Skip to late 2010, just a little more than two years ago, when mature smartphones and early iPads and other small tablet devices really started to explode in popularity and functionality. As the mobile market grew, the devices quickly became status symbols, particularly in the physician community, says Ojas Rege, vice president of strategy at mobile security vendor MobileIron, Mountain View, Calif. Health care organizations had a variety of devices coming into their facilities. Security risks ensued. It wasn't clear how they could control data access and security on the devices.
The health care industry is far more open than other industries, with far more "free agents," since physicians often have privileges at multiple hospitals. Consequently, a physician may have a smartphone accessing apps and data from more than one hospital and also have personal data on the device.
Further, physicians may want certain functionality. They may buy an app that offers the functionality or contract with a local developer to build it, and not tell the hospital. Having security built into apps is critical to health care organizations, but not to developers. For instance, it wasn't until quite recently that native encryption came with Android devices. Another consideration: When developers are writing an app for an iPhone or iPad, there is an API, or application programming interface, for a second level of encryption. But if developers aren't told to use the second level, they won't, Rege contends. They are focused on the platform, not application security. Consequently, whether an app is bought from a local or national shop, a developer is a contractor. After the purchase, the developer has disappeared, leaving the unknown, potentially unsecure app in place at the hospital. As a result, policy and design rules on how apps are built and what organizational data should be in a device have become necessary.
These factors set the stage for mobile device management software. It gives organizations centralized control over what I.T. devices are coming onto their premises and what those devices can and cannot do. MDM started with basic tools: enforcing passwords and encryption, and wiping data from lost devices. It has evolved to a centralized management platform across an enterprise, Rege says. "The device, user and app will change, but it's all about the data."
Talk to five mobile data security professionals and you'll get five descriptions of what mobile device management is. Taken together, a well-rounded explanation of how MDM works emerges:
Rege: "Mobile device management configures the device and apps, protects the data, separates professional and personal data, and at the end of a session removes the professional data."
Alan Dabbiere, chairman of mobile device security firm AirWatch: "Think of what functions the Blackberry management console has, and combine it with what remote desktop management does for imaging, application setup and confirmation management. That's what we're doing."
Jim Shellhamer, technical systems analyst, Lehigh Valley Health Network, Allentown, Pa.: "MDM is making a mobile device secure yet accessible for business or enterprise use."
John McConnell, enterprise architect, Fletcher Allen Health Care, Burlington, Vt.: "MDM is a way of allowing people to use their own mobile device to access company data and applications in a secure and reliable manner."
Joel Taylor, CIO, Preferred Health Partners, a large multi-specialty group practice in Brooklyn: "MDM is the way in which you secure and manage any devices connecting to your network from all kinds of threats." And those threats really are everywhere and constant, he adds. "In metro New York, the favorite thing for thugs to do on the subway is to swipe a smartphone out of your hand and take off."
There have been tablet computers available with varying degrees of adoption for more than a decade. And personal digital assistants surely had more than 15 minutes of fame. But the mobile market we now know is very young, says Dabbiere at AirWatch. The smartphone market for the enterprise came of age in the fourth quarter of 2010 with the iPhone 4, he contends. Before that, there was no real comprehensive mobile device management outside of managing an organization's desktops and laptops. Palm types of devices weren't that manageable; you could enforce a password and wipe the device, but there was no remote management of access to e-mail, images and other data, or enterprise security enforcement for the device. Users configured their own devices.
How much has the MDM market expanded in two years? "We went from 100 to 5,000 customers and from 100 to 1,000 employees in two years," Dabbiere says. During that time, many hospitals and physician practices have been learning it is not possible to deny use of smartphones and iPad-types of tablets in their facilities. But many are falling behind in protecting their data, he adds. "I'll tell you, Pandora is out of the box. Whether you think you can mandate no use of mobile devices, people are using them."
The Apple iOS and Android operating systems have been dominant in mobile computing, but the recently released Windows Phone 8 is ready for prime time. MDM vendors in late 2012 started introducing applicable security tools, Rege says. "What that means is there's a new platform for folks to look at." MobileIron, with 3,800 clients, recently held a Web seminar with Microsoft on Windows Phone 8 and got 2,500 attendees, so there is plenty of interest in the new version, he adds. But while MDM vendors gear up to fully support Microsoft mobile devices, they still have to continue support for a famous legacy device now in financial trouble, Blackberry, and be prepared for large-scale migrations if parent company Research in Motion does not survive or is sold, he notes.
Ownership of mobile devices being used in health care varies. Some organizations purchase the devices while others let clinicians, staff and administrators bring in their own. At Lehigh Valley Health Network, departments buy their own iPads, but the information technology professionals handle device configuration and training on how to responsibly use the devices in the facility.
Lehigh Valley is an AirWatch client. The vendor's suite of MDM software can be hosted in the cloud by the vendor or on-premises by the user. The delivery system hosts its MDM on-premises, on the simple premise that it didn't want any chance of patient data going from its network into the cloud, technical systems analyst Jim Shellhamer says. That shows just how security-conscious some hospitals have become.
Prior to adopting a suite of products from AirWatch, Lehigh Valley had cobbled together an MDM strategy using iPad configuration utilities. There were limits. Once the devices were in user hands, there was no way to know what other apps were running on them, and whether the devices were developing security issues.
MDM systems enable a consistent, policy-driven and enterprise configuration of mobile devices being used in an enterprise, Shellhamer explains. The software enables many features, he adds. An organization can restrict e-mailing photos or notes, or video. Passwords can be remotely and centrally reset. Device locations can be tracked via GPS. Certain apps such as a network scanner can be blacklisted from a device. All user-installed apps on a device can be identified. Devices can be remotely wiped if lost or stolen. Cameras also can be disabled to prevent the accidental taking of a photo of a patient because a user inadvertently pressed the camera button. Having central management and protocols "give me a huge window into managing our mobile device suite and securing it," he says.
The MDM system at Lehigh Valley Health Network was implemented in late August 2011 as a pilot site, a process that only took about four hours, according to Shellhamer. And very quickly came the first lesson of what happens when an organization opens itself to mobile device use.
The pilot started with 50 users and grew to 300 in less than four months, with the health network supplying the devices. By November 2012, more than 800 iPads were in circulation "and that number continues to grow every day," Shellhamer says. "I can't count the number of times I have told people the genie is out of the bottle. For functionality and price, the devices are too good to pass up. Once people saw the first iPads, everyone wanted one." For example, iPads that the hospital makes available for kids in the emergency departments, and especially in chemotherapy, have been a godsend because they keep the kids interested in something besides needles. "Now, they start playing and get annoyed when the nurse gets in the way and blocks their game." Lehigh Valley in 2013 expects to start bolting iPads to inpatient beds to use as patient education and entertainment devices.
Shellhamer also expects a major new function in 2013 as his vendor introduces a "secure content locker." The technology would enable encryption of data or images being transmitted to a device, then wiping of the content from the device after viewing but making the content available for subsequent reviewing in the locker.
Grow with the vendor
Group practice Preferred Health Partners in Brooklyn learned its early lessons about mobile device management software along with its vendor, which was entering the health care market. The practice began with a pilot program in August 2012 and soon became a beta site for its vendor.
The vendor had a lot to learn and Preferred Health has gone through some trying times, acknowledges CIO Joel Taylor, who declines to identify the company. The way the MDM product sorted e-mail was confusing and tweaks were needed to make the process more like the way a smartphone already handles e-mail. And initially, the MDM apps would crash, synchronization was slow and certain Android devices with lower memories were not fully supported.
But there is a positive flip side to being an MDM beta site, Taylor says. He better understands app development life cycles and has input into what gets developed, and gets fixes and upgrades first. It is important, he notes, to have a pool of beta users that includes physicians, nurses, administrators, staff members, and representatives of virtually every unit of the organization because there are legitimate mobile needs throughout the enterprise.
Being a beta site also means getting some functions that other MDM vendors may not offer. Preferred Health's MDM package includes signaling apps that register with the vendor and the practice's networks each time a mobile device is turned on. Any device that doesn't say "Hi" within a 24-hour period has its corporate information automatically wiped off. It's an easy process for the help desk to reactivate a user's corporate account, and the auto-wipe safeguard hasn't been triggered often because mobile users usually don't go a day without turning on their device, Taylor says.
Fletcher Allen Health Care in Burlington, Vt., has taken a phased approach to mobile device management as use of devices grows. It started with iPhone users who wanted to synch their e-mail and calendar to the device, but had to agree to turn on the device's encryption function, use a password and permit remote wiping of the device if necessary, says John McConnell, enterprise architect.
Android devices did not have native encryption until the past year, and those users were further required to download the Touchdown bolt-on encryption app from the Android store. To date, smartphones, primarily iPhones, have dominated the mobile device use at Fletcher Allen, but tablet use now is growing and McConnell intends in 2013 to purchase secure messaging software and require its use on all mobile devices. He's also looking at software that prevents installation of certain apps, such as Angry Birds, but hasn't yet seen a business need for it, as mobile users have been responsible users.
The delivery system hasn't yet had to wipe data from a device, but uses software to remotely lock the screen and not permit access to data if a device is temporarily missing. McConnell admits he had to lock his own iPad after leaving it behind in a restaurant.
Fletcher Allen uses native ActiveSync MDM tools in its Microsoft Exchange Server 2010 servers, as well as the Haiku iPhone and Canto iPad mobile accessibility apps from Epic Systems Corp., its electronic health records vendor. Expanded mobile use, however, has been hampered by limitations in Epic's ability to support mobile computing, McConnell notes. "The challenge for us is to give access in a manner usable on a small touch-screen device and the software has to catch up." Using the EHR on an iPad has been possible but inefficient, as the device is great for looking up data, but not for documentation. Some users do document, using PocketCloud software from Dell Inc. The software creates a virtual keyboard and mouse on a tablet, along with a virtual desktop, but it's a "little clunky," he adds. McConnell expects Epic's next version of the EHR to have much more mobile functionality including touch screen features.
Still, the benefits of mobile computing already have become clear with significant workflow improvement for physicians and nurses, McConnell says. Clinicians are back to using a form factor similar to the clipboard they used before thin clients and PCs were put in exam rooms in 2009.
An iPad essentially is an electronic clipboard with information much easier to find. And mobile users can respond quicker to e-mails. As always though, there is a downside, as e-mail availability does increase interruptions.
The payer view
Some health insurers also are finding the need to develop mobile device management policies. Capital BlueCross in Harrisburg, Pa., "kind of backed into it" about five years ago, recalls Andy Hardy, technology specialist.
Telecommunications firm Verizon resells the Good Technology MDM products and sent 10 free licenses to the Blues plan, which was seeing some personal digital assistants with phone capabilities coming into the enterprise. But the licenses went on a shelf until the first iPhones came out a couple of years later, when some licenses were upgraded and put on a few phones to see how MDM technology worked.
Used to enable employees to access corporate e-mail on their smartphones, the MDM software now has been licensed for about 110 personal mobile devices and 10 corporate devices for unit managers and higher executives, Hardy says.
The software encrypts e-mail in transit and at rest, and can wipe corporate data off a missing device while leaving personal data on it. The corporate users have expanded, role-based read-only access beyond e-mail use. They can access the internal wireless network and additional corporate servers.
MDM users share their lessons
Organizations using mobile device management technologies have learned lessons along the way. Here are a few:
* A core lesson is that there is never a static version of MDM software. Vendors are constantly upgrading functionalities and performance on at least a weekly basis to keep up with provider needs, such as supporting radiologists and home health nurses, and ever-increasing security threats, says Jim Shellhamer, technical systems analyst, Lehigh Valley Health Network, Allentown, Pa. Home care nurses, for instance, no longer carry a three-pound laptop, but a 12-ounce iPad. They can easily show patients their data, and data is encrypted when transmitted over cellular networks or at rest. "The technology is only going to get more prevalent in our lives," Shellhamer adds. "MDM vendors will have to work day and night to keep up."
* It's important to understand just how fast the MDM market changes on a continuous basis, says Alan Dabbiere, chair of vendor AirWatch. "Most people don't realize there is a new version of an operating system coming out every 15 days." And every new version has functionality designed for consumers and not an enterprise. There is no way that health care organizations have the personnel or expertise to track all these versions and figure out how to make them compatible in an enterprise MDM environment. MDM vendors that make tracking and adapting to the changes their problem are the ones to consider, he advises.
* Mobile device management, by its nature, restricts use of certain functions on mobile devices, and providers must be prepared for the restrictions. Shellhamer suggests focusing on positive aspects of MDM, such as having mobile access to necessary patient information, while making sure users clearly understand they won't be able to email notes, take photos or put games on the devices. A lesson quickly learned was that facility engineers need an exemption from some restrictions. They need the capability to take and transmit photos so that a problem is better understood and a list of materials and an appropriate repair team can be quickly assembled.
* The big lesson for Fletcher Allen Health Care was that supporting mobile devices turned out to be a larger challenge than anticipated, says enterprise architect John McConnell. He has a good I.T. team, but they've spent most of their time working in a Windows PC environment and had a learning curve to master with mobile devices. He suggests getting I.T. staff their own mobile devices earlier in the planning stages, giving them more time to learn the quirks of the technology and how to support the devices.
* Cost was the lasting lesson of mobile device management for Capital BlueCross in Harrisburg, Pa. The insurer is pleased with its MDM services from Good Technology, but licenses cost $140 per device. Buying 120 licenses has brought some sticker shock, says Andy Hardy, technology specialist.