Embrace BYOD, For Security's Sake

Compiled by Ken Congdon, Editor In Chief, Health IT Outcomes

Are you avoiding BYOD for fear of the data security and mobile management issues it can create? Bad idea. Representatives of three healthcare facilities outline the security, productivity, and economic advantages you can realize through BYOD done right.

PANELISTS:

There’s no denying that mobile devices, particularly smartphones and tablet computers, have taken root in healthcare. In fact, according to a 2012 HIMSS Health IT survey, 80% of physicians own tablet devices. With the consumer market rapidly driving advancements in mobile technology, clinicians are clamoring to use their own personal tablets and smartphones to access hospital networks and streamline both their professional and personal lives. This trend has many healthcare IT professionals in a state of panic.

In IT circles, a BYOD (bring your own device) environment means poor device visibility, a lack of IT control, and a huge data security liability. As a result, many healthcare IT departments have taken a firm “anti-BYOD” stance — forbidding outside devices from accessing healthcare networks. In fact, the results of our Top 10 Health IT Trends survey outlined earlier in this issue seem to illustrate just how unpopular BYOD is in the healthcare IT community. While Mobile/Tablet Computing ranked as our #4 trend overall with 53% of respondents rating the initiative as a “Top Priority” or “Priority,” BYOD came in at #32 with only 26.6% of respondents rating the initiative as a “Top Priority” or “Priority.”

While establishing draconian controls against BYOD is definitely one approach you can take, it’s not a good one. In fact, it’s probably the equivalent of the proverbial head in the sand. If your clinicians want to use their own devices on the job badly enough, some will find a way with or without your blessing. In fact, according to a 2011 Mobile Policy Best Practices Study by Forrester Research, 37% of employees use noncompliant devices on corporate networks before formal policies or permissions are instituted.

Not only are draconian controls unlikely to be effective, but they also prevent you from realizing the benefits an effective BYOD solution can offer. You see, many of the data security and management fears associated with BYOD are unfounded. In fact, if done correctly, a BYOD policy can actually be as secure as a corporate device policy, while saving your healthcare facility money and increasing the workforce productivity. Three healthcare facilities in particular — Western Maryland Health System, Yale New Haven Health, and Resources for Human Development — provide firsthand accounts of the advantages of BYOD in the following Industry Roundtable.

Q: What was the impetus for embracing a BYOD approach at your facility?

Byers: Western Maryland Health System employs more than 200 physicians, many of whom have installed their own ambulatory EMR systems over the years. There was a desire for these physicians to access their practice EMRs while working in the hospital. Since there are four or five different ambulatory EMR systems in use by our physicians, it was going to be extremely difficult to provide all physicians with access to their EMRs on hospital PCs using traditional VPN connections. Instead, we decided to deploy a BYOD Wi-Fi solution that would allow each physician to bring a mobile device of their choosing into the hospital and access their practice EMR system on this device via Citrix XenServer.

Walls: For Resources for Human Development, BYOD was a necessity to control costs. We used to take a corporate-issued approach exclusively, but then we conducted an internal survey and learned that over 90% of our employees already owned smartphones. We realized if we could figure out how to leverage these employeeowned smartphones and still follow our compliance policies, we could save a large sum of money annually.

Many question the security of BYOD, but that was never really a concern of mine. One of the things I’ve learned in my experience is that a centralized approach to mobile device management doesn’t necessarily mean it’s more secure. In fact, a centralized approach can actually present a greater security issue if your centralized controls aren’t as strong as you think they are.

Roberts: Yale New Haven Health was recently reorganized. Mobile device use increased by more than 400% in the first two years after this reorganization. Senior management determined that stricter policies were needed to police this mobile environment. We realized we could operate more efficiently if we embraced BYOD in conjunction with our corporate-issued device practices.

Q: What personal mobile devices are in play at your facility, and what corporate assets can they access?

Roberts: We currently support all major mobile operating systems (i.e. iOS, Android, Windows Mobile, BlackBerry, and Symbian). Originally, we said we could support all devices as well, but this became problematic due to the rate of innovation and fragmentation in the mobile device market. We now provide our employees with a list of approved devices they can choose from.

The corporate resources employees can access depend on the employee. For example, all employees are granted corporate email access, physicians and other clinicians are allowed to access our Epic EHR system via Citrix, and other employees (e.g. accounting, IT personnel) are provided access to other key line-of-business systems. Network permissions are controlled on these devices using the same programs (e.g. Active Directory) that control access on the wired network.

Q: How do you ensure BYOD security?

Byers: Two of the things we do are very low-tech. First, we’re extremely restrictive with who gets access to corporate resources. Second, once they’ve been approved to access corporate resources, they are given a pre-shared key (PSK) to secure the channel. In addition, Citrix provides a virtual connection that ensures no corporate data is actually stored on the mobile device.

Walls: We’ve deployed the MaaS360 mobile device management (MDM) solution from Fiberlink. This software provides IT with visibility into its BYOD ecosystem and provides IT with a level of control and management over the device. For example, if a device is lost or an employee is terminated, the corporate applications and email on the device can be remotely wiped by IT personnel. We also install antivirus and anti-malware software on employee devices and require employees to leverage the autolocking feature.

Roberts: It all starts with policy. We create policies that dictate that all personal devices must be encrypted. All participants in our BYOD program must also agree to have our MaaS360 MDM software installed on their device. If the MDM client is removed, the device is immediately quarantined, and any company assets and applications are immediately erased. At that time, the employee would also no longer have access to any corporate systems.

Q: How do you ensure personal use of the device doesn’t interfere with professional use and vice versa?

Byers: We use OpenDNS to restrict the access to personal websites and applications while on our physician BYOD networks. We also use a firewall to block employees from using an alternative DNS (domain name system). This practice is effective at corralling a majority of the “time wasters.”

Walls: Our MDM solution allows you to define devices as being personally owned or corporate owned. All personally owned devices are given a certain profile that limits IT’s visibility into that device. In other words, IT can’t pry into an employee’s personal world. We only have access and control over the applications and services we deploy. It doesn’t allow us to see an employee’s personal downloads and applications. This assures our employees of a level of privacy, while still giving us control and access to our assets.

Q: What BYOD benefits have you realized?

Byers: Our physicians are happy and much more productive now that they are able to access their ambulatory EMRs remotely from their mobile device. This capability has also helped to improve patient care. For example, while at the hospital, physicians can now compare notes in the hospital’s Meditech EHR with the notes in their ambulatory EMR systems. This real-time visibility aids in better diagnosis and treatment.

Walls: With MDM software, BYOD has been a very secure approach for us. We have the ability to monitor our entire mobile ecosystem, control network access, and protect against data loss. The solution has also provided us with significant cost savings. When we issued mobile devices at the corporate level, we spent about $65 a month on each device for the service plan and maintenance. We also had to pay for each device. With our BYOD solution, we offer employees a $30 a month stipend. It’s a win-win scenario. We no longer have to purchase each device, and we reduce our service and maintenance costs by more than half. At the same time, the stipend we provide employees helps them offset the cost of their personal service plan and encourages participation in the BYOD program.

Roberts: When you embrace BYOD, one of the big benefits is increased employee productivity. Since it is a device the user is comfortable with, and not one you’ve forced upon them, adoption and use is much greater. Using MDM to support your BYOD efforts also provides several advantages to IT. For example, MDM allows you to centrally manage and deploy applications to all mobile devices on all platforms in your ecosystem. You don’t need IT personnel to physically touch every device to ensure apps are installed and configured properly. This saves a ton of time and allows you to focus the efforts of your IT staff on more important projects.