BYOD in hospitals? The debate rages on
The bring-your-own-device strategy has been embraced by businesses because staffers are walking into offices toting tablets and sophisticated handsets.
But is it the right strategy for a hospital, with its expectation for controlling sensitive patient data?
Opinion was mixed Wednesday at the opening of a two-day mobile healthcare conference in Toronto for medical IT personnel.
On one side was speaker Todd Richardson, CIO of Deaconess Health System of Indiana, who dismissed attendees who told him of their policies that forbid non-approved wireless devices on their networks.
"We're going to lose that battle," he told the conference, because of pressure from staff. BYOD isn't going away, he said, and with proper procedures security can be ensured.
On the other side was Dr. Khaled El Emam, Canada research chair at the Electronic Health Information Laboratory and associate professor at the University of Ottawa's faculty of medicine, who talked at length about the risks of unsecured wireless devices.
"We haven't lost the battle yet" over BYOD, he said.
While a number of topics were discussed during the day, the conference often turned back to whether hospitals should provide wireless devices for staff to ensure security or open the doors and set up policies to protect data.
Medical and even administrative staff want to use their own devices on a hospital's network for a number of reasons, including trying to cut down on paper and not wanting to carry separate personal and work units. Some like tablets or smart phones because they're not tied to a desk.
But it can be expensive to pay for devices -- especially if they're large tablets. Ottawa Hospital is covering the tab for 3,000 of Apple Corp.'s iPads for doctors and nurses -- and spent $8 million on custom software so users can input data directly into its electronic health records system.
On the other hand there are advantages, noted Dale Potter, vice-president and CIO of the institution.
"If you want to have a predictable population of people (using tablets or handsets) and enforce this so it becomes part of the workflow, you don't have a choice but to purchase them." BYOD, he said, means devices "dribble in an uncontrolled way."
Cost was one reason why Deaconess, which oversees six hospitals in the Evansville area, decided to let staff bring their own devices, Richardson said. The hospital doesn't have to pay for the devices, support them or worry about "device envy" when some staff get the latest version of a tablet and others don't. And, he said, people take better care of what they own.
Approved users get secure access to the wireless network through Citrix, a common solution several attendees said their institutions use. Security is ensured because no hospital data is downloaded to personal devices. Email is secured through password-protected access to Deaconess' Microsoft Exchange server. In addition, the mail goes through Zix Corp.'s ZixMail, which automatically encrypts messages that contain designated sensitive words (such as social insurance numbers).
El Emam outlined a raft of security problems with privately-owned mobile devices that management has to face. One U.S. study showed that half of the data losses of healthcare institutions last year came from the loss or theft of mobile devices, he said.
Security techniques are available, including using Citrix, requiring password access on the devices, enabling IT to remotely wipe lost or stolen devices and setting up audit trails.
Make sure there's a formal agreement with users regarding the use of the device and accessing patient data, he said, including a requirement to report immediately the loss or theft of the device.
But he also warned of dangers: Many devices have "backdoors" to their operating systems so they can be serviced by tech staff. Users will have the freedom to download their own apps, which may be a hazard if they "leak" information. "My general perspective is you cannot trust developers," he said. Cloud service providers are another potential security hole.
"If everybody did the basic (security) things we'd be so far ahead," he said. But "if we don't take care of these risks there will be consequences."
Finally, Richardson acknowledged that BYOD may not be right for all health institutions. But, he told attendees, having a mobility strategy is better than not having one at all. "You're better off learning and moving down a path, even if you end up being wrong."
The conference, organized by the Strategy Institute, concludes Thursday.