The influx of shared mobile devices is proliferating across practices, health systems and other healthcare organizations. At the same time, providers are combating the epidemic of security and privacy threats, from breaches to ransomware. As enterprises develop a mobile device strategy, it is important to balance the utilitarian nature of the mobile device against the security implications.
A resilient mobile device strategy incorporates multiple success factors: user needs, infrastructure, workflows, security, data, quality measures and more. Applying a holistic approach linking all key elements will support clinicians performing four standard practices:
- Speeding time to treatment
- Expediting care transitions
- Enhancing patient care
- Minimizing HIPAA compliance risk
Security policy and mobile devices work in tandem
Though the healthcare market for networked mobile devices has significantly evolved, it remains in the early stages of readiness. Many U.S. health systems still struggle to implement a mature level of mobility. As mobile device strategies gain ground, enterprises will find patient data spread across more distributed devices, increasing the challenge of mitigating risks and negative effects to patients.
Security remains a top concern in healthcare, as HIPAA and other regulations drive consumer behavior, business practices and governance standards. Even so, countless health facilities experience events of unofficial communication on personal devices. Implementing an effective security policy that balances optimal usage with HIPAA compliance must be a first step. Along with that effort is the ongoing development of security practices to guide daily operations.
Mobile device management hinges on meaningful criteria
According to a June 2017 report by Gartner, mobile device management (MDM) should be “a key requirement for enterprise-owned devices,” but user pushback is growing “around privacy and legal concerns, which are often based on a user’s misunderstandings of MDM’s capabilities.”
MDM — the administration of mobile devices, such as smartphones, tablet computers, laptops and desktop computers — is vital to controlling access to protected health information (PHI). Moreover, choosing the right MDM system is only part of the battle. An effective MDM deployment across a healthcare enterprise requires collaboration between clinicians and information technology (IT) personnel to foster mutual understanding of clinical needs and IT capabilities.
For most healthcare organizations, devices fall into two categories: Bring your own device (BYOD, typically used by physicians) and shared devices provided by the enterprise. Organizations should tailor the MDM deployment for these two groups differently. For example, more stringent policies can be applied to shared devices than to a physician’s BYOD device.
Proper device selection prevents performance issues
Device performance is second in importance to security in devising your medical device strategy. Mistakes often are attributed to device selection when devices fail to perform well within the clinical environment. Before investing substantial resources, work with vendors to pilot a device prior to making a commitment.
Consider these 14 steps in planning and deployment of an MDM system:
- Do you plan to use the device to access your EHR? If so, determine whether your EHR vendor certifies devices. If so, and the device under consideration is not on the list, request a review to determine if certification is feasible.
- Identify staff members who will require a shared device provided by the organization and the appropriate device requirements, including hardware such as optical scanners or cameras. These requirements can vary based on the user. For instance, a floor nurse may require a scanner and a camera, while a transport person may not. Best practice is to tailor device selection to the user group.
- Research devices designed for an acute care setting. In healthcare, a device should have durability and the ability to be disinfected so it doesn’t become a contributing factor in increased hospital-acquired conditions.
- Pay attention to the device’s product life cycle. It is best to purchase early in the life cycle to maximize the useful life once you deploy the devices.
- If choosing between multiple devices, perform benchmark testing. It is surprising how many enterprise devices have old processors that yield extremely poor performance.
- Determine your Voice Over IP (VoIP) strategy with the device and whether a device supports VoIP. If you are planning to use VoIP, your strategy should accommodate integrating VoIP devices into your voice infrastructure.
- Ask the device manufacturers what specific improvements have been made to their devices to optimize performance on enterprise wireless networks in medical facilities. These environments tend to have a high density of access points, and some devices do not roam well when moving between access points. Users, such as nurses, tend to be very mobile and will cross numerous access points in a short period.
- Test the devices in real-world situations. Important nuances will emerge, such as the ease of typing on a screen under different types of lighting. Identify issues that will present in various areas of the facility, not just at a desk or in a conference room.
- If considering Android devices, pay close attention to the operating system. In some cases the devices have old versions of Android, such as 4.x which is no longer being updated or patched. This can create a security risk. In addition, some manufacturers heavily modify the Android operating system, which could disable some commonly used healthcare applications.
- Whenever possible, do not have PHI stored on devices — configure devices so that they are only a conduit into systems containing PHI, which will help reduce the chance of a breach.
- Conduct a network assessment to ensure a proper infrastructure and successful VoIP rollout. Device and application performance is dependent on a wireless network that provides both adequate coverage and reliable, fast throughput.
- Outline the required resources and training for your IT team to handle deployment and maintenance of your MDM system.
- Consult several references about the device(s) being considered. Conversations with colleagues about their experiences may reveal some wisdom that can help avoid a costly mistake.
- Have a policy in place to deal with theft or loss of a device. For employees who move around through the facility and may misplace a device, encryption of the device and strong passwords should be encouraged.
Choosing the right device(s) has far-reaching consequences. The process includes the expenditure of a meaningful amount of capital and also affects users’ everyday workflow. The overall cost of a device that doesn’t fit well into a user’s workflow will exceed the original purchase price.
Above all, ensure the medical devices have documented proof of improved clinical workflows, enhanced patient care and regulatory compliance. A well-researched decision that accommodates specific needs of various clinical disciplines will yield higher efficiency and productivity, care team adoption and quality care delivery.
Ongoing education sustains mobile strategy success
Security and performance are tied directly to training on system capabilities and security measures. Accordingly, educate clinicians on potential risks and benefits for patients. Here are actionable tips to initiate an effective training and education program:
- Cite documented evidence of how mobile devices improve clinical care.
- Develop flexible opportunities accommodating various learning styles and levels of user experience.
- Encourage clinical leaders to bring colleagues on board to help foster care team adoption, device education and discussion of clinical needs.
- Proactively solicit constructive feedback through a collaborative approach, such as surveys. Ask key questions: Is the technology efficient and useful? Does it match your workflow? Is it too burdensome? How does it help or hinder optimal care delivery? What are your concerns, security or otherwise?
- Listen and take action. Equip end users with tools to succeed.
Clinical and expert feedback supports a holistic approach
While IT maintains a primary role creating an enterprise mobility strategy, clinician participation by doctors, nurses and other care team members is increasing steadily. Their collective input helps uphold a holistic strategy aligned with clinical concerns and workflows. Recruiting experienced privacy, security and compliance experts is advised as well.
With alarming security issues plaguing healthcare, organizations are already looking to outside expertise offering advanced skills and best practices to guide mobility planning and implementation. Emerging trends affirm the need for collaboration among diverse contributing partners as enterprise mobility strategies evolve.
We live in a new and complex world of mobility that demands understanding of mobile devices and security regulations. Healthcare organizations of all sizes must keep pace with technological advances and plan for future needs. Care team members require convenient tools for secure communication and collaboration to coordinate and deliver high-quality care to their patients.