BYOD (Bring Your Own Device)
Healthcare records – keeping tabs
Addressing security, integration and operating system choices.
By Matt Peacock, Publisher, December 2013
The push to document all health records electronically is good news for the tablet computing market. It is no secret that tablets are replacing paper and manual processes, and are used for various multimedia needs. The devices have easily assimilated into our personal lives, offering something to every demographic.
The healthcare sector is beginning to see the value of tablets in its industry, and the drive to maximize their potential has begun. As with anything in the healthcare industry, the complications, regulations, and variations make issues such as access, data exchange, and interoperability a bit harder than sitting down for a stimulating game of Angry Birds.
To better understand some of the obstacles and lessons learned when it comes to using tablets in healthcare, HMT reached out to both users and manufacturers to offer some insight. Several key concerns came to mind, including security, networking, cost, integration, virus prevention, and support.
Green Clinic Health Systems (GCHS) in north central Louisiana uses an end-to-end mobile security strategy solution from Dell Software. Comprised of approximately 450 employees, including more than 50 physicians, GCHS delivers a full range of critical and ancillary health services from a leading surgical hospital, community clinic, and six satellite locations. We asked Jason Thomas, CIO and IT director, GCHS, to explain how his organization has successfully integrated tablet computing into its workflows and processes.
Which devices are approved for BYOD (bring your own device)? What tablet do you use?
This question brings up a lot of concerns for healthcare providers. How does an organization deal with the complexities of employees using their own devices?
“We will do our best to support whatever walks in the door, provided it can meet our minimum requirements to ensure HIPAA compliance,” said Thomas. “The security of our patient data is paramount, so HIPAA drives everything when it comes to supporting/enabling BYOD in our organization.”
Regulations aside, security is also a huge issue when alien devices enter a secure environment. There is a tricky balance between accommodating staff and securing data. How does GCHS walk this fine line?
Thomas said you need to reach the middle zone.
“Devices must be able to be encrypted (memory card storage as well if it has a card slot),” said Thomas. “The screen must have a lock mechanism enabled, and we must have some way to report back on its status. Reporting back is generally accomplished via either a MDM (mobile device management) solution if it’s a mobile device or Active Directory/our encryption platform if it’s a full Windows workstation. Generally, the encryption and screen-lock requirements are enforced by those systems as well. We try to automate management as much as possible. iOS (iOS5 and above) and Android (v4 and above) support both requirements reliably out of the box and make up the bulk of our personally owned devices.”
Can they log into the hospital network, or do they have to use a guest network?
Many healthcare providers want to use their own device but find it challenging to select one that they personally want and that is also approved for work use. The easiest way Thomas helps his employees is by maintaining a list of approved devices and making it available to staff.
“This way, when they are out shopping for new devices, they know right away if it is something they can bring into the office if they want,” said Thomas. “If it’s not on the list, they know we will work with them on how to make it work for them. We can also point them to people that have that particular device so they can ask questions of an actual user.”
Once a device is selected, working through proper integration procedures is the next step. Accessing networks is a huge concern, since WiFi is just about everywhere now. Most applications that tablets run today need Internet or LAN access. Storing data on a server and accessing it via a network increases the security of the data but decreases the security of the network because more devices need to access it for longer periods of time. Thomas’ solution is simple and effective, combining the security benefits that each approved device has locally with up-to-date network security protocols.
“It’s part of our HIPAA security program,” Thomas said. “The actual EHR is accessed via a VDI [virtual desktop infrastructure] session or Terminal Server session, and patient data never touches the actual device. We gain the benefits of mobility and battery life, but the security advantages of data separation. We are currently about to start a pilot program for a native iPad EHR app and will have a PACS iPad app in place Q1 2014, so we’re shifting more towards ways to create secure containers on mobile devices since the access method is changing.”
“We have a guest network available for patients, but staff use our corporate WIFI and authenticate via 802.11x with their AD credentials,” Thomas explained. “This allows us to tie IP addresses to users and devices for management and reporting purposes. We run all traffic through a Dell SonicWall firewall and filter traffic for malware, content, and applications, both on the guest and corporate networks. Our networks are also monitored by Dell SecureWorks to add an additional set of eyes to our security. We don’t filter traffic to be harsh to employees. It’s primarily to make sure that streaming audio and video does not eat up all of our bandwidth and that patient information does not get sent outside of our organization insecurely.”
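The value of tying addresses to authenticated users shows up when an alert names only an IP address and a time. The sketch below is an added example, not GCHS's or Dell's tooling: it assumes the wireless infrastructure emits RADIUS accounting records carrying the standard `User-Name`, `Calling-Station-Id` and `Framed-IP-Address` attributes, and every record in it is constructed.

```python
from datetime import datetime

def rec(time, status, sid, user, mac, ip=None):
    """Build one accounting record using standard RADIUS attribute names."""
    r = {"time": time, "Acct-Status-Type": status, "Acct-Session-Id": sid,
         "User-Name": user, "Calling-Station-Id": mac}
    if ip:
        r["Framed-IP-Address"] = ip
    return r

# Constructed sample data: users, MACs and addresses are made up.
RECORDS = [
    rec("2013-12-02T08:01:10", "Start", "a1", "jdoe", "AA-BB-CC-00-00-01", "10.20.0.15"),
    rec("2013-12-02T09:30:00", "Stop", "a1", "jdoe", "AA-BB-CC-00-00-01", "10.20.0.15"),
    # Start arrives before the client has a lease; the IP shows up in an update.
    rec("2013-12-02T10:05:00", "Start", "b7", "asmith", "AA-BB-CC-00-00-02"),
    rec("2013-12-02T10:06:00", "Interim-Update", "b7", "asmith", "AA-BB-CC-00-00-02", "10.20.0.15"),
]

def build_sessions(records):
    """Fold Start / Interim-Update / Stop records into one interval per session."""
    sessions = {}
    for r in sorted(records, key=lambda x: x["time"]):
        ts = datetime.fromisoformat(r["time"])
        s = sessions.setdefault(r["Acct-Session-Id"], {
            "user": r["User-Name"], "mac": r["Calling-Station-Id"],
            "ip": None, "start": ts, "stop": None})
        # Keep the most recent address reported for this session.
        s["ip"] = r.get("Framed-IP-Address") or s["ip"]
        if r["Acct-Status-Type"] == "Stop":
            s["stop"] = ts
    return list(sessions.values())

def who_had_ip(sessions, ip, when):
    """Return (user, mac) for every session holding `ip` at time `when`.

    A session with no Stop record is treated as still open. Leases get reused,
    so the timestamp matters as much as the address.
    """
    ts = datetime.fromisoformat(when)
    return [(s["user"], s["mac"]) for s in sessions
            if s["ip"] == ip and s["start"] <= ts
            and (s["stop"] is None or ts <= s["stop"])]

SESSIONS = build_sessions(RECORDS)

if __name__ == "__main__":
    for when in ("2013-12-02T08:45:00", "2013-12-02T09:45:00", "2013-12-02T10:30:00"):
        print(when, who_had_ip(SESSIONS, "10.20.0.15", when))
```

The same address resolves to two different people depending on the time of the alert, and to nobody in the gap between sessions, which is why the lookup takes a timestamp rather than an address alone.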
Do you make employees sign an agreement allowing remote wiping of the device should it be lost?
It is not a question of if a device will go missing. It’s a question of when. While minimizing the amount of data stored on local devices is one solution, it is impossible to eliminate all of it. So what happens if a device is lost or stolen?
The main concern shifts from the actual device and focuses on the data. There are several third-party services available that claim they can track and help recover missing devices, but the data on the device should be the biggest concern. These third-party services also come at a cost. In 2011, the FBI concluded that just 12.7 percent of burglary cases were cleared. The popularity of mobile devices makes them a prime target, and once stolen they are typically off-loaded quickly. Device manufacturers realize this and are working to help minimize theft. Apple’s new iOS 7 requires users to enter their password in order to turn off the native Find My iPhone/iPad feature. This means that when a device is lifted, the crook cannot disable the GPS location feature without the user’s password. Remotely wiping the data is an excellent way to minimize stolen data. If the device is owned by an employee, the question of policy comes into play.
Thomas explained that GCHS’ BYOD policy allows the organization to wipe a missing device remotely. He also ensures that his IT staff trains employees on how to remotely wipe their devices. Actually showing employees what button to press to execute a remote data wipe increases the chances that they will actually do it. Just mentioning this feature is not nearly as effective.
How do you overcome the hurdles of interacting with EHRs and recording clinical notes on a tablet?
Tablets have come a long way since their conception. They now include keyboards, built-in cameras, and microphones, and can be comparable to a laptop or desktop in certain situations and configurations. But in a healthcare setting, are tablets enough to handle everything?
“We approach those two issues (interacting with and recording notes) by separating them,” Thomas said. “Our mobile devices are not intended at the moment to be complete replacements for full workstations, but rather a more flexible way of approaching care. They are displays with reduced weight and longer battery life, and most of our physicians and clinicians treat them as such. They navigate the electronic chart via touchscreen and pull up relevant information for the current patient visit. In some instances, they will perform some minimal documentation, such as issuing an e-Rx or an order, while other physicians choose to do more extensive documentation on the devices. It’s really a matter of physician comfort.
“Regardless of how they choose to interact with our EHR system, all physicians have been provided with a workstation in their office loaded with a voice recognition program to give them point-and-click, keyboard-based, and voice-based data entry options.”
Cost? Dollars-wise, what makes sense for your organization?
An upside of using a BYOD program is reduced cost and increased staff buy-in. If a staff member picks out his or her own piece of equipment and pays for it, IT departments can benefit greatly. Green Clinic Health Systems feels the benefits of BYOD outweigh the negatives.
“Right now our BYOD program is entirely staff driven, which is why we are very flexible with our support,” said Thomas. “Mobile devices aren’t that expensive nowadays, and we could roll out devices to the staff. But allowing end-users to pick their own device and use what they are most comfortable with gives them some buy-in and ownership in what they are doing. We did the massive ‘everyone gets the exact same laptop’ rollout already. It worked, but it’s very inflexible.
“One of the areas where we’ve seen cost savings is related to that original rollout. Here we are three years since that initial push, and it’s time to start replacing batteries and systems. But if a physician or staff member never unplugs or undocks their laptop and it never leaves their office because they have shifted over to their own iPad or Android tablet, I’m not faced with putting the money out there to keep that older system at 100 percent. Some of our physicians have gone the route of ultrabooks and/or wall-mounted all-in-one PCs in lieu of tablets. They’re happy because they have found a solution that matches their workflow, and I’m happy because they are invested in the equipment they’re using and are more willing to work with us when problems come up or changes are needed.”
Any words of wisdom for other IT directors in your same situation?
“Overall, I think the best and most useful security feature we ever put in was the use of 802.11x on our wireless network,” said Thomas. “Being able to not only see devices but see the users that have those devices has been incredibly helpful for spot checking and reporting. Dell SecureWorks has helped us out several times with end-users that try to connect an infected device to the network. Their notices to us contain the who, what, and where that we need to take fast action.”
“We don’t expect that a new tablet will be a complete replacement of everything that came before it,” Thomas said. “Don’t dump your office workstation in favor of an iPad/Android [or some other brand] tablet until you are certain the new device serves all of your needs. Some devices are better than others at certain tasks, and forcing one to do things it’s not good at is a recipe for frustration. It’s easy to get caught up in the hype of marketing, but take time to test those promises in the real world.”
Thomas also advised that, “If you’re doing a big deployment, look into a MDM solution. It can be easy to get confused and miss a step when you have repeated the same manual configuration action on 50 different tablets, but with a MDM you can be certain that it will be done the same way across every connected device. A MDM will also allow you to push out new configuration changes as regulations change and help keep you in compliance.”
And what about Windows 8? How does this newer (and sometimes controversial) OS hold up for tablets in healthcare?
HMT also wanted to know what effect Windows 8 is having on tablet computing in healthcare. For expertise in that area, we turned to Scott Thie, vice president, Healthcare and Education, Panasonic. Thie provided the following insight:
Tablets’ portability, flexibility, and ease of use have made them a great fit for health business applications of all kinds. In many cases, tablets are so attractive to users that many of them have not waited for their employers to issue them; they’ve brought their own personal devices to work. In other cases, healthcare providers have issued devices to their staff that are better suited for consumer use and lack critical security, durability, and functionality features. This has resulted in a fragmented IT management landscape consisting of myriad devices with different operating systems, security challenges, and support needs.
Recently, the technology industry has seen a shakeup that could play a large role in addressing this issue. Last fall, Microsoft released Windows 8, the most dramatic overhaul of its operating system since 1995. Offering a redesigned interface and several new features, the operating system is built for mobility, security, and manageability. And when paired with enterprise-class hardware, Windows 8 opens the door for healthcare providers to embrace the benefits of tablets, without sacrificing on security, functionality, and management capabilities. One of the most obvious benefits of Windows 8 is its redesigned metro interface. Built to take advantage of touchscreen technology, the interface offers enterprise professional users the fast and fluid efficiency and personalization found on today’s popular consumer devices. The operating system’s use of swipe, tap, and drag gestures allows users to easily switch between applications and multitask. While multitasking is a business reality, it’s a challenge for some tablet operating systems, potentially limiting worker productivity. The Windows 8 interface also includes live-updating tiles that can help business users retain situational awareness.
With the recent boom in mobile devices, many healthcare IT departments have been forced to integrate incoming tablets – with alternative operating systems and potential security risks – into legacy device management, security, and system integration structures. It can be difficult to securely and efficiently integrate mobile devices with newer operating systems like Android or iOS into a legacy Windows IT infrastructure, and this often puts healthcare administrators into a ‘troubleshooting’ mode instead of devoting their resources to ensure optimal patient care. With Windows 8, users have the ability to use the same operating system in desktop and tablet environments. Not only is the IT department supporting a single operating system, users benefit from a seamless and familiar operating environment across all their devices.
Security is a critical need in healthcare technology, and Windows 8 offers several features not found in many other tablet operating systems. Secure Boot, for example, is a boot-up process that helps prevent malware from running at startup. From an IT management perspective, a key benefit of Windows 8 is its ability to work with existing software and hardware. Many business-critical applications, especially in the healthcare segment, are designed to run on Windows. It’s also integrated into the enterprise in other ways, such as the many third-party cloud and software-as-a-service providers using Active Directory for identity management.
Equally important as the operating system is the right hardware. Purpose-built tablets, designed specifically for challenging environments, offer the durability, ease of use, and warranty support that healthcare providers require, without compromising on security or manageability.
Before investing in a tablet deployment, verify that the device will offer the features your care providers and healthcare facility demand. Something as simple as a user-replaceable battery, which many consumer devices lack, could be a potential life-saver for doctors and nurses remotely accessing critical patient data. In other cases, it may be as simple as a tablet with a daylight-viewable screen, which ensures a clinician can work efficiently regardless of lighting challenges. Some hospital workers may need a device that can be used with a digitizer pen for signature capture or an all-touch interface for easy manipulation of medical images or text.
The most common causes of mobile computer failures are drops and spills. These dangers are magnified for healthcare mobile workers. Tablets should be engineered to be rugged enough to withstand a fall to a hard surface, sealed to withstand spills and dust, and easily sanitized to help ensure reliable operation.
With computer hardware such as tablets, it’s also important to understand the difference between price and cost. Even at an enterprise level, it’s natural to gravitate toward the lowest sticker price. However, if that device has a high failure rate, hinders productivity, lacks enterprise-level support, or has a short standard warranty, it will end up costing more in the long run – not just in replacement costs but also labor costs, inefficiency, the loss of critical data, reduced patient satisfaction, and more. Think about products in terms of their total cost of ownership in order to get the most for your money.