Connected Health 2015: Penn Medicine BYOD policy balances data protection, user privacy

When developing a bring-your-own-device policy, Penn Medicine had to respond to the need for seamless integration between professional and personal use of the tools, according to Neha Patel, M.D., director of mobile strategy and applications.

The Philadelphia-based health system needed to ensure that patient and hospital information on the device was secured, but also that employees had the peace of mind that their own information wouldn't be accessed by the health system, Patel said during this week's Connected Health Conference in Maryland.

"We wanted to manage and minimize mobile risk," she said. "These devices are small, they can get lost or stolen, and we have a lot of Penn Medicine corporate data in the apps."

When a health system starts thinking about a BYOD policy, it needs to figure out how to balance information protection with personal user privacy, Patel said.

"One goal that every institution should have is that information protection requirements must remain consistent throughout the spectrum, regardless of who is financially responsible for that smartphone," she said. "You don't want any grey lines, like 'because yours is a personal device, it's OK if your data isn't protected as much as we protect corporate-assigned phones.'"

At Penn Medicine, people who wanted to use their own phones were especially protective about their personal texts and pictures, Patel said.

To solve that issue, the health system looked to containerization, where personal apps could be separated on a device from corporate ones through the mobile device management system. That allows the enterprise to have complete control of the business apps, but no access to personal apps, Patel said.

While containerization has many strengths, it also has a lot of weaknesses, she said.

One, for instance, is that users don't like having to switch between the container and main user screens. Administrators were especially against this function, because they didn't separate work apps from personal apps. However, Patel said, clinicians preferred having their personal and corporate lives on their phones separate.

"They liked the idea of going home and thinking 'My work apps remain my work apps, and my personal phone is my personal phone,'" she said.

The containerization option was an added cost, but "financially, we thought that was beneficial when you compared the risk" of having a device be compromised, Patel said.