Mobile devices are a significant part of health IT infrastructure as users look for the most convenient ways to use devices to treat patients. Building a healthcare mobility solution is key to ensuring the devices are fully supported and functioning properly.
Mobile devices allow clinicians to have the tools they need at their fingertips whether they are operating in a primary care, ICU, or emergency setting. Mobile devices reduce the time it takes to retrieve data and communicate with team members, which can potentially save a patient’s life.
“Healthcare organizations are looking to modernize what they're doing in their infrastructure,” said Red Hat Director of Healthcare Craig Klein. “They're also looking at how to make themselves more agile. Looking at all the changes that have happened that are happening in healthcare, organizations need to figure out a way to be able to stay as flexible as they possibly can.”
However, users can’t just fire up a mobile device, connect to the network and begin accessing healthcare apps and patient data. Organizations need to have a solid mobile strategy in order to successfully deploy mobile devices and ensure that they are being used properly.
“Look at how physicians and nurses capture information and bring the information back in,” Klein explained. “A lot of these technologies revolve around mobile and the ability to have this information at their fingertips. That's a big upside in mobile; that’s why we're seeing a lot of adoption.”
Before organizations deploy mobile devices, they need to consider what they are using the mobile devices for, which devices will be supported, and how to ensure all networked devices are secure and HIPAA compliant.
How will mobile devices contribute to the organization?
A successful mobility strategy should start by assessing the foundational devices for clinicians and administrators: smartphones, tablets, and laptops.
These mobile devices give clinicians access to the tools and information they need at the point of care. Smartphones, tablets, and laptops provide instant access to communication with staff around the facility.
Before mobile devices were introduced at the point of care, clinicians had to use stationary computers to access this information. If they were treating a patient and needed to consult certain resources and there was no computer in the room, the clinician would have to leave their patient.
EHRs, clinical decision support systems (CDSS), and picture archiving and communication systems (PACS) are now often available at the point of care through mobile devices.
Mobile devices give clinicians access to other medical resources that can be consulted at the point of care such as medical calculators, drug references, and clinical care guidelines.
Entities are also integrating mobile Internet of Things (IoT) devices into their network, which adds to the challenge of creating a roadmap.
IoT devices include monitoring devices that collect and share patient-generated health data (PGHD) with the network, as well as many bedside monitoring devices and telemedicine tools.
Entities need to decide which, if any, IoT devices they wish to support and then lay out a strategy for accommodating the influx of connected devices. Cellular networks may be required for IoT devices to prevent bottlenecks in the WiFi network. Cellular connectivity also allows the devices to be truly mobile, since they are mostly used outside the facility.
Organizations need to consider the network infrastructure impact of these devices before they include them in their mobile strategy. Entities must be able to support necessary network upgrades and changes to ensure all devices are connected reliably and securely.
Structuring device support, control and ownership to maximize benefits
Over the past decade, the consumerization of IT affected user expectations of mobile devices, especially those that they have not chosen themselves.
Users don’t want to be stuck with a device that doesn’t perform as well as their personal one. However, supporting all the devices users want isn’t always realistic. Users also tend to not want to carry more than one device for personal and professional use.
Organizations have several strategy options for the devices they support:
Company-owned, business only (COBO): The organization chooses the device for the user and it can only be used within the organization. No personal data is allowed on the device. Entities may see this as a more secure option, but users often don’t like to carry two devices. User dissatisfaction can lead to shadow IT.
Company-owned, personally enabled (COPE): The organization issues a device that it chooses and pays for. The user can use the device for personal data, but certain apps may be blacklisted because of security concerns. The organization has full control over the device which is secure and compatible with the network, but users may be concerned about personal privacy because their employer’s IT department has full access to the device.
Choose your own device (CYOD): Users have the option of choosing among pre-approved devices. The user owns the device, but it can be easily secured and integrated into the network. Privacy is less of an issue with CYOD because the user owns the device. CYOD is also only effective if the organization actively updates its list of pre-approved devices.
Bring your own device (BYOD): Users bring their personal device to use for corporate data. BYOD saves organizations money because they don’t have to invest in mobile devices, but IT has less control over how users use the devices in their personal lives. Users can download suspect or unsupported apps, which can compromise PHI stored on the device. Shadow IT is also common with BYOD devices.
Choosing which operating systems (OSes) to support may simplify this decision. Mobility management platforms can help providers manage multiple types of device OSes, but organizations may face compatibility obstacles when working with disparate OSes such as iOS and Android. Additional staff may be needed to ensure that all OSes are supported.
Entities need to consider their available IT resources and how much control they can realistically give users over their devices. Users will almost always find a way to work around things they don’t like. If they are unsatisfied with a company-issued device, they are more likely to seek alternative ways to access data, threatening the network with shadow IT.
Shadow IT is one of the most prominent threats to patient healthcare data because it often goes undetected unless the IT department has tools in place to flag and prevent the unauthorized use of third-party apps and devices.
Shadow IT is when users access protected health information (PHI) on an unauthorized personal device or third-party application. Outdated and unsupported apps on personal devices can potentially infect the network if the user accesses corporate data.
Users may opt for third-party apps such as Dropbox and Google Drive if they are unhappy with the performance, layout, or lack of apps provided by an organization.
Many employees tend to view IT policies and procedures as barriers that block greater efficiency in the workplace, said Travelers VP Chief Underwriting Officer Mike Thoma.
“Employees seek alternative workarounds, unapproved or non-vetted software, or develop independent programming,” he said.
“Organizations need to understand why employees are using shadow IT and look for opportunities to help improve efficiency,” Thoma advised. “Shadow IT can definitely have a negative consequence, but shadow IT can also have a positive impact.”
Finding a balance between too much control and too little control is key. Organizations may end up spending more money on staff and tools to monitor COBO and COPE devices. Entities may also choose a BYOD or CYOD option in an attempt to cut back costs and end up with a security issue because their mobile security infrastructure was not meant to handle devices with lower security settings.
Entities need to examine their IT infrastructure resources and determine which option is realistic for their resources and the level of security they need for their data.
Managing applications in an increasingly mobile environment
Web applications that are built for desktops are often unusable on mobile devices because they are not built to be swiped and tapped on a touchscreen. Web apps aren’t always meant to be used on smaller devices, either, making them difficult or even impossible to use.
Buttons may be too small and some features have no support whatsoever, rendering them useless to mobile users.
Developers can sometimes redesign desktop apps to suit the needs of mobile users via a process called app transformation, but this is generally used as a temporary stopgap. App transformation allows a developer essentially to “draw” a mobile interface over a desktop app, but this may result in usability issues.
The usability of an app will ultimately determine its success. Similar to consumer apps, users tend to open most professional apps once and then never use them again. Healthcare organizations cannot afford to waste time and money on adopting an app that isn’t used appropriately.
“If the user experience is in any way poor, even the best designed BYOD platforms will fail,” said HealthITSecurity.com contributor Bill Kleyman. “When creating a mobile workforce or BYOD strategy, start with the end-user. Conduct ‘day in the life’ scenarios where you learn how people interact with their digital tools. From there, design around the experience to make it intuitive and easy.”
Designing mobile applications that meet the needs of users isn’t just about creating a sleek interface, however. And spending too much time on tweaking the front-end could leave entities with serious security holes or integration issues.
Using “citizen developers” for the front-end can increase the app’s usability. The app user can design the front-end and tailor it based on the features that are going to allow improved workflow. Tools such as low-code app development platforms allow other IT staff or app users to help develop mobile applications.
Low-code platforms assist healthcare organizations in developing apps that clinicians want to use, and allow organizations to produce multiple apps quickly because they do not need to be built from scratch.
Addressing mobile device security
Mobilizing an environment comes with significant security concerns. Many applications require users to access protected health information from outside the confines of fully wired and secured machines, which could pose threats to network security.
A BYOD solution can be especially daunting because IT has limited control over the devices.
HHS explains technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”
The HIPAA Security Rule doesn’t require specific technology solutions, but it does suggest that organizations implement “reasonable and appropriate” security measures for their daily operations.
“HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan,” the agency says.
“Therefore the Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources.”
According to HealthITSecurity.com, if an organization chooses to implement a BYOD policy, they would need to deploy the proper mobility management solution that ensures the devices are HIPAA compliant.
Entities need to listen to users and consider what they want out of their mobile experience. This helps users understand their environment better and realize what security risks they can potentially pose by not following the mobile policy built for them.
Employee education helps organizations establish strong security beyond the basics of firewalls and other infrastructure security solutions. Employee education needs to be a part of a successful mobile strategy.
Infrastructure options for managing mobile strategy
IT administrators need network visibility in order to control their mobile network. Network visibility allows IT staff to know when and how connected medical devices are communicating with the network and where improvements can be made.
Network visibility gives healthcare organizations control over their networks and the devices connected to them.
“There are so many different connected devices now inside of a hospital environment that other markets don’t have to deal with,” said Director of Healthcare Solutions at Extreme Networks Bob Zemke.
“We have to think in terms of not just the connectivity of these machines and these devices but what are they doing on the network? How are they behaving? And that's a struggle for most hospitals today; it's not just making sure it's connected but in terms of security and compliance and patient safety.”
According to Zemke, network visibility and control are key to a successful network infrastructure that includes mobile devices. Visibility is the most-requested feature during any infrastructure upgrade intended to support more devices.
Enterprise mobility management (EMM) is also a viable option for managing a mobile strategy. EMM solutions can cover COBO, COPE, CYOD, and BYOD strategies and ensure that all devices are adhering to established privacy and security protocols.
EMM manages the physical device, its applications, how the device stores and delivers content, and who is accessing the device and how. These capabilities provide organizations with end-to-end security for the devices and the data they access.
Healthcare organizations must understand what they need out of mobility and establish a strategy before launching any devices onto the network. Understanding what devices will be mobilized, what kinds of devices will be supported, and how to reconfigure applications is a critical foundation to a successful mobile strategy.
Once those fundamental decisions are made, organizations can begin to set their mobile strategy into motion.