BYOD PerspectivesSecurity, IT Leaders Share Mobile Strategies
While some organizations are actively rolling out formal privacy and security policies for personal mobile devices used by their employees, others are just dipping their toes in the bring-your-own-device movement.
Kaiser Permanente, one of the nation's largest health plans, is trying to figure out the best and most secure way to allow clinicians to bring their own mobile devices to work. Currently, physicians are only allowed to use institution-issued mobile devices for patient care, said Jason Zellmer, Kaiser Permanente executive director of technology risk management, during a Dec. 13 panel discussion at the HIMSS Privacy and Security Forum in Boston.
"We do not allow personal devices" Zellmer says. But that doesn't mean Kaiser Permanente will not eventually allow BYOD.
"It's impossible not to have a BYOD policy," Zellmer says. And while the current policy for Kaiser Permanente staff is "don't do it," the organization is examining how to allow secure BYOD.
In addition to Zellmer, the HIMSS mobile security session featured other healthcare panelists who offered tips on how they are currently handling BYOD policies, including the use of desktop virtualization, email filters, and encryption.
Planning for BYOD
"We're piloting a lot of stuff" to see what doctors want to do with their own mobile devices, ranging from laptops and tablets to smartphones, says Zellmer.
Productivity is one driver for BYOD. "Doctors want to use their mobile devices to catch up with work when standing in line for a few minutes" he says.
But while healthcare professionals might be clamoring to use their personal mobile devices for work, serious security issues must be weighed. Among the concerns: communication or storage of unencrypted data, loss or theft of devices, and the risks inherent in third-party mobile applications.
Besides security issues, there are other possible drawbacks to the proliferation of clinicians using their own mobile devices for work, Zellmer says. These include disputes about whether people should be paid for the work they perform using their own mobile devices. "Some people have sued organizations because they feel mobile devices mean they have to work extra hours. There are work-life balance issues," he says.
In contrast to physicians, Kaiser Permanente patients can use their own personal iPhone and Android mobile devices to view their personal electronic health records and securely send emails to their clinicians, via a Kaiser Permanente's portal. "We're actively pushing our portal solution to patients, customers," Zellmer says. The onus is on those individuals protecting personal data they have on their own mobile devices, he says.
Looking ahead, Kaiser Permanente is keeping an eye open on robust mobile management device systems that will allow the organization to better control institution-issued devices as well as BYOD. "The mobile device management space is growing," Zellmer says. In addition, Kaiser Permanente is considering ways to bolster security for user authentication and access, as well. "We're watching biometrics heavily," he says. One consideration is cost advantages to using biometrics versus token-based authentication.
From a policy standpoint at Kaiser Permanente, no protected health information can be sent unencrypted and must stay in the network, Zellmer says. While standard, unsecured texting on smartphones between clinicians and doctors is not permitted, it still happens, he allows. "People ignore company policy; we're looking around to find more secure communication," he says. Kaiser Permanente uses secure email for patient and doctor communication, he says. (see: Secure Texting In Healthcare.)
Other Approaches, Lessons Learned
While Kaiser Permanente is taking a slow approach to embracing BYOD for employees, Children's Hospital Central California has a mobile strategy that started in 2011 and involves virtualized desktops, says Kirk Larson, the hospital's VP and CIO. "If your device can download the client [software], you can access client applications" via the virtual desktop, he said during the panel. However, data can only be viewed - not manipulated or stored.
The primary device that's issued to users at the hospital are PCs, not mobile devices. "With BYOD, what we support is connecting you, not the device itself," says Larson. Email is encrypted. "If someone tries to email PHI, we have tools that detect PHI, and it gets picked up in the filter he says. "When people use their [mobile device], no PHI is on the device," he says.
At Franklin Community Health Network, based in the rural Maine community of Farmington, employees can also use their personal mobile devices to view applications via virtualized desktops, but data cannot get stored on the devices. Email is also encrypted. "I can't afford to buy devices" to be issued to clinicians, says Franklin Community Health CIO Ralph Johnson. "We allow devices to connect to guest network, but they don't go directly on the [corporate] network," he says.
As for other ways of controlling which applications mobile users can use in healthcare environments, Zellmer says Kaiser Permanente is looking into having an internal apps store to ensure the integrity of applications downloaded on mobile devices. However, Johnson and Larson say that option is not on their radar screens.
While a virtual desktop environment can allow users to view legacy apps, "a lot of apps aren't designed for mobile," says Larson. "A lot of vendors need to catch up," in making their applications mobile-friendly, he says. Johnson says his organization has one legacy app that won't run on mobile devices, and he has no plans to customize the software. "I'm not adapting apps for BYOD," he says.
Similarly, Children's Hospital does not have an in-house staff to develop mobile apps. "Mobile device apps are good for viewing data, but not for entering data, says Larson. Mobile devices for some clinical users, such as dieticians, is more appropriate. "But for those that enter a lot of data, mobile is not so good," he says.
When developing a BYOD strategy, security leaders must engage clinicians, says Larson. That's because if they're involved from the get-go, clinicians are more likely to buy into the finished policies. "Leverage the medical staff," he says. "When end users are active participants, it helps move the policy along."