From The Editor | July 26, 2012

How To Embrace BYOD Without Compromising Health Data Security

Ken Congdon, Editor In Chief of Health IT Outcomes

 By Ken Congdon, editor in chief, Health IT Outcomes
Follow Me On Twitter @KenOnHIT

A BYOD (bring your own device) approach to mobility doesn’t have to lead to a loss of corporate control or increased security risks. In fact, when leveraged correctly, BYOD can provide a secure and cost-effective mobile option.

When it comes to healthcare mobility, the desires of clinicians and the fears of health IT executives are currently on a collision course. On one hand, consumer smartphones and tablets have clearly hit home with physicians. According to recent research, 80% of physicians currently own tablet devices and 59% use mobile devices to run line-of-business applications. Now more than ever, clinicians want to use their nifty personal devices on the job — whether it’s to enhance physician/patient interaction by reviewing data directly at the patient bedside, or simply as a means to consolidate the number of devices and passwords a physician is forced to manage.

On the other hand, this BYOD (bring your own device) movement does not sit well with most health IT executives. Protecting health data is a top priority for IT, and historically, this has been accomplished through strict centralized control of the devices that access this data. A BYOD approach flies in the face of this convention, and creates some unique mobile device management and data security challenges. For this reason, several healthcare organizations prohibit personal devices from accessing hospital systems. Others support BYOD, but are still trying to figure out how to do so without compromising the integrity of their health data.

The BYOD inhibitors for IT are numerous. First, to truly protect the health data that resides in a hospital system, IT needs to have complete visibility and control over the devices that access this data. This can be difficult to accomplish when dealing with multiple device types from a variety manufacturers that leverage different operating systems. Controlling bandwidth distribution can also be an issue. For example, many hospitals provide guests and patients with Internet access over the same Wi-Fi network clinicians use to access hospital systems via a mobile device. Establishing the proper bandwidth prioritization an access/communication controls can also be a tedious undertaking.

However, perhaps the biggest BYOD inhibitor for IT is time. “With EHR Meaningful Use, ICD-10, and other high-level technology initiatives, health IT resources are limited,” says Bob Nilsson, director of healthcare solutions marketing for Enterasys, a wireless network and security company. “Establishing an airtight BYOD policy isn’t necessarily the highest priority to IT executives. Also, since improperly engaging in BYOD could potentially result in data breach or network collapse, many healthcare facilities opt not to engage in BYOD activity.”

BYOD Success Hinges On The Right Plan & Technologies

There is a perception among health IT executives that BYOD is a risky, complex, and costly undertaking. It doesn’t have to be. In fact, if implemented correctly, a BYOD approach to healthcare mobility can be just as secure (or even more secure) than a centralized approach. Furthermore, BYOD has the potential to save your healthcare facility thousands of dollars in mobile device costs annually. A successful BYOD undertaking all starts with a full understanding of mobile device management and administration.

According to Rob Shaughnessy, CTO of Circadence, a network optimization company, there are three key elements to mobile device administration:

  1. Security — Data at rest and data in motion should both be properly secured. In other words, the tablet or smartphone itself should be encrypted and only connect to enterprise systems over an encrypted VPN (virtual private network). Also, no data should be stored on the mobile device itself. Instead, virtualization technologies should be leveraged to provide a mobile connection to enterprise systems without the physical transfer of data between device and network. Lastly, all mobile devices need to be equipped with data wiping software that can be activated by IT in case a device is lost or stolen.
  2. Access Controls — It’s one thing to establish a secure network connection, it’s another to verify the identity of a user and ensure they are authorized to access the systems they are attempting to access. Establishing proper user certification and authentication protocols is crucial to ensuring health data doesn’t fall into the wrong hands.
  3. Data Delivery — Lastly, your mobile environment must be optimized to provide granular control over what traffic is flowing to a mobile device and how that traffic is prioritized. In other words, you need to be able to ensure a physician trying to access a patient’s medical record via a tablet is granted a higher level of bandwidth than a guest in the waiting room watching YouTube videos. Furthermore, you need to ensure that the data accessed by the physician can be intercepted or communicated to other mobile device users on the network.

The mobile device administration efforts outlined above involve a lot of moving parts. If you were to try and address each facet as an individual initiative, then BYOD could quickly consume IT resources. Luckily, technologies exist that can help streamline many of these mobile device management efforts for IT departments. Enterasys’ Mobile IAM (Identity and Access Manager) appliance, Circadence’s MVO For Mobile solution, and MaaS360 by Fiberlink are a few examples.

Enterasys’ Mobile IAM is a physical or virtual appliance designed to provide a BYOD solution complete with security, IT control, and a predictable network experience for all users. It provides controlled network and system access based on the user, location, device, and application. It also provides features such as multi-level device profiling, context-based policy management, and integrated authentication services. Similarly, Circadence’s MVO For Mobile solution is a WAN optimization solution that streamlines secure data delivery to all iOS, Android, and Windows mobile devices. MaaS360 by Fiberlink is a cloud-based mobile device management application that allows IT departments to monitor and control an expanding world of mobile devices and operating systems.   

All of these solutions can help provide IT with complete visibility into the different mobile devices on the network from a centralized dashboard. These technologies can also facilitate the prioritization of bandwidth to medical personnel accessing mission-critical data. Furthermore, these solutions can streamline device maintenance and management overall. For example, applications and software updates can be automatically pushed to all mobile devices on the network using any one of these products. Most importantly, these solutions can ensure the mobile devices that access your network are properly configured and secure before they can access any data.

“A hospital can configure our Mobile IAM device to ensure that any mobile device trying to access the hospital network has the proper encryption and most up-to-date version antivirus/anti-malware software installed on it,” says Ram Appalaraju, VP of marketing for Enterasys. “If a mobile device does not meet these requirements, the user is not granted access to the network or its systems. This provides an added layer of security and control to ensure the network and its data are protected.”

Healthcare Organizations See Big Benefits With BYOD

A solid roadmap and technology offering may paint a promising picture for BYOD, but the real proof of concept comes from the healthcare organizations that have successfully implemented and are benefitting from a BYOD approach to mobility. Western Maryland Health System (WMHS) is one of these organizations. About a year ago, WMHS started getting requests from its affiliated physicians for the ability to access their individual ambulatory EMR systems from within hospital when they were on site doing follow-up assessments on their patients.

“Our affiliated physician groups leveraged four or five different ambulatory EMR systems,” says Bill Byers, CIO of WHMS. “There was no way we could provide physicians with secure access to all of these systems on our hospital PCs. If VPN connections were required, we couldn’t really accommodate everyone.”

Rather than dismiss the request, executives at WMHS opted for a BYOD Wi-Fi solution to the problem. WHMS implemented a Citrix XenServer and Enterasys Mobile IAM device to provide physicians with remote access to their EMRs using whatever mobile device they brought to the hospital with them (e.g. iPads, iPhones, Droids, laptops, etc.). Using the Citrix XenServer, visiting physicians can go to a website, log into their ambulatory EMR system, and have secure remote access to all the patient data stored within that system. For example, specialists and PCPs can see their complete medical history of the hospitalized patient and compare that to the data contained in the hospital EMR. This allows the physician to make a more informed clinical decision regarding the follow-up care of the patient.

For WHMS, BYOD wasn’t a necessary evil, but the best solution to a complicated data access problem. Another healthcare organization with a similar BYOD experience is Resources For Human Development (RHD), a nonprofit social service organization based in Philadelphia. For RHD, BYOD was a necessity to control costs. Historically, RHD issued mobile devices to its employees (e.g. clinicians, executives, psychiatrists, psychologists, etc.) to access corporate systems such as email and EHRs. The organization performed an internal survey and discovered that 1) more than 90% of its employees regularly carried their personal smartphones or tablet devices to work with them, and 2) most disliked having to carry both a corporate and personal device.

As a result, RHD embarked on an initiative that would allow employees to access corporate systems on their personal mobile devices. Central to RHD’s BYOD solution was MaaS360 by Fiberlink. This software helped provide a clear distinction between personal and corporate applications – ensuring secure access to corporate assets without prying into the user’s personal activity. The software only provides IT with control over policy-related controls and applications. For example, it provides IT with remote data wiping and universal corporate application administration privileges. To encourage user adoption, RHD offers its employees a $30 a month stipend to use their personal mobile devices on the job. This stipend helps offset the monthly cellphone charges they would be incurring anyway, and is less than half of the $65 monthly charge RHD was paying for each corporate issued smartphone. In return for this stipend, users must agree to have the MaaS360 application installed on their device and adhere to RHD’s device encryption policies. Overall, the solution has been a hit with RHD employees, and has helped save the organization thousands of dollars in mobile device costs.

For Endre Walls, CTO of RHD, the BYOD solution simply made the most sense. “Many health IT leaders fear BYOD because they believe it is less secure than centralized approaches to mobility,” he says. “One thing I’ve learned in my years in the industry is just because your mobile infrastructure is centralized, doesn’t necessarily mean the data is secure. In actuality, centralized environments can create more significant security issues if your centralized controls aren’t as strong as you think they are. For example, users of corporate-issued devices may forward work emails to their personal devices if the proper security protocols aren’t in place. A BYOD approach to mobility can be just as secure as a centralized approach, and it has definitely proved to be the best option for our organization.”