Session 125: A Health IT Executive’s Guide To BYOD Management Ken Congdon, Editor In Chief, Healthcare Technology Online
Conflict of Interest Disclosure
Ken Congdon, BA Journalism
Has no real or apparent
conflicts of interest to report.
Learning Objectives
• Recognize potential BYOD challenges
• Propose policies and best practices to effectively
manage BYOD practices
• Justify the practice of BYOD in your healthcare
facility
• Evaluate technologies used for effective BYOD
management
The BYOD Ship Has Sailed
• 80% of physicians own
tablet devices
(HIMSS Health IT 2012)• 70% of smartphones belong
to users
(Forrester Research)• 65% of tablets belong to
users
(Forrester Research)• 59% of employees use
mobile devices to run line of
business applications
(SymantecThe BYOD Ship Has Sailed
• Employees driving the BYOD trend because:
– They want faster, newer, higher performing devices than their employer provides
– Need to access data from multiple locations (office, hospital, clinic, home, etc.)
IT Attitudes Toward BYOD
• IT concerns:
– Patient data security
– Virus/malware protection
– Software license management – Mobile Device
Management/Application Management
– Intellectual property protection – Loss prevention
IT Attitudes Toward BYOD
• Mobile malware rose 155% in 2011
(Juniper Mobile SecurityReport 2011)
• Draconian BYOD controls unlikely to work
– 37% of employees use noncompliant devices on corporate networks before formal permissions or
IT Attitudes Toward BYOD
• 85% of hospital IT departments allow doctors
and staff to use personal mobile devices at work
(2012 Aruba Networks Survey)
• 86% of hospitals have some kind of BYOD
policy in place/31% have full BYOD
(KLAS 2012 Report –Mobile Applications: Can Enterprise Vendors Keep Up?)
• 70% of hospitals use mobile devices to access
EHR data
(KLAS 2012 Report – Mobile Applications: Can Enterprise Vendors Keep Up?)IT Attitudes Toward BYOD
• In survey of our readership, Mobile/Tablet Computing ranked as our #4 health IT trend, yet BYOD
Management ranked #32
• 47.4% ranked Mobile/Tablet Computing a “Top Priority” or “Priority”
IT Attitudes Toward BYOD
• Only 9% of organizations are “fully aware of the
devices accessing their network
(2012 SANS Annual Mobile Security Survey)• Only 24% of personally-owned smartphones (21%
of tablets) can be remotely wiped
(Osterman Research)• Only 10% of personally owned smartphones (9% of
tablets) can be scanned for malware
(Osterman Research)• 29% of organizations do nothing to manage
BYOD Benefits
• When implemented
correctly, a BYOD strategy
can provide a healthcare
facility with several benefits:
– Employees are more efficient – Organizational costs can be
reduced
– Improved employee satisfaction
BYOD – A Winning Strategy
• Policies must be developed before it’s too late
• Interactions between internal systems and devices
must be secure
• It has to be easy to adopt and achieve compliance
• It must allow for coexistence of personal/corporate
functionality (apps and data)
• It must be capable of evolving with evolution of
devices
• Ownership and financial reimbursement must be
clear
BYOD Best Practices –
1. Policy Before Technology
• Policy outlines acceptable use • Should not be created in an IT
vacuum • Key considerations: – Device/OS support – Security measures – Compliance requirements – Application support
– Corporate system access – Personal privacy guidelines – Reimbursement strategy
BYOD Best Practices –
2. Secure Data End-To-End
• Strong BYOD security policies – ensure data security at the end point, middle, and data center
• Access controls/user certification
• Methods providers use to protect mobile data (KLAS Research 2012 Mobile Applications: Can Enterprise Vendors Keep Up?):
– Virtualization (52%) – Encryption (46%) – MDM Software (35%) – Limit Devices (12%) – Internal Cloud (11%) – Limit OS (6%) – External Cloud (5%)
BYOD Best Practices –
2. Secure Data End-To-End
• Limit corporate data/PHI that can be stored on mobile devices
• Disable moving emails
• Continuous device monitoring & alerts
– Unauthorized devices attempting to access network – Root/jailbroken devices
– Unsecure applications – Encryption enforcement
• All mobile devices must be able to be wiped remotely by an administrator
BYOD Best Practices –
3. Ensure User & IT Simplicity
• Enroll devices in bulk
– Basic authentication (e.g. Active Directory/LDAP) – New devices quarantined & IT notified
– Enrollment controls/customized user eligibility
• Application/update push
– Application server
• Embed self-service capabilities
BYOD Best Practices –
4. Separate Corporate & Personal Data
• Keep personal data personal:
– Personal emails, contacts, calendars – Application data
– Text messages
– Call history & voicemails – Personal photos & videos – Location indicators
• Let users know what data will be collected by
corporate and how it benefits them
BYOD Best Practices –
4. Separate Corporate & Personal Data
• Corporate apps, documents, data, etc. must be
protected by IT
• Use mobile synchronization software to push
settings to devices and enforce policies
• Provide ability to conduct “selective wipes” on
personal mobile devices
• Build employee trust while minimizing mobile
distractions
Potential BYOD Challenges
• Forced device encryption
• Keeping up with changing mobile device
ecosystem
• Implementing security protocols without affecting
the user experience
Technologies To Promote BYOD Success
• Wireless networking/VPN
• Encryption
• Virtualization
• Certification/Authentication
• Mobile Device Management (MDM) software
• Personal/Business profile management
BYOD Success Stories –
1. Western Maryland Health System
• Located in Cumberland, Maryland, but serves folks in WV and PA (rural area)
• Affiliated physicians demanded access to their practice EMR systems while at the hospital
• 4 to 5 different ambulatory EMRs in use
• Couldn’t accommodate everyone with VPNs
• Opted for a BYOD Wi-Fi solution where ambulatory EMRs can be accessed via Citrix
BYOD Success Stories –
1. Western Maryland Health System
• Physicians can compare notes in their EMR with data in MEDITECH (the hospital’s EHR)
• Physicians can dictate notes into MEDITECH using their mobile device and Dragon
• No PHI stored locally on devices • Shared-key access (monitored)
• Wireless users cannot communicate with other wireless users
BYOD Success Stories –
1. Western Maryland Health System
• Restrictive as to who gets access to corporate
resources
• BYOD Benefits:
– Improved patient care
– Accelerated EHR adoption
BYOD Success Stories –
2. Resources For Human Development
• Nonprofit social service organization
in Philadelphia
• Instituted a BYOD strategy to control
costs
• Conducted internal survey that
showed that 90% of employees
owned their own smartphones
• Desire among employees to carry
only one device
BYOD Success Stories –
2. Resources For Human Development
• Decided to leverage these personal
devices
• Implemented MDM to separate
personal and corporate data and
provide monitoring, blocking, and
wiping capabilities
• MDM transparent to users, but must
agree to have it installed
• Device encryption, auto-locking, and
anti-malware also required
BYOD Success Stories –
2. Resources For Human Development
• No data stored on devices (virtualized
desktop for EHR apps)
• Provides stipend to encourage BYOD
use
• BYOD Benefits:
– Employee satisfaction
– Device costs cut by more than half – Secure (Since implementation two to
three dozen devices were lost or stolen, but no data was lost)
BYOD Success Stories –
3. Yale New Haven Health System
• Connecticut’s leading healthcare
system with four healthcare delivery networks and more than 1,500
licensed beds
• Over the past two years mobile
device use has grown by more than 400%
• Embraces BYOD, but also issues corporate devices
• Initially supported all devices, but now provides a list of recommended
BYOD Success Stories –
3. Yale New Haven Health System
• Leverages virtualization
technology to ensure no data is
stored on devices
• Leverages MDM for app
deployment, loss prevention,
centralized administration, mobile
device visibility
• Results = Marked productivity
increases, cost savings, 99.999%
uptime
Thank You!
Ken Congdon Editor In Chief
Healthcare Technology Online www.HTOinfo.com
ken.congdon@jamesonpublishing.com
Twitter: @KenOnHIT