Session 125: A Health IT Executive s Guide To BYOD Management Ken Congdon, Editor In Chief, Healthcare Technology Online (DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily represent official policy or position of HIMSS.)
Conflict of Interest Disclosure Ken Congdon, BA Journalism Has no real or apparent conflicts of interest to report. 2013 HIMSS 2
Learning Objectives Recognize potential BYOD challenges Propose policies and best practices to effectively manage BYOD practices Justify the practice of BYOD in your healthcare facility Evaluate technologies used for effective BYOD management 3
The BYOD Ship Has Sailed 80% of physicians own tablet devices (HIMSS Health IT 2012) 70% of smartphones belong to users (Forrester Research) 65% of tablets belong to users (Forrester Research) 59% of employees use mobile devices to run line of business applications (Symantec State of Mobile Computing Survey) 4
The BYOD Ship Has Sailed Employees driving the BYOD trend because: They want faster, newer, higher performing devices than their employer provides Need to access data from multiple locations (office, hospital, clinic, home, etc.) 5
IT Attitudes Toward BYOD IT concerns: Patient data security Virus/malware protection Software license management Mobile Device Management/Application Management Intellectual property protection Loss prevention 6
IT Attitudes Toward BYOD Mobile malware rose 155% in 2011 (Juniper Mobile Security Report 2011) Draconian BYOD controls unlikely to work 37% of employees use noncompliant devices on corporate networks before formal permissions or policies are instituted (Fifteen Mobile Policy Best Practices, Forrester Research, 2011) 7
IT Attitudes Toward BYOD 85% of hospital IT departments allow doctors and staff to use personal mobile devices at work (2012 Aruba Networks Survey) 86% of hospitals have some kind of BYOD policy in place/31% have full BYOD (KLAS 2012 Report Mobile Applications: Can Enterprise Vendors Keep Up?) 70% of hospitals use mobile devices to access EHR data (KLAS 2012 Report Mobile Applications: Can Enterprise Vendors Keep Up?) 8
IT Attitudes Toward BYOD In survey of our readership, Mobile/Tablet Computing ranked as our #4 health IT trend, yet BYOD Management ranked #32 47.4% ranked Mobile/Tablet Computing a Top Priority or Priority Only 26.6% ranked BYOD a Top Priority or Priority 9
IT Attitudes Toward BYOD Only 9% of organizations are fully aware of the devices accessing their network (2012 SANS Annual Mobile Security Survey) Only 24% of personally-owned smartphones (21% of tablets) can be remotely wiped (Osterman Research) Only 10% of personally owned smartphones (9% of tablets) can be scanned for malware (Osterman Research) 29% of organizations do nothing to manage applications on BYOD end points (Juniper Mobile Security Report 2011) 10
BYOD Benefits When implemented correctly, a BYOD strategy can provide a healthcare facility with several benefits: Employees are more efficient Organizational costs can be reduced Improved employee satisfaction 11
BYOD A Winning Strategy Policies must be developed before it s too late Interactions between internal systems and devices must be secure It has to be easy to adopt and achieve compliance It must allow for coexistence of personal/corporate functionality (apps and data) It must be capable of evolving with evolution of devices Ownership and financial reimbursement must be clear 12
BYOD Best Practices 1. Policy Before Technology Policy outlines acceptable use Should not be created in an IT vacuum Key considerations: Device/OS support Security measures Compliance requirements Application support Corporate system access Personal privacy guidelines Reimbursement strategy 13
BYOD Best Practices 2. Secure Data End-To-End Strong BYOD security policies ensure data security at the end point, middle, and data center Access controls/user certification Methods providers use to protect mobile data (KLAS Research 2012 Mobile Applications: Can Enterprise Vendors Keep Up?): Virtualization (52%) Encryption (46%) MDM Software (35%) Limit Devices (12%) Internal Cloud (11%) Limit OS (6%) External Cloud (5%) 14
BYOD Best Practices 2. Secure Data End-To-End Limit corporate data/phi that can be stored on mobile devices Disable moving emails Continuous device monitoring & alerts Unauthorized devices attempting to access network Root/jailbroken devices Unsecure applications Encryption enforcement All mobile devices must be able to be wiped remotely by an administrator Data prioritization/optimization 15
BYOD Best Practices 3. Ensure User & IT Simplicity Enroll devices in bulk Basic authentication (e.g. Active Directory/LDAP) New devices quarantined & IT notified Enrollment controls/customized user eligibility Application/update push Application server Embed self-service capabilities Security can t impede usability & care quality 16
BYOD Best Practices 4. Separate Corporate & Personal Data Keep personal data personal: Personal emails, contacts, calendars Application data Text messages Call history & voicemails Personal photos & videos Location indicators Let users know what data will be collected by corporate and how it benefits them 17
BYOD Best Practices 4. Separate Corporate & Personal Data Corporate apps, documents, data, etc. must be protected by IT Use mobile synchronization software to push settings to devices and enforce policies Provide ability to conduct selective wipes on personal mobile devices Build employee trust while minimizing mobile distractions 18
Potential BYOD Challenges Forced device encryption Keeping up with changing mobile device ecosystem Implementing security protocols without affecting the user experience ediscovery 19
Technologies To Promote BYOD Success Wireless networking/vpn Encryption Virtualization Certification/Authentication Mobile Device Management (MDM) software Personal/Business profile management 20
BYOD Success Stories 1. Western Maryland Health System Located in Cumberland, Maryland, but serves folks in WV and PA (rural area) Affiliated physicians demanded access to their practice EMR systems while at the hospital 4 to 5 different ambulatory EMRs in use Couldn t accommodate everyone with VPNs Opted for a BYOD Wi-Fi solution where ambulatory EMRs can be accessed via Citrix 21
BYOD Success Stories 1. Western Maryland Health System Physicians can compare notes in their EMR with data in MEDITECH (the hospital s EHR) Physicians can dictate notes into MEDITECH using their mobile device and Dragon No PHI stored locally on devices Shared-key access (monitored) Wireless users cannot communicate with other wireless users 22
BYOD Success Stories 1. Western Maryland Health System Restrictive as to who gets access to corporate resources BYOD Benefits: Improved patient care Accelerated EHR adoption Enhanced physician satisfaction 23
BYOD Success Stories 2. Resources For Human Development Nonprofit social service organization in Philadelphia Instituted a BYOD strategy to control costs Conducted internal survey that showed that 90% of employees owned their own smartphones Desire among employees to carry only one device 24
BYOD Success Stories 2. Resources For Human Development Decided to leverage these personal devices Implemented MDM to separate personal and corporate data and provide monitoring, blocking, and wiping capabilities MDM transparent to users, but must agree to have it installed Device encryption, auto-locking, and anti-malware also required 25
BYOD Success Stories 2. Resources For Human Development No data stored on devices (virtualized desktop for EHR apps) Provides stipend to encourage BYOD use BYOD Benefits: Employee satisfaction Device costs cut by more than half Secure (Since implementation two to three dozen devices were lost or stolen, but no data was lost) 26
BYOD Success Stories 3. Yale New Haven Health System Connecticut s leading healthcare system with four healthcare delivery networks and more than 1,500 licensed beds Over the past two years mobile device use has grown by more than 400% Embraces BYOD, but also issues corporate devices Initially supported all devices, but now provides a list of recommended devices 27
BYOD Success Stories 3. Yale New Haven Health System Leverages virtualization technology to ensure no data is stored on devices Leverages MDM for app deployment, loss prevention, centralized administration, mobile device visibility Results = Marked productivity increases, cost savings, 99.999% uptime 28
Thank You! Ken Congdon Editor In Chief Healthcare Technology Online www.htoinfo.com ken.congdon@jamesonpublishing.com Twitter: @KenOnHIT (814) 897-9000 ext. 231 29