By Dave Schuette
The bring-your-own-device (BYOD) revolution within today’s enterprises is nothing new, although the complexity of the revolution and its implications within the average business still evolve in a variety of ways. Since 2009, the BYOD movement has helped businesses in all industries cut hardware and software costs. Yet in many cases, it has caused massive headaches for IT teams to secure the way employees access sensitive information from both inside and outside the physical workplace. Even more recently, the proliferation of the Internet of Things (IoT) brings a variety of devices and trackers to the enterprise, introducing greater opportunity for the revolution to evolve. Still, with great opportunity comes great responsibility.
When it comes to BYOD, enterprises in heavily regulated industries, such as health care, must comply with more stringent regulations than ever before. Unfortunately, the BYOD revolution is even more complex in these instances. According to a 2015 study published in the Journal of Hospital Librarianship, roughly 85% of health care professionals bring their own devices to work to utilize their company’s IT network and software.
Clinicians securely access electronic health records (EHRs) from BYOD or hospital-owned devices on a daily basis. For example, a nurse with her own smartphone may discuss patient information with a colleague at one moment (read: a HIPAA red flag) and check a personal e-mail the next. Although seemingly innocent on the surface, this workflow results in IT headaches. It doesn’t matter if we’re referring to a 1,000-bed hospital or a single practitioner’s office, the parameters for BYOD are the same. No matter who owns the device, the hospital or practice is responsible for the data on it and how it’s used. If there’s a liability, the hospital or practice is ultimately accountable.
The financial ramifications alone give hospital chief information officers (CIOs) pause. HIPAA regulations place tighter controls over protected health information, with a hefty penalty of $1.5 million per data breach per incident. In addition to potential fines, data breaches involving lost or stolen smartphones and tablets that contain patient data would require a hospital to notify each patient involved, a costly and labor-intensive task. Other regulations include the 2009 Health Information Technology for Economic and Clinical Health Act and the Federated Identity, Credential, and Access Management—just to name a couple.
Beyond the IT Headache
Given all the regulations, why doesn’t the health care industry banish the BYOD revolution and restrict access to company data with personal devices? The answer is simple: employee productivity and collaboration. Secure applications that support mobile workflows in the workplace enable employees to work faster, provide better service, and make smarter decisions. A survey titled The Financial Impact of BYOD, conducted by Cisco Internet Business Solutions Group, found that the average BYOD user saves between 37 and 81 minutes per week, thanks to using his or her own device in the workplace.
The benefits of BYOD extend beyond productivity as well. A 2015 Spok survey also found that most hospitals that allowed BYOD did so to promote easier communication among members of a care team (52%). Other reasons why it was allowed include workflow time-savings for users (46%), cost savings (40%), response to physician demand (38%), and greater access to patient information (35%).
The problem therein lies with today’s mobility solutions falling flat rather than the BYOD revolution in hospitals. Today’s enterprise mobility management solutions serve simple device management purposes, but they aren’t advanced enough to meet evolving security and productivity needs of hospitals, physicians, and administrators. In fact, a BMC Medicine study recently found that 20% of analyzed health-driven applications did not have a security policy in place, while 66% lacked encryption when transmitting data over the Internet.
To put this into perspective, imagine a physician that sees eight to 10 patients per day, performs surgeries, advises nurses, and takes care of minor administrative responsibilities. He or she rarely spends more than 6 minutes with each patient. This allows minimal time to worry if his or her device authentication is going to work to access the appropriate patient file.
Alternatively, research states that nurses spend approximately 2.5 hours per shift on documentation activities likely indicating mobile usage with electronic medical records (EMR). Two and a half hours of a shift inputting patient data that is not secure could result in a massive problem for the hospital or clinic. We need next-generation mobility solutions to keep patient data secure and employees more productive.
The Next Wave of Mobile Productivity
The mobility solution for hospitals and health care clinics must have a few key ingredients for a successful recipe. All in all, they need to contain an outstanding user experience, be secure, and help employees work productively.
Security: A 2016 endpoint security survey from The SANS Institute found that desktops and laptops were the most compromised endpoint types in a wide range of organizations, from small businesses to large enterprises. Mobile devices, both employee and employer-owned, were also featured prominently, while the most common type of data breach was of login and access credentials, which are commonly found on client devices, and are the gateway to more valuable resources on the network. Hospital data must be encrypted on the device and across the company’s network. IT should start by focusing on:
- Enabling employees to create and share files securely, removing the temptation to use insecure webmail and free cloud file-sharing services
- Two-factor authentication, which helps to prevent breaches from lost or stolen passwords
- Automatically detecting devices that present a security risk because they have been jailbroken, and blocking access from these devices
- Detecting anomalous behavior, such as a single-user’s tablet and phone being used from different locations, and then automatically blocking access until the user has verified his or her identity
Excellent User Experience: Health care professionals should focus on making sure the hospital is running smoothly. Between EMRs and updates like ICD-10, they pull out their hair with complex technology solutions. The same goes for physician organizations and clinics. Mobile solutions must, therefore, be seamless in the following ways:
- Speed: Even the largest e-mail inboxes and contact lists should load as fast or faster than they do in native apps.
- Feature parity with native apps: Hospital employees want to be able to use the built-in device camera for work, use Siri and Google Voice, and attach documents to calendar invites. Let there be integration!
- Not altering the experience with personal apps: Hospital staff should be able to use the device exactly the way they would if the device were not also used for work. For example, corporate password policies should apply only when the device is being used for work.
Productivity Applications
Productivity means more than saving time. Rather, there should be access to an employee’s personal and professional personas across the device. Developed to meet today’s demands for BYOD, dual-persona solutions provide more power, choice, and convenience to the device owner, while helping to protect the corporate workspace. This integration should be seen through baseline applications, such as e-mail, calendars, contacts, notes, soft token distribution, and browsing. Employees also need a secure way to access, create, edit, and share documents—the foundation of workflows in regulated industries.
To conclude, hospital CIOs must recognize that employee-owned smartphones and tablets contribute to productivity and, in turn, better patient care. In the age of IoT devices, the benefits of medical device connectivity cannot be overlooked for the average network, and quality and safety must be preserved. While ensuring the network and its corresponding devices on the front end may take expertise and time to find the right mobile solution, the benefits will far outweigh the initial investment.
Dave Schuette is executive vice president and president of the enterprise business unit at Synchronoss.
