BYOD may be taking the lead when it comes to mobile device management these days, but hospitals have a variety of different solutions to the security problems it raises.
That's one of the upshots from the ONC's Mobile Device Roundtable last Friday, where federal regulators, hospital executives and IT specialists all gave their perspectives on the state of mobile IT security in healthcare.
I was struck by the variety of options, including:
Network segregation: Altamonte Springs, Fla.-based Adventist Health System, which supports 43 campuses across 12 states, created a segmented network for physicians, allowing them to connect to that network and receive the same basic functionality they get when working from a home PC, Sharon Finney, corporate data security officer for Adventist, said. In a similar way, the University of Alabama Health System set up a special portal for referring physicians, to allow them access to files when onsite, or working with a UAB physician, but only so long as they enter through the dedicated portal, explained Terrell Herzig, the system's information security officer.
Self-policing: Pocatello, Idaho-based Portneuf Medical Center allows personally owned devices, and requires users to sign a contract for securing and using their device on the hospital network, including having a passcode on the device at all times, according to speaker Jacob DeLaRosa, chief of the hospital's cardiothoracic services.
Third-party data management, a.k.a., the cloud: Christopher Tashjian, a physician and president of the River Falls, Ellsworth & Spring Valley Medical Clinics in Wisconsin, prefers to let an application service provider (ASP) manage his data, allowing him to access it, but not store it locally. This solves most of his security issues, he said.
While the speakers had different methods of securing data, most seemed to agree on the need to be device-agnostic, supporting multiple device types, regardless of ownership. The topic came up repeatedly, with a majority agreeing it's the way to go.
"We're taking a container-based approach," Finney said. "We want to deliver a set of services. We want to secure the data, not the device."
Other speakers said that unified messaging systems, with secure channels, definitely are the way that in-hospital direct communications are moving.
One of the most troubling revelations at the meeting, though, echoed by industry reps and regulators alike, was the continuing trend of hospitals enabling mobile devices without strong security policies in place. Lisa Gallagher, privacy and security director for the Healthcare Information and Management Systems Society, said the group's most recent data shows a majority of hospitals, if they write a policy, don't update or revise it.
It shouldn't just be "a policy on the shelf," Gallagher said. "[Providers should] use it to help clinicians understand what they need to do [about security] in their workflow." - Sara