Lehigh Valley is an AirWatch client. Its suite of MDM software can be hosted over the cloud by the vendor or on-premises by the user. The delivery system hosts its MDM on the simple premise that it didn't want any chance of patient data going from its network into the cloud, technical system analyst Jim Shellhamer says. That shows just how security-conscious some hospitals have become.
Prior to adopting a suite of products from AirWatch, Lehigh Valley had cobbled together an MDM strategy using iPad configuration utilities. There were limits. Once the devices were in user hands, there was no way to know what other apps were running on them, and whether the devices were developing security issues.
MDM systems enable a consistent, policy-driven and enterprise configuration of mobile devices being used in an enterprise, Shellhamer explains. The software enables many features, he adds. An organization can restrict e-mailing photos or notes, or video. Passwords can be remotely and centrally reset. Device locations can be tracked via GPS. Certain apps such as a network scanner can be blacklisted from a device. All user-installed apps on a device can be identified. Devices can be remotely wiped if lost or stolen. Cameras also can be disabled to prevent the accidental taking of a photo of a patient because a user inadvertently pressed the camera button. Having central management and protocols "give me a huge window into managing our mobile device suite and securing it," he says.
The MDM system at Lehigh Valley Health Network was implemented in late August 2011 as a pilot site, a process that only took about four hours, according to Shellhamer. And very quickly came the first lesson of what happens when an organization opens itself to mobile device use.
The pilot started with 50 users and grew to 300 in less than four months, with the health network supplying the devices. By November 2012, more than 800 iPads were in circulation "and that number continues to grow every day," Shellhamer says. "I can't count the number of times I have told people the genie is out of the bottle. For functionality and price, the devices are too good to pass up. Once people saw the first iPads, everyone wanted one." For example, iPads that the hospital makes available for kids in the emergency departments, and especially in chemotherapy, have been a godsend because they keep the kids interested in something besides needles. "Now, they start playing and get annoyed when the nurse gets in the way and blocks their game." Lehigh Valley in 2013 expects to start bolting iPads to inpatient beds to use as patient education and entertainment devices.
Shellhamer also expects a major new function in 2013 as his vendor introduces a "secure content locker." The technology would enable encryption of data or images being transmitted to a device, then wiping of the content from the device after viewing but making the content available for subsequent reviewing in the locker.
Grow with the vendor
Group practice Preferred Health Partners in Brooklyn learned its early lessons about mobile device management software along with its vendor, which was entering the health care market. The practice began with a pilot program in August 2012 and soon became a beta site for its vendor.
The vendor had a lot to learn and Preferred Health has gone through some trying times, acknowledges CIO Joel Taylor, who declines to identify the company. The way the MDM product sorted e-mail was confusing and tweaks were needed to make the process more like the way a smartphone already handles e-mail. And initially, the MDM apps would crash, synchronization was slow and certain Android devices with lower memories were not fully supported.
But there is a positive flip side to being an MDM beta site, Taylor says. He better understands app development life cycles and has input into what gets developed, and gets fixes and upgrades first. It is important, he notes, to have a pool of beta users that includes physicians, nurses, administrators, staff members, and representatives of virtually every unit of the organization because there are legitimate mobile needs throughout the enterprise.
Being a beta site also means getting some functions that other MDM vendors may not offer. Preferred Health's MDM package includes signaling apps that register with the vendor and the practice's networks each time a mobile device is turned on. Any device that doesn't say "Hi" within a 24-hour period has its corporate information automatically wiped off. It's an easy process for the help desk to reactivate a user's corporate account, and the auto-wipe safeguard hasn't been triggered often because mobile users usually don't go a day without turning on their device, Taylor says.
Fletcher Allen Health Care in Burlington, Vt., has taken a phased approach to mobile device management as use of devices grows. It started with iPhone users who wanted to synch their e-mail and calendar to the device, but had to agree to turn on the device's encryption function, use a password and permit remote wiping of the device if necessary, says John McConnell, enterprise architect.
Android devices did not have native encryption until the past year, and those users were further required to download the Touchdown bolt-on encryption app from the Android store. To date, smartphones, primarily iPhones, have dominated the mobile device use at Fletcher Allen, but tablet use now is growing and McConnell intends in 2013 to purchase secure messaging software and require its use on all mobile devices. He's also looking at software that prevents installation of certain apps, such as Angry Birds, but hasn't yet seen a business need for it, as mobile users have been responsible users.
The delivery system hasn't yet had to wipe data from a device, but uses software to remotely lock the screen and not permit access to data if a device is temporarily missing. McConnell admits he had to lock his own iPad after leaving it behind in a restaurant.