While BYOD was thought to have begun around the same time that patients started bringing their smartphones into the hospital, its relevance is driven by doctors who have their own preference for devices.
Back in the “good old days,” when doctors were in charge and patients … weren’t, the cellphone was about as welcome in the hospital as a flea-infested rat with a short temper. Paper and pagers were the order of the day for communicating and accessing information.
Now, mobile devices are commonplace, in many places the standard. And health system executives and IT departments are grappling with the challenges of controlling them.
“I think BYOD is a huge benefit to the healthcare space for a number of reasons,” Gerard Nussbaum, director of Technology Services for the Kurt Salmon global management consulting firm, explained in a November 2015 interview with mHealthIntelligence.com.
“One: it acknowledges the fact that people are going to bring their own device and seek to use them in their work, as well as their personal life,” he said. “Two: healthcare providers can’t really afford to give everyone who would benefit from a device a device. So having the physician on the medical staff or an employee use their own device can provide access to mobile tools to people who might otherwise not be able to benefit from mobile tools.”
Provider perspectives on BYOD
As health systems began assessing the mobile device landscape, they generally fell into two categories — those supporting BYOD and those rejecting privately-owned and managed devices. In the latter instance, health systems partnered with vendors to put an enterprise device in the hands of everyone on the campus who needs one. Such devices allow for specific functions, such as communications, data access and sharing and perhaps barcode scanning. But their reach is limited to the health system’s physical footprint, the device never leaves the facility and it can be locked and wiped clean of data at a moment’s notice.
This concept worked great with nurses and support staff but it didn’t sit well with doctors, many of whom had their own office hours, moved from building to building, collaborated with specialists in other locations and worked at home. In many cases they’d adapted their own devices and were intent on using them at the hospital. In fact, a 2015 study published in the Journal of Hospital Librarianship estimated that 85 percent of healthcare professionals were bringing their own devices to work.
This, of course, created issues with privacy and security. A doctor with his own smartphone might be discussing patient information with a colleague one moment — a clear HIPAA red flag — and checking his Facebook page or discussing dinner plans with his partner the next. In extreme cases, a doctor might even snap a quick photo of a curious rash or wound to share with a colleague or specialist, then have that photo saved in a queue alongside family photos.
The result was a nightmare for IT departments, and a headache for health system executives looking to protect data, improve care coordination via mobile devices and keep staff and patients happy. Many a C-suite executive has stories of doctors and nurses designing work-arounds that bypass safety and security protocols, or simply using their devices in defiance of HIPAA standards.
Provider approaches to BYOD
Some health systems have adopted the sandbox approach. They set up cloud-based data storage, and created a network for mobile device apps and functions that could operate within that network. They then built a wall around that network, and established security protocols for mobile devices to access that network. In this fashion a doctor could enter the hospital, use his smartphone or tablet to access the hospital’s network, do his stuff within that protected environment, then leave the network and check out what the kids are doing on Instagram or order tickets for tonight’s ball game.
By the same token, a patient or family member could access the hospital’s patient portal for information and resources, such as scheduling and accessing test results, without interfering with clinical services. And a maintenance person or staff member in the cafeteria or laundry could access certain services while being steered clear of other portals.
In some cases, health systems are creating virtual sandboxes that can be installed on a mobile device, segmenting apps that deal with patient data so that they require extra authentication to access. Those apps can also be wiped clean in the event the device is lost or stolen or the user changes jobs.
As mobile devices and mHealth platforms proliferate, many health systems are taking a new approach to BYOD. They’re adopting mobile communications platforms that put enterprise devices in the hands of staff who need them on-site, and using apps to connect clinicians and patients who prefer to use their own devices. All sensitive information is stored in a secure, cloud-based repository, and that data does not rest on any device — enterprise or private.
BYOD and the Internet of Things
While this may seem like a complex arrangement, it’s nothing compared to the healthcare ecosystem of the future. No longer does BYOD relate to just the smartphone, laptop or tablet. With the Internet of Things (IoT) sitting on the doorstep — literally — health and wellness data can now be captured, measured and shared from wearables, home-based devices, enhanced appliances, beds, chairs, toilets, showers, even vehicles and structures.
“The IoT now penetrates to the edge of the physical world and brings an important new ‘physical’ element to security concerns. This is especially true as billions of things begin transporting data,” Ganesh Ramamoorthy, a research vice president at Gartner, said in a 2015 press release. “The IoT redefines security by expanding the scope of responsibility into new platforms, services and directions. Moving forward, enterprises should consider reshaping IT or cybersecurity strategies to incorporate known digital business goals and seek participation in digital business strategy and planning.”
“Ultimately, the requirements for securing the IoT will be complex, forcing CISOs to use a blend of approaches from mobile and cloud architectures, combined with industrial control, automation and physical security,” he said. “However CISOs will find that, even though there may be complexity that is introduced by the scale of the IoT use case, the core principles of data, application, network, systems and hardware security are still applicable.”
Security considerations aside, health systems will have to configure their medical records platforms to accept information from any number of mobile devices, and to develop a means of parsing that data for validity and accuracy. While the industry has been slow to jump on the consumer-facing wearables bandwagon for just that reason, most experts expect that it’ll only be a matter of time before the fitness wearables and smartwatches start generating data that clinicians want and need.
Likewise, a growing number of connected devices and wearables are generating medical-grade data, independent of any interference from the user. That data already has value to the clinician, if it can be integrated with health records.
So as the BYOD phenomenon evolves, health systems today and in the future must tailor their strategies to accept and protect data. After all, today’s smartphone may very well be tomorrow’s smartglasses or next week’s tricorder.
This article was originally published on June 24, 2016.