Mobile devices have become nearly ubiquitous in healthcare organizations, yet many do not have proper safeguards to protect confidential information. A recent report by mHIMSS found that while 97 percent of healthcare organizations use a mobile device to access information, only 38 percent have a mobile technology policy in place. Tim Williams, director of product management for Absolute Software, shares four best practices for managing mobile devices in hospitals and health systems.
1. Define permissible mobile devices. Many hospitals allow employees and physicians to bring in their own mobile devices, such as personal smartphones, iPads and Androids. The first step in managing these devices is to outline which devices are appropriate for the hospital, as certain devices may not be supported by the organization's operating system hardware. "The hospital has a responsibility to determine which devices it is going to allow before it thinks about how to manage them," Mr. Williams says.
2. Develop policies. Before beginning to manage mobile devices, hospitals should also develop clear policies that dictate how the technology can be used in and out of the organization. The policies should address two main aspects of device management: security and asset management — knowing what data resides where and who is using it. Policies should also balance providing employees convenient access to information and maintaining control over documents to prevent a data breach, according to Mr. Williams. For example, one policy may reserve the organization's right to completely wipe an employee's or physician's personal device clean to protect sensitive information. "That may mean you lose your Thanksgiving family photos, but the regulatory requirements outweigh that," Mr. Williams says.
To develop appropriate policies, hospital leaders will need to determine how mobile devices will be used and what protections will be necessary. If hospitals allow employee-owned mobile devices, one concern is the possible transfer of hospital data to the employee's home. If an employee plugs an iPod or iPad with hospital data into a personal computer, the system will synch and backup the data on the home computer, Mr. Williams says. One way to prevent sensitive information leaving the organization is to establish automatic controls over access to data. Mr. Williams says hospitals can set up software that can automatically lock employees and physicians out of the hospital's electronic system at the end of the day at 5 p.m., for instance. Another concern is that because mobile devices are designed for individual use, employees can remove management tools that place constraints on data access. However, the hospital can set up automatic controls that wipe the device if the management tools are removed, according to Mr. Williams.
3. Manage apps. Applications are a key feature of mobile devices, and thus must be included in mobile device management plans. Mr. Williams suggests hospitals consider in-house-developed apps when managing mobile devices, as this can offer tighter control over the data used by the apps. "Having a platform to distribute and control in-house apps needs to be a part of the plan even if [hospitals] are not developing apps right now," he says. Preparing for in-house developed apps now will make it easier for hospitals to integrate those apps in the future if they do decide to develop them.
Hospitals can also blacklist certain apps that they deem threatening to the system, mandate other apps that they believe improve performance and have a list of recommended apps that are optional. Mr. Williams says hospitals can monitor which apps employees have installed. If blacklisted apps are being used, hospitals can automate processes to deny users VPN access to the network, access to company email or the use of other files. "If you feel an app is going to compromise security, you can't wait. If there's a real threat, you need to take real remedial action right away," Mr. Williams says.
4. Integrate mobile device into the overall network. "[You can] only successfully manage those devices if you manage them within your larger network that you already manage," Mr. Williams says. He says that while mobile devices are in some ways quite different from other technologies hospitals use, in other ways they are very similar, because they allow the user to browse the Internet, check email, etc. "Mobile devices are just another growth in the evolution of [the larger IT ecosystem] and what IT people are already responsible for; [they're] just applying it to a new kind of platform."
Learn more about Absolute Software.
Survey: Only 38% of Healthcare Organizations Have Mobile Technology Policies in Place
Organized, Integrated Apps May Drive Physicians' Medical App Use
1. Define permissible mobile devices. Many hospitals allow employees and physicians to bring in their own mobile devices, such as personal smartphones, iPads and Androids. The first step in managing these devices is to outline which devices are appropriate for the hospital, as certain devices may not be supported by the organization's operating system hardware. "The hospital has a responsibility to determine which devices it is going to allow before it thinks about how to manage them," Mr. Williams says.
2. Develop policies. Before beginning to manage mobile devices, hospitals should also develop clear policies that dictate how the technology can be used in and out of the organization. The policies should address two main aspects of device management: security and asset management — knowing what data resides where and who is using it. Policies should also balance providing employees convenient access to information and maintaining control over documents to prevent a data breach, according to Mr. Williams. For example, one policy may reserve the organization's right to completely wipe an employee's or physician's personal device clean to protect sensitive information. "That may mean you lose your Thanksgiving family photos, but the regulatory requirements outweigh that," Mr. Williams says.
To develop appropriate policies, hospital leaders will need to determine how mobile devices will be used and what protections will be necessary. If hospitals allow employee-owned mobile devices, one concern is the possible transfer of hospital data to the employee's home. If an employee plugs an iPod or iPad with hospital data into a personal computer, the system will synch and backup the data on the home computer, Mr. Williams says. One way to prevent sensitive information leaving the organization is to establish automatic controls over access to data. Mr. Williams says hospitals can set up software that can automatically lock employees and physicians out of the hospital's electronic system at the end of the day at 5 p.m., for instance. Another concern is that because mobile devices are designed for individual use, employees can remove management tools that place constraints on data access. However, the hospital can set up automatic controls that wipe the device if the management tools are removed, according to Mr. Williams.
3. Manage apps. Applications are a key feature of mobile devices, and thus must be included in mobile device management plans. Mr. Williams suggests hospitals consider in-house-developed apps when managing mobile devices, as this can offer tighter control over the data used by the apps. "Having a platform to distribute and control in-house apps needs to be a part of the plan even if [hospitals] are not developing apps right now," he says. Preparing for in-house developed apps now will make it easier for hospitals to integrate those apps in the future if they do decide to develop them.
Hospitals can also blacklist certain apps that they deem threatening to the system, mandate other apps that they believe improve performance and have a list of recommended apps that are optional. Mr. Williams says hospitals can monitor which apps employees have installed. If blacklisted apps are being used, hospitals can automate processes to deny users VPN access to the network, access to company email or the use of other files. "If you feel an app is going to compromise security, you can't wait. If there's a real threat, you need to take real remedial action right away," Mr. Williams says.
4. Integrate mobile device into the overall network. "[You can] only successfully manage those devices if you manage them within your larger network that you already manage," Mr. Williams says. He says that while mobile devices are in some ways quite different from other technologies hospitals use, in other ways they are very similar, because they allow the user to browse the Internet, check email, etc. "Mobile devices are just another growth in the evolution of [the larger IT ecosystem] and what IT people are already responsible for; [they're] just applying it to a new kind of platform."
Learn more about Absolute Software.
Related Articles on Mobile Health:
Mobile Health Demonstration Reduces ER Visits, Hospital Stays By 58%Survey: Only 38% of Healthcare Organizations Have Mobile Technology Policies in Place
Organized, Integrated Apps May Drive Physicians' Medical App Use