Bring-your-own-device implementations are forcing health IT leaders to reconcile seemingly opposite objectives: tightening security to meet HIPAA compliance mandates going into effect this fall, while opening up systems to personal smartphones and tablets employees want to use on the job.
Enabling those devices and their simple operating systems to interface with complex back-end data systems tracking federal EHR meaningful use criteria also is a puzzle they must solve.
Bring your own device is reality. You don’t have a choice; you can’t bury your head in the sand and say, ‘No, you can’t do it.’
vice president of privacy and information security, UPMC
Such were the results from 240 respondents to SearchHealthIT’s annual mobile health survey, which represented a mix of mostly providers, including ambulatory and inpatient healthcare IT staffers. More than two-thirds (68%) indicated mobile health devices are a part of their organization’s ongoing IT strategy. More than half (51%) of total respondents said a range of 100 to 1,000 devices will be on their networks by the end of the year with a mix of tablets (81%) and smartphones (70%) overwhelmingly named as the highest-priority implementations, followed by laptops, telemedicine technology and medical devices.
A majority (58%) also said they are increasing budgets to accommodate mobile health integration plans. Almost two-thirds of the time (61%) those plans are drawn up by multidisciplinary teams, including clinical, IT and executive staff.
Some 37 IT staffers at payers also contributed responses to the survey. Several large payers are launching mobile health services, including Aetna Inc. Martha Wofford, vice president and head of Aetna’s mobile initiative CarePass, said the back-end implementation took much attention to data systems interoperability, as well as securing data for HIPAA compliance. The end result: A mobile portal that aggregates data from popular personal health apps such as FitBit, RunKeeper and Jawbone, and also serves as a healthcare provider directory and an appointment-booking tool that plugs into provider practice-management systems.
Aetna rolled out the system, which is available to non-customers as well policyholders, to increase brand mindshare as health insurance exchanges roll out in the wake of the Affordable Care Act (ACA). Wofford said Aetna chose a mobile platform because of its growing adoption among patients and providers alike.
The provider directory and booking tool takes advantage of mobile device-specific features, keyed to symptoms the patient enters into iTriage, one of the apps Aetna acquired and merged into CarePass. “We’re really trying to make that access point easier for people on the go,” Wofford said.
Many organizations are supporting multiple operating systems, with Apple iOS (82%) and Android (68%) leading the way, and Windows Mobile (54%) making a significant showing as well. Less than one-third (32%) of respondents indicated BlackBerry as a supported operating system. Regardless of whether mobile devices are provided by employer or employee, respondents’ issues included securing them, connecting them to EHR systems and application management.
Infrastructure and support are needed to integrate mobile devices in provider IT environments, respondents also said. Data encryption is number one (71%), followed closely by authentication of devices. Clearly many networks are supporting both employee- and employer-owned devices, as 68% of respondents said they were adding back-end authentication of personal devices and 53% said they were improving authentication of company-owned mobile devices. The other infrastructure pieces respondents are adding include wireless access points (53%) and unified wired/wireless access systems (45%).
As meaningful use moves into stage 2, as the updated HIPAA omnibus rule goes into effect, and ACA quality reporting initiatives come online, respondents couldn’t pick which one impacted mobile device implementations most. Nearly two-thirds (62%) simply indicated, “All of the above.”
HIPAA security requirements, however, will impact BYOD implementations. John Houston, vice president of privacy and information security at UPMC, said despite the tightening HIPAA security mandates, the BYOD movement in healthcare can’t be stopped. IT leaders can only hope to contain it with well-reasoned, intelligently implemented policies and technologies. One example: To receive email from the health system on your own smartphone you must use Microsoft ActiveSync as UPMC sets it up with password rules and automatic timing out after a certain period of time.
“Bring your own device (BYOD) is reality. You don’t have a choice; you can’t bury your head in the sand and say,’No, you can’t do it,'” Houston said. “So what we’ve tried to do is work with vendors and make sure we have the appropriate technology in place to support [BYOD].”
Houston added: “But I look at bring-your-own-device issues really, very simply. We’re going to develop common criteria; here’s what we expect of you if you want your device to work. If you can comply with those requirements, you can use your device. If you don’t want to use your device or you can’t comply, you can’t use your device on our network.”