Skip to late 2010, just a little more than two years ago, when mature smartphones and early iPads and other small tablet devices really started to explode in popularity and functionality. As the mobile market grew, the devices quickly became status symbols, particularly in the physician community, says Ojas Rege, vice president of strategy at mobile security vendor MobileIron, Mountain View, Calif. Health care organizations had a variety of devices coming into their facilities. Security risks ensued. It wasn't clear how they could control data access and security on the devices.
The health care industry is far more open than other industries, with far more "free agents," since physicians often have privileges at multiple hospitals. Consequently, a physician may have a smartphone accessing apps and data from more than one hospital and also have personal data on the device.
Further, physicians may want certain functionality. They may buy an app that offers the functionality or contract with a local developer to build it, and not tell the hospital. Having security built into apps is critical to health care organizations, but not to developers. For instance, it wasn't until quite recently that native encryption came with Android devices. Another consideration: When developers are writing an app for an iPhone or iPad, there is an API, or application programming interface, for a second level of encryption. But if developers aren't told to use the second level, they won't, Rege contends. They are focused on the platform, not application security. Consequently, whether an app is bought from a local or national shop, a developer is a contractor. After the purchase, the developer has disappeared, leaving the unknown, potentially unsecure app in place at the hospital. As a result, policy and design rules on how apps are built and what organizational data should be in a device have become necessary.
These factors set the stage for mobile device management software. It gives organizations centralized control over what I.T. devices are coming onto their premises and what those devices can and cannot do. MDM started with basic tools: enforcing passwords and encryption, and wiping data from lost devices. It has evolved to a centralized management platform across an enterprise, Rege says. "The device, user and app will change, but it's all about the data."
Talk to five mobile data security professionals and you'll get five descriptions of what mobile device management is. Taken together, a well-rounded explanation of how MDM works emerges:
Rege: "Mobile device management configures the device and apps, protects the data, separates professional and personal data, and at the end of a session removes the professional data."
Alan Dabbiere, chairman of mobile device security firm AirWatch: "Think of what functions the BlackBerry management console has, and combine it with what remote desktop management does for imaging, application setup and confirmation management. That's what we're doing."
Jim Shellhamer, technical systems analyst, Lehigh Valley Health Network, Allentown, Pa.: "MDM is making a mobile device secure yet accessible for business or enterprise use."
John McConnell, enterprise architect, Fletcher Allen Health Care, Burlington, Vt.: "MDM is a way of allowing people to use their own mobile device to access company data and applications in a secure and reliable manner."
Joel Taylor, CIO, Preferred Health Partners, a large multi-specialty group practice in Brooklyn: "MDM is the way in which you secure and manage any devices connecting to your network from all kinds of threats." And those threats really are everywhere and constant, he adds. "In metro New York, the favorite thing for thugs to do on the subway is to swipe a smartphone out of your hand and take off."
There have been tablet computers available with varying degrees of adoption for more than a decade. And personal digital assistants surely had more than 15 minutes of fame. But the mobile market we now know is very young, says Dabbiere at AirWatch. The smartphone market for the enterprise came of age in the fourth quarter of 2010 with the iPhone 4, he contends. Before that, there was no real comprehensive mobile device management outside of managing an organization's desktops and laptops. Palm types of devices weren't that manageable; you could enforce a password and wipe the device, but there was no remote management of access to e-mail, images and other data, or enterprise security enforcement for the device. Users configured their own devices.
How much has the MDM market expanded in two years? "We went from 100 to 5,000 customers and from 100 to 1,000 employees in two years," Dabbiere says. During that time, many hospitals and physician practices have been learning it is not possible to deny use of smartphones and iPad-type tablets in their facilities. But many are falling behind in protecting their data, he adds. "I'll tell you, Pandora is out of the box. Whether you think you can mandate no use of mobile devices, people are using them."
The Apple iOS and Android operating systems have been dominant in mobile computing, but the recently released Windows Phone 8 is ready for prime time. MDM vendors in late 2012 started introducing applicable security tools, Rege says. "What that means is there's a new platform for folks to look at." MobileIron, with 3,800 clients, recently held a Web seminar with Microsoft on Windows Phone 8 and got 2,500 attendees, so there is plenty of interest in the new version, he adds. But while MDM vendors gear up to fully support Microsoft mobile devices, they still have to continue support for a famous legacy device now in financial trouble, BlackBerry, and be prepared for large-scale migrations if parent company Research in Motion does not survive or is sold, he notes.
Ownership of mobile devices being used in health care varies. Some organizations purchase the devices while others let clinicians, staff and administrators bring in their own. At Lehigh Valley Health Network, departments buy their own iPads, but the information technology professionals handle device configuration and training on how to responsibly use the devices in the facility.