Risk
2/28/2012
01:19 PM
Paul Cerrato
Commentary

Why BYOD Doesn't Always Work In Healthcare

Security and screen layout problems make it difficult to let clinicians bring their own tablets and smartphones to work.

Physicians love their mobile devices and are putting increasing demands on IT organizations to connect their iPads and iPhones to the hospital and office systems. But the bring-your-own-device (BYOD) movement has its downside.

In a recent conversation with Mike Restuccia, CIO and VP at Penn Medicine--which includes 3 hospitals and about 2,200 physicians--we discussed two concerns: poor screen layout and security.

Penn uses EpicCare EMR on the ambulatory side and Allscripts Sunrise Clinical Manager for inpatient nursing documentation and CPOE. When the Allscripts program appears on a desktop computer at a nurse's station, all the data shows up on one screen, so there's no scrolling and no hidden data. But when you use the Allscripts EHR on the iPad, "the data doesn't fit, so there's scrolling required, and some hunting and pecking required," Restuccia said. "That has our patient safety representatives concerned."

Clinicians may fail to notice a critical piece of patient data that displays in the lower right-hand corner of the desktop screen--but doesn't appear at all in an initial iPad view, he says. That could put patients at risk if, for instance, that data is an allergy list.

Security is even more of an issue. "We will support any device, as long as it meets specific security- and HIPAA-driven standards," Restuccia said. If a physician wants to bring her own device into Penn's system, she's "absolutely not allowed" to have patient data on it, he said. Think thin-client here, which means, of course, that the physician would not be able to run any other apps on the machine itself.

That policy applies to BYOD physicians only. Penn has many of its own iPads assigned to clinicians. Patient data is allowed on those tablets because they're loaded with management tools that let IT locate and track the device, and, if necessary, wipe data remotely.

At the HIMSS conference last week, I spoke with two mobile security vendors that cater to healthcare providers: BoxTone and Absolute.

BoxTone maintains there are advantages to letting clinicians have patient data on their device--with the appropriate security software enabled--because configuring a mobile device in this way also allows the doctor to maintain access to all the apps he would normally load on his device, including any valuable third-party medical apps.

That means he can load the Physicians' Desk Reference app to stay current on drug indications and adverse effects, for instance, or subscribe to UpToDate, the well-respected medical search engine and database, on the machine, which can significantly improve diagnosis and treatment.

BoxTone's security platform lets healthcare providers set their own mobile device policy and procedures, and it enforces them. It offers native data protection, including always-on full-device encryption, mandatory pass code, and over-the-air encryption via VPN or Wi-Fi. Its service also lets the provider govern the amount of time a device can be idle before invoking the power-on password.

Joel Weinshank, senior marketing director at BoxTone, says the platform also includes a remote wipe function, which can selectively remove corporate or hospital data from the device while leaving personal information, including family photos and contact lists, intact.

Absolute Software likewise offers mobile device security services. In addition to wipe capabilities, Absolute uses the LoJack technology, made famous for its ability to locate stolen cars. Absolute installs the technology on laptops, smartphones, and tablets, and can locate stolen devices over the Internet using key captures, registry, and file scanning. Once a device is located, the vendor works with law enforcement agencies to recover it. Its Absolute Manage MDM platform also offers some hacking safeguards. It sets long, complex passwords, and can set up a VPN and remotely disable a device camera.

So should personal mobile devices be used in a healthcare setting? It depends on whether you have a BYOD policy, what kind of device management software you use, and how much personal data your physicians are willing to sacrifice if their devices go missing.

Comments
ANON1248452625609,
User Rank: Apprentice
2/29/2012 | 2:42:32 PM
re: Why BYOD Doesn't Always Work In Healthcare
A great article that brings up the case for moving all the applications to a web-enabled state. By having "thin client" solutions in place it really diminishes much of the data issues residing on individuals' devices as all the data will always stay on the server. Also, as mobile is becoming so dominant in the workplace and especially in healthcare, IT and its vendor need to have mobile sites/solutions developed for these devices to resolve the screen issues.

We work with a number of healthcare providers on the marketing side and because of the shift to mobile we now developed two landing pages, one for the traditional desktop/laptop and the other for mobile. One has to remember mobile devices need to access "finger friendly" sites as they usually don't have mice and the mobile site needs to be able to detect if it's displaying to a tablet or to a smart phone.

The biggest challenge for the healthcare CIO is their heavy dependence on their vendor's solutions and their vendor's ability to make these enhancements to keep in step with their user demands.
Jfez,
User Rank: Apprentice
2/29/2012 | 4:50:26 PM
re: Why BYOD Doesn't Always Work In Healthcare
Security is a big issue with BYOD, but I do think these are early days. There is much work to be done in order to make any personal device more secure. http://ow.ly/9mG2O
melgross,
User Rank: Apprentice
2/29/2012 | 5:14:20 PM
re: Why BYOD Doesn't Always Work In Healthcare
What's interesting, though, is the speed at which these devices are being adopted. With the iPhone and iPad being the most adopted devices, security is easier, as there are companies such as Goode that can be used, if required, to fill in the management and security holes. With hospitals and doctors around the world standardizing on those two products, there's less of an issue than there would be if a wide variety of devices were being used.
Sabrina,
User Rank: Apprentice
3/1/2012 | 6:59:46 AM
re: Why BYOD Doesn't Always Work In Healthcare
Yeah, I agree with you
herman_munster,
User Rank: Apprentice
2/29/2012 | 9:23:49 PM
re: Why BYOD Doesn't Always Work In Healthcare
I have to be honest, BYOD in healthcare more or less terrifies me! The only thing worse than EMRs, in my opinion, is the ability to access EMRs on personally owned devices.