Whereas many healthcare organizations are still grappling with exactly how best to proceed with bring-your-own-device policies, Penn Medicine is in the final steps of completing one.
Associate CIO of Technology and Infrastructure John Donohue said Penn Medicine addressed the governance aspects upfront, a choice that has already paid dividends, and has benefited from having the CEO's support from early on.
mHealth News Executive Editor Tom Sullivan spoke with Donohue leading up to the mobile Privacy & Security Symposium, slated to take place on Sunday, Dec. 7, at the mHealth Summit outside Washington D.C.
Donohue will participate in two events: a panel discussion titled “BYOD and MDM: Reducing risk on the mobile perimeter,” and the Mobile Privacy and Security Genius Bar at day’s end.
He is one of more than 20 privacy and security experts from leading healthcare, academic and government organizations who will speak at the symposium. Speakers will share best practices, case studies and advice to help providers address BYOD, malware, medical device security and other prominent mobile privacy and security challenges and threats.
Q: For starters, where does Penn Medicine stand in terms of BYOD?
A: We are about 98 percent complete with a very broad, very comprehensive BYOD policy that I expect will be in place by the end of this calendar year. That policy will govern what type of devices we’ll support, what type of mobile health applications we’ll support, any information around stipends and reimbursement, appropriate use guidelines — so we feel very confident that we have a policy that will cover all the issues in a BYOD environment.
Q: So the natural next question: How long is that document?
A: Right now I think we’re literally at 24 or 25 pages. Some of that is attachments and exhibits around device standards, support standards. The bulk of the policy meat itself is probably around three or four pages. We’ve done a good job, I think, in defining different use cases and different categories of BYOD. I’ll give you an example: Some BYOD accounts will be limited to providing e-mail to corporate accounts for convenience. Other BYOD accounts will be accessing clinical information and allowing clinicians and physicians to practice via BYO devices. So with those we have the ability to manage different levels of security and privacy with an MDM solution that is “containerized,” for lack of a better word, and that allows us to virtualize devices between personal information and the corporate information also residing on that BYO device.
Q: Having gotten 98 percent of the way there, what’s the hardest part of BYOD from your perspective?
A: The hardest part for us has been around two things. One is the stipend or reimbursement model that gets built in. And two is what sort of HR action should take place if the policy isn’t followed. What kind of teeth are we going to have? And how will policy violations be handled? Those are things that have actually required the most vetting in our environment.
Q: And what kind of teeth do you have to enforce the BYOD policy?
A: It really falls into what I would categorize as appropriate use. We ask people to use Penn assets appropriately, whether it's a phone with PHI or printed materials on someone's desk, and we have a progressive discipline track, so when things aren't done properly we follow that. We're pretty serious about making sure people use these devices appropriately and don't put anything PHI-related at any risk whatsoever. The fact that we must have MDM on every device makes us feel more secure. We will not make any exceptions.
Q: What advice would you give other CIOs, CTOs, CISOs embarking down the BYOD policy road?
A: One of the things I'd do again is engaging with an IT consultancy; they really gave us some muscle. They talked to other academic medical institutions, so we were able to learn some lessons around what worked well in other places and what did not. I'll give you an example: There were a couple of organizations that went completely BYOD and then wound up backtracking after learning that they were taking on a significant amount of support responsibility for devices and plans. So even though we have thousands of devices, we have a very small footprint around that. If you took on 5,000 different carriers and phones, all of a sudden you'd need to have people who understand all those different devices and have a relationship with all the different carriers. So we learned that the folks who had been on the tip of the BYOD spear in many cases backed off, and we realized it needs to be a hybrid approach where you supply a certain number of your own phones to senior executives and senior clinicians. So by talking to these folks we were able to avoid skinning our knees a little bit or having to backtrack.
We talked to another organization that actually forced a payroll deduction because people were using the phones they had provided for not only conducting business during the day but also maybe texting people, making calls, doing what we all do with our smartphones. The payroll deduction caused a huge backlash that took more than a year to recover from.
Q: Finally, here, what would you do differently?
A: Two things. One, I would have started six months earlier. It’s a long process and I probably would have given it broader distribution during the early days. The other thing is Big Brother. You put the MDM on somebody’s phone, whether it’s provisioned or a BYO device, and they automatically feel like you can see their pictures, monitor their text messages. There has been some concern among people that we have that capability. It’s a bit of a misperception because, frankly, we have no interest and don’t have the resources for looking at people’s pictures, but it’s an issue and requires awareness and education about the MDM tool and what it can and cannot do. We’re at 7,500 devices today, and if we grow to 15,000, I’ll need to do a better job of articulating our intent for MDM just to quell some of those fears, some of those misperceptions.
The mHealth Summit 2014 runs from Dec. 7-11 at the Gaylord National Resort and Convention Center just outside Washington, D.C.
This story originally appeared on Healthcare IT News sister site mHealth News.