Giving BYOD a full health check
Companies in a variety of different sectors are benefiting from BYOD, but can healthcare follow suit? Andrew Jones investigates the pros and cons
Bring Your Own Device (BYOD) - literally using your own private IT device in the workplace - has become a business phenomenon as the popularity of mobile devices such as tablets and smartphones has rocketed. Inevitably the healthcare sector will be looking at BYOD as a possible answer to the need to lower spend and raise productivity, but can it offer this panacea in an environment where rapid, secure and reliable communications can be a matter of life and death?
The potential benefits of using BYOD build a strong case for its consideration. Users get to access the Internet and workplace services via their own, and most likely favourite, device, be it a smartphone or a tablet. The potential for the organization to save on buying separate equipment for this task is undoubtedly an attractive one.
For some organizations this can be a highly successful route to IT provision, but whilst the freedom of using your own device offers distinct benefits it also brings a fresh set of issues and potential problems – and the most pressing of these for the health sector is the one of security.
When dealing with patient records, surgery administration or other sensitive information, security is an obvious concern. Like most secure IT systems, healthcare security is only as good as the end point, i.e. the equipment that the user relies upon for access, and this is where a basic BYOD strategy can start to show its flaws. Even if the organization’s servers are secure, it is much harder to ensure that the user’s own device matches this level of assurance – unfortunately presenting another set of IT challenges.
Administering a large number of BYOD users and offering fully secure access (across any number of different potential software and hardware platforms) is at least as resource-intensive, in terms of both team and technology, as running a more traditional fleet of in-house supplied and owned devices.
Justified fears over security do not necessarily rule out using technology in new ways to offer greater productivity with reduced costs, though. It is an accepted fact that using well-targeted unified communications systems (those that work in tandem across different technology platforms such as telephones, pagers, email, IM etc.) can offer real-world time-saving, and therefore cost-saving, benefits.
Voice over IP (VoIP), which allows voice calls to be shared across the IT network on different devices, has grown massively in popularity over the last few years and gives a greater degree of flexibility over the device that team members use. Unlike straightforward data files, voice calls generally present lower security and confidentiality risks (and are less likely to be stored remotely), and are therefore no more of a problem than calling external or mobile phones – which has always been acceptable.
However, even voice, if it is presented over a loud audio device, can fall foul of security – live audible data is as much a security breach as that stored on a service, when it contains sensitive material.
Fears over users taking away devices (and the data stored on them), when they move to another employer for example, are just as well founded as anxiety over information being vulnerable to outside influences. Fears over the security of BYOD centre around the fact that users can (and have the right to) take their device away with them outside of their role. If the device is actually owned by the health organization there can be much more stringent controls over the security software and other applications that are installed.
Unauthorized software, such as spyware and viruses, updates and external links to software are all potential risks to security. The whereabouts of the devices and the functionality they have to operate outside the organization’s designated areas or sites require very strict controls, if highly sensitive data is to be secure. For example, it is easy to install security software on mobile devices that can, in an emergency, either lock down or remotely wipe any data on a stolen or lost device, making a failure to recover the device much less serious.
However, this exposes the business to potential problems, such as the cost of replacement (for the latest devices) and a lack of continuity – as personal devices have little protection of sensitive data without inherent inconvenience and cost.
The audit trail
The other major concern for the health sector over using BYOD technology is one of liability. Hospital owned systems are rigorously maintained and updated to meet the highest levels of quality demanded for such an important sector, which deals with life and death situations. If members of staff use their own, unregulated devices as their primary method of communications there are potentially serious gaps in the audit trail.
A vital member of the operating staff, for instance, will rely upon receiving information quickly and accurately to react to emergencies. If the BYOD fails to do this (perhaps through poor signal or another unforeseen problem), where do the hospital and the individual professional stand with regards to liability?
Ultimately there are important beneficial ideas for the health sector to learn from the BYOD phenomenon, even if it is unlikely to be able to wholly embrace it. BYOD can show ways of working that are natural to workers, especially younger workers who are more likely to choose their own communications methods and tools, but maintaining ultimate control over the outcome is the key.
It is unlikely that an ‘off-the-shelf’ device will be acceptable for critical healthcare communications, although there may be a place for it with regards to roles of a noncritical nature. However, modern healthcare-focused communications systems can easily use the latest technologies if they are ‘kiosked’ so that they have had additional functionality removed. This controls data and prevents misuse but devices can still be furnished with all the data access tools required to benefit from their capability to retrieve and display data.
Efficiency and performance in the healthcare industry come from dedicated staff using dedicated tools – the problem is one tool does not suit all. Allowing staff to use the right device for their needs, whether a smartphone or tablet, DECT phone or pager, requires the careful control of a dedicated IT/telecoms department to provide the right access, privacy and security demanded in a highly critical and important environment.