VA Mulls BYOD Legal Issues

Mobile Device Management System Slowly Rolled Out

The Department of Veterans Affairs is slowly pushing forward with an enterprisewide mobile device management system implementation in anticipation of eventually using many more mobile devices. But it won't proceed with allowing employees to use personally-owned mobile devices for their VA work until important legal questions are tackled, says Stephen Warren, interim CIO.

"We have a large legal issue that we're still coming to grips with, and I don't have good clarity yet," Warren said in the first monthly CIO media briefing since the departure on March 8 of Roger Baker, who resigned (see: VA CIO Roger Baker Resigning).

Back in 2011, Baker described plans for accommodating the use of 100,000 mobile devices, including a mix of personally-owned and VA-issued gear, within 18 months as the agency started phasing out desktop devices to cut costs (see: VA CIO: Personally Owned Devices OK).

But the VA modified that strategy last fall, with plans focused on potentially supporting as many as 30,000 mostly government-owned devices within three years (see: VA Revamps Mobile Device Plan).

Warren offered an example of the legal questions involved in BYOD: "If I have a personal device ... and we have BYOD capabilities turned on, and ... the inspector general [office] decides they're really interested in what I've been doing, do they get to take my personal device ... and with a subpoena ... do they get access to only VA information ... or also personal information?"

The VA also is looking to other federal agencies that are piloting BYOD, including Homeland Security, for guidance, as well as the Federal CIO Council, which has been investigating BYOD issues, he says.

Mobile Device Management

The VA's new MDM system, which eventually will be used enterprisewide, is now in pilot mode, with about 500 VA-issued iPads and some other mobile devices being tested, Warren says. The iPads are equipped with clinical care applications.

The department sees the MDM system as essential to security as it ramps up use of mobile devices. Core security capabilities of the system include the ability to manage passwords and encryption and remotely wipe data, such as e-mail messages, if a device is lost. Also, the MDM's inventory management capabilities will allow the VA to keep track of where a device is used.

The VA is still working out a game plan for shifting VA employees using desktop PCs and laptops to other mobile devices, such as tablets, Warren says. It's also examining the issue of software licensing costs for applications and connectivity used on the mobile devices.

Eventually, VA staff will use only one computing device for care delivery or other tasks, Warren explains. "We're on the path that you don't get [multiple] have to whittle it down."

Other Projects

Another major project under way at the VA is the long-awaited integrated electronic health record system with the Department of Defense.

The VA and DoD in February announced a change in strategy for building an integrated EHR. They scrapped plans to build from scratch a joint EHR system. Instead, they will rely on interoperability and real-time, secure data exchange between the two core EHR systems to cut costs (see: VA, DoD Accelerate Secure EHR Project).

As it makes plans to replace its core EHR system, the DoD expects to decide soon whether it will use the VA's VistA system as a starting point or another system. "We have a world class tool [with VistA]," Warren says. "But at the end of the day, DoD needs to decide what it will support."

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.
