The natural inclination when mentioning BYOD in a healthcare environment is to ask about HIPAA compliance. HIPAA can be especially confusing to those of us who work outside of healthcare. Hospitals and other healthcare providers who are interacting with personal or patient health and financial information must maintain end-to-end security over it at all times.
Bring Your Own Device (BYOD) may seem unreachable in a healthcare environment because of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). However, BYOD can thrive in a healthcare environment given the right planning, technology, and healthcare institution/technology provider partnering.
Recently, I had the chance to speak with three healthcare IT experts about the state of BYOD in healthcare:
Nancy Green, managing principal, healthcare practice, Verizon Enterprise Solutions
Daniel Cane, CEO, Modernizing Medicine
Julee Thompson, chief healthcare executive, Sprint
The pulse of BYOD in healthcare institutions
It’s not millennials or other technology early adopters driving healthcare BYOD in many cases. “We have customers who have been forced by the clinicians,” Green said. Doctors are driving the demand for BYOD, according to Green, and IT is being forced to deal with the resultant security issues. Because doctors bring in revenue for hospitals, it’s natural they have the backing of healthcare administration to push hospitals and healthcare practices to BYOD.
Green said that IT healthcare has obviously changed over the years. “It’s a long way from how IT healthcare once operated when physicians got what they got, and that was it,” she said.
Cloud computing, demands from healthcare practitioners, and better mobile security make BYOD a reality inside hospitals and medical offices.
Prognosis for BYOD in healthcare
“I believe BYOD is achievable in a healthcare environment with certain requirements on behalf of those who want to use their own device,” Thompson said. “One of the challenges of BYOD is maintaining the privacy and security of PHI (Personal Health Information) exchange between covered entities.”
Cane said, “It depends on what you are using the device for. As an example, device security really is the thing most providers and administrators are going to be concerned about with BYOD. If the data isn’t residing on the device, I think it’s a lot easier to have a BYOD environment.”
In my previous research about healthcare IT, virtual desktop infrastructure (VDI) showed itself to be a popular solution for data security. Green and Thompson also brought up VDI as a potential mobile security solution because it keeps PHI off personal devices.
“It’s not just virtual desktops, it’s cloud-based applications,” Cane said. “If healthcare practitioners bring their own devices into a private practice or healthcare setting and connect to a secure cloud-based service then BYOD in a healthcare setting works just fine. If they are bringing their personal device into an environment where accessing a client/server application then the integrity of their device locally can affect the overall security of the entire healthcare system network.”
HIPAA and BYOD
“So in a mobile BYOD environment as a covered entity you have to be able to maintain the privacy and security of that private health information,” Thompson said. This includes whenever the data is being transacted, stored, or transmitted. All must be done in a HIPAA-compliant manner. The key, according to the experts I spoke with, is keeping the data off the device and in the cloud or in a VDI environment.
Partnering for BYOD
However, like many other industries, healthcare IT staff are overstretched and need to focus on their core business.
Thompson recommended that healthcare institutions seek out technology partners that can manage their BYOD efforts for them to help ensure security and privacy over PHI and patient financial data.
She encourages healthcare institutions to find a partner that fits their level of tolerance for managing BYOD. Partner services might augment in-house IT staff by supporting the procurement, dispersing, and refreshing of devices within an organization, outsourcing mobile device management and mobile application management.
Thompson recommends that a healthcare organization have a strategy and know their ability to manage the diversity of devices that BYOD can bring into the enterprise prior to bringing in a technology partner.
BYOD is the prescription for healthcare
BYOD in healthcare faces many of the same challenges as in other industries. HIPAA raises the stakes because violating HIPAA compliance brings with it significant financial and other penalties. Hospitals and healthcare practices that want to institute BYOD need to find the right mix of compliance tools, management technologies, and partners to ensure the security and privacy of patients’ PHI and financial information while balancing the productivity of the healthcare practitioners in their employ.
By Will Kelly February 10, 2014, 7:48 AM PST