, complex passwords, and can set up a VPN and remotely disable a device camera.

So should personal mobile devices be used in a healthcare setting? It depends on whether you have a BYOD policy, what kind of device management software you use, and how much personal data your physicians are willing to sacrifice if their devices go missing.

Healthcare providers must collect all sorts of performance data to meet emerging standards. The new Pay For Performance issue of InformationWeek Healthcare delves into the huge task ahead. Also in this issue: Why personal health records have flopped. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Sabrina
50%
50%
Sabrina,
User Rank: Apprentice
3/1/2012 | 6:59:46 AM
re: Why BYOD Doesn't Always Work In Healthcare
Yeah i agree with you
herman_munster
50%
50%
herman_munster,
User Rank: Apprentice
2/29/2012 | 9:23:49 PM
re: Why BYOD Doesn't Always Work In Healthcare
I have to be honest, BYOD in healthcare more or less terrifies me! The only thing worse than EMR's in my opinion is the ability to access EMR's on personally owned devices.
melgross
50%
50%
melgross,
User Rank: Apprentice
2/29/2012 | 5:14:20 PM
re: Why BYOD Doesn't Always Work In Healthcare
What's interesting though, is the speed in which these devices are being adopted. With the iPhone and iPad being the most adopted devices, security is easier, as there are companies such as Goode that can be used, if required, to fill in the managment and security holes. With hospitals and doctors around the world standardizing on those two products, there's less of an issue than there would be if a wide variety of devices were being used.
Jfez
50%
50%
Jfez,
User Rank: Apprentice
2/29/2012 | 4:50:26 PM
re: Why BYOD Doesn't Always Work In Healthcare
Security is a big issue with BOYD, but I do think these are early days. There is much work to be done in order to make any personal device more secure. http://ow.ly/9mG2O
ANON1248452625609
50%
50%
ANON1248452625609,
User Rank: Apprentice
2/29/2012 | 2:42:32 PM
re: Why BYOD Doesn't Always Work In Healthcare
A great article that brings up the case for moving all the applications to a web enabled state. By having "thin client" solutions in place it really diminishes much of the data issues residing on individuals devices as all the data will always stay on the server. Also as mobile is becoming so dominate in the workplace and especially in healthcare, IT and its vendor needs to have mobile sites/solutions developed for these devices to resolve the screen issues.

We work with a number of healthcare providers on the marketing side and because of the shift to mobile we now developed two landing pages on for the traditional desktop/laptop and the other for mobile. One has to remember mobile devices need to access "finger friendly" sites as they usually don't have mice and the mobile site needs to be able to detect if its displaying to a table or to a smart phone.

The biggest challenge for the healthcare CIO is there heavy dependence on their vendor's solutions and their vendors ability to make these enhancements to keep in step with their user demands.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-0334
Published: 2014-10-31
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

CVE-2014-2334
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2335
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2336
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 and FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2334 and CVE-2014-2335.

CVE-2014-3366
Published: 2014-10-31
SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.