In the article Mr. Ho cites a recent survey by Aruba Networks. According to the survey, 85 percent of facilities support their physicians' and staffs use of personal devices at work. By supporting this use, hospital employees and clinicians can:
- check their personal email accounts
- their work email
- review electronic medical records
- check drug interaction information
- use mobile secure file transfer apps to view lab results or radiology images
- provide signature approval on a treatment decision
- make practitioners more accessible and connected
These changes to technology in the healthcare industry and its mobility, leave IT departments with two questions to address.
- How can we best integrate personal devices while still maintaining our existing security policies.
- How do we support healthcare professionals who bring their own device into various medical settings while still maintaining the security and confidentiality of personal health information.
- Rogue applications installed by the clinician or other staff that could potentially access Personal Health Information (PHI) because their devices are now tied to the facilities network.
- Addressing the dual-use (personal, work) nature of mobile devices and tendency particularly for personal devices to eschew levels of security in favor of ease of use, simplicity and quick access.
- Shutting off access to synchronization type apps like Dropbox until there's a way to manage them with centralized control, granular permissioning and integration with established authentication services.
2. Determine which devices you are willing to support — not all devices meet the security requirements of your healthcare organization, nor do you want to have to test all possible platforms. Also, physically inspect each device and make sure it hasn't been jailbroken or rooted.
3. Set expectations clearly. IT may have to radically change physicians' mindsets. Yes, security adds additional layers to wade through, but what amazing challenges would a security breach cause?
5. Make a personal identification number, or other client authentication, mandatory. This hampers ease of use, but is the first line of defense against a lost device.
6. Enforce encryption of data at rest; any apps that download and store data on the device should protect that data. If a PIN or passcode is cracked, you want to make sure that data is still protected.
7. With hundreds of thousands of apps available, which will you permit? Are there any specific applications or class of applications you want to keep off the device? This can be hard to do, but malware and rogue apps can do serious damage without users realizing it.
8. Provide training to physicians and hospital staff to make sure they understand how to correctly use their applications, make the most of their mobile capabilities and watch for suspicious activity. Once you've embraced BYOD, promote it.
9. As mobile devices become conduits for information to flow, look for apps that include auditability, reporting and centralized management. Many current apps will not have this feature, but those that do will make it easier to trace back any potential breaches.
10. Consider mobile device management software that can provide secure client applications like email and web browsers, over the air device application distribution, configuration, monitoring and remote wipe capability. Note that some MDM providers require applications to be re-written specifically to support their platform, so you may find some of your applications will not run in the MDM solution you pick.
As a way of expanding on Mr. Ho's 10th point. I would encourage you that rather than investing in multiple different apps all created by unknown parties, that you strongly identify the benefits you most need in your enterprise mobile apps and utilize a platform and development team like http://www.snappii.com where you can either design your apps yourself, or we can work with your IT department to help you ensure the proper data is available for the specific apps that need it, but also ensure is designed to complement your existing IT security protocols.
If you have more questions on enterprise mobile app development for use in a medical environment as part of BYOD policies, while continuing to maintain, HIPPA and PHI compliance, don't hesitate to send me an email.