BYOD (Bring Your Own Device)
It's about the user … then the device.
By Michael Rice, February 2013
Healthcare organizations are struggling to satisfy the demands of clinicians and other healthcare workers who want to use their device of choice to perform work and access personal and confidential protected health information (PHI). Regardless of whether these devices are employee owned (bring your own device, or BYOD) or corporately owned, personally enabled (COPE), employees want a simplified approach to working digitally that saves them time and doesn’t require them to carry multiple devices for personal or work use.
It’s a balance for IT, and one that is difficult to strike when you consider that healthcare is a highly regulated space with precise compliance requirements (HIPAA, HITECH, etc.). IT must follow strict protocols when reportable data breaches occur, such as unauthorized access of data (patient, payment and employee), and must also deal with email security and the criminal activity that may follow a security breach.
Although the user may be able to select a work device, ultimately it will be up to IT to ensure the sensitive patient and healthcare data it contains is secured and risk is minimized.
It’s the responsibility of IT to develop a mobility strategy. If the focus is purely on management and security, the list of supported devices may consist of, for example, a PC and a BlackBerry. But in today’s BYOD/COPE environment, the user has a vote, which means that IT must support a much longer list of form factors and operating systems. Typical use cases are driven by the needs of users to access patient data quickly and easily – on site and remotely via their device of choice.
But the expansion of healthcare IT beyond a single type of computer and smartphone device cannot be attributed to the whims of the end user. Instead, it’s a reflection of the fundamental changes that have occurred within healthcare as a business.
In the past decade, healthcare has been redefined as a result of business decisions based on safety, patient care, profitability and efficiencies. Government is pushing healthcare out of the hospital and into the home, where patients are more comfortable and the costs of treating them are typically 50 percent less.
One of the fastest growing segments in healthcare is alternative care, which includes infusion clinics, homecare and visiting nurses. Even the traditional model of healthcare has undergone technical transformation, with many organizations transitioning from pagers to smartphones, tablets and other devices.
So healthcare has gone mobile, and if IT is going to properly secure and manage the endpoint (and the protected health information, or PHI, it contains), then it needs to build a mobility strategy based on the needs of the user.
Effective mobility programs don’t focus solely on the hardware and related security. Instead, they focus on the end user, in particular how the device will be used and how it can create efficiencies in the employee’s day-to-day work.
A clinician may need to access patient data on his iPad while doing rounds on the hospital floor. Visiting nurses may need to input and upload patient data using an ultra-portable device while they are on the road. If IT limits the types of devices available to these employees, then it’s likely the employees will be limited in how well they can perform their work.
On the other end of the spectrum are healthcare employees who do not require access to sensitive information and pose a low risk to IT. With differing levels of service and security, healthcare mobility policies must be built based on users, not devices, since it’s the users who will determine the type of work that’s done, the data that’s accessed and the efficiencies they can ultimately deliver to the business.
A successful mobility strategy will accommodate the perspectives of both IT and the end user, regardless of whether the environment is COPE, BYOD, or a mix. If users are properly supported, and access to data is effectively managed, the device is simply the result of the program. By understanding how the employee will use the device, IT will be able to determine the details of the strategy, including individual credentials, permissions, appropriate configuration profiles and acceptable protocols in the event of a security incident. Once users are satisfied, it will be easier for IT to control sensitive healthcare data while providing employees with the flexibility they need to do their jobs well and efficiently.
Once IT has identified its user-centric mobility strategy, choosing the appropriate technology to support it is imperative. Look for a mobile device management (MDM) solution that allows for multiple user profiles and groups, secure document sharing and distribution, and automated security protocols to lock and wipe at-risk devices.
About the Author
Michael Rice is healthcare business development manager at Absolute Software. For more on Absolute Software: www.rsleads.com/302ht-201