2/28/2012
01:19 PM
Paul Cerrato
Commentary

Why BYOD Doesn't Always Work In Healthcare

Security and screen layout problems make it difficult to let clinicians bring their own tablets and smartphones to work.

Physicians love their mobile devices and are putting increasing demands on IT organizations to connect their iPads and iPhones to the hospital and office systems. But the bring-your-own-device (BYOD) movement has its downside.

In a recent conversation with Mike Restuccia, CIO and VP at Penn Medicine--which includes 3 hospitals and about 2,200 physicians--we discussed two concerns: poor screen layout and security.

Penn uses EpicCare EMR on the ambulatory side and Allscripts Sunrise Clinical Manager for inpatient nursing documentation and CPOE. When the Allscripts program appears on a desktop computer at a nurse's station, all the data shows up on one screen, so there's no scrolling and no hidden data. But when you use the Allscripts EHR on the iPad, "the data doesn't fit, so there's scrolling required, and some hunting and pecking required," Restuccia said. "That has our patient safety representatives concerned."

Clinicians may fail to notice a critical piece of patient data that displays in the lower right-hand corner of the desktop screen--but doesn't appear at all in an initial iPad view, he says. That could put patients at risk if, for instance, that data is an allergy list.


Security is even more of an issue. "We will support any device, as long as it meets specific security- and HIPAA-driven standards," Restuccia said. If a physician wants to bring her own device into Penn's system, she's "absolutely not allowed" to have patient data on it, he said. Think thin-client here, which means, of course, that the physician would not be able to run any other apps on the machine itself.

That policy applies to BYOD physicians only. Penn has many of its own iPads assigned to clinicians. Patient data is allowed on those tablets because they're loaded with management tools that let IT locate and track the device, and, if necessary, wipe data remotely.

At the HIMSS conference last week, I spoke with two mobile security vendors that cater to healthcare providers: BoxTone and Absolute.

BoxTone maintains there are advantages to letting clinicians have patient data on their device--with the appropriate security software enabled--because configuring a mobile device in this way also allows the doctor to maintain access to all the apps he would normally load on his device, including any valuable third-party medical apps.

That means he can load the Physicians' Desk Reference app to stay current on drug indications and adverse effects, for instance, or subscribe to UpToDate, the well-respected medical search engine and database, on the machine, which can significantly improve diagnosis and treatment.

BoxTone's security platform lets healthcare providers set their own mobile device policy and procedures, and it enforces them. It offers native data protection, including always-on full-device encryption, mandatory pass code, and over-the-air encryption via VPN or Wi-Fi. Its service also lets the provider govern the amount of time a device can be idle before invoking the power-on password.

Joel Weinshank, senior marketing director at BoxTone, says the platform also includes a remote wipe function, which can selectively remove corporate or hospital data from the device while leaving personal information, including family photos and contact lists, intact.

Absolute Software likewise offers mobile device security services. In addition to wipe capabilities, Absolute uses the LoJack technology, made famous for its ability to locate stolen cars. Absolute installs the technology on laptops, smartphones, and tablets, and can locate stolen devices over the Internet using key captures, registry, and file scanning. Once a device is located, the vendor works with law enforcement agencies to recover it. Their Absolute Manage MDM platform also offers some hacking safeguards. It sets long, complex passwords, and can set up a VPN and remotely disable a device camera.

So should personal mobile devices be used in a healthcare setting? It depends on whether you have a BYOD policy, what kind of device management software you use, and how much personal data your physicians are willing to sacrifice if their devices go missing.


Comments
Sabrina
User Rank: Apprentice
3/1/2012 | 6:59:46 AM
re: Why BYOD Doesn't Always Work In Healthcare
Yeah, I agree with you.
herman_munster
User Rank: Apprentice
2/29/2012 | 9:23:49 PM
re: Why BYOD Doesn't Always Work In Healthcare
I have to be honest, BYOD in healthcare more or less terrifies me! The only thing worse than EMRs, in my opinion, is the ability to access EMRs on personally owned devices.
melgross
User Rank: Apprentice
2/29/2012 | 5:14:20 PM
re: Why BYOD Doesn't Always Work In Healthcare
What's interesting, though, is the speed at which these devices are being adopted. With the iPhone and iPad being the most adopted devices, security is easier, as there are companies such as Goode that can be used, if required, to fill in the management and security holes. With hospitals and doctors around the world standardizing on those two products, there's less of an issue than there would be if a wide variety of devices were being used.
Jfez
User Rank: Apprentice
2/29/2012 | 4:50:26 PM
re: Why BYOD Doesn't Always Work In Healthcare
Security is a big issue with BYOD, but I do think these are early days. There is much work to be done in order to make any personal device more secure. http://ow.ly/9mG2O
ANON1248452625609
User Rank: Apprentice
2/29/2012 | 2:42:32 PM
re: Why BYOD Doesn't Always Work In Healthcare
A great article that brings up the case for moving all the applications to a web-enabled state. By having "thin client" solutions in place, it really diminishes much of the data issues residing on individuals' devices, as all the data will always stay on the server. Also, as mobile is becoming so dominant in the workplace and especially in healthcare, IT and its vendors need to have mobile sites/solutions developed for these devices to resolve the screen issues.

We work with a number of healthcare providers on the marketing side, and because of the shift to mobile we have now developed two landing pages, one for the traditional desktop/laptop and the other for mobile. One has to remember mobile devices need to access "finger friendly" sites, as they usually don't have mice, and the mobile site needs to be able to detect if it's displaying to a tablet or to a smartphone.

The biggest challenge for the healthcare CIO is their heavy dependence on their vendors' solutions and their vendors' ability to make these enhancements to keep in step with their user demands.