Healthcare going mobile

July 31, 2017

The healthcare industry has been using mobile devices and communications for quite some time, and the list of improvements mobile technology has brought to the field is seemingly endless. Health Management Technology asked a roundtable of relevant solutions providers for their input on what makes organizations successful regarding mobile computing, security concerns, staff tips, the challenges, and emerging technologies that could potentially change the way healthcare is delivered.

Greg Jones, Vice President of Technology, MobileSmith

What is your current security protocol or suggestion regarding mobile devices?

Our protocol requires HTTPS/SSL for all communications to external data sources. We support and recommend OAuth 2.0 authentication to data that requires user authentication. OAuth allows our mobile Front-end-as-a-Service app the capability to securely access sensitive data while ensuring usernames and passwords are maintained per the customer’s security policies. This allows our platform to easily satisfy healthcare providers’ security and HIPAA compliance requirements.

How is mobile computing bettering the healthcare experience?

Mobile has had a transformative effect on healthcare for both patients and providers. The goal of providing accessible, personalized treatment now is possible in a way that was unimaginable just a few decades ago. Telehealth can connect any patient to any doctor or specialist regardless of geography, improving outcomes and expanding our understanding of various conditions and factors affecting recovery. Mobile applications allow patients to take a more active role in their care through education, trackers, wearables, and reminders, elevating the conversation with their care team and advancing progress with increased data and analytics.

While considerable progress has been made in the past decade, mobile-based patient experiences are poised to drive even more dramatic transformation of healthcare as interoperability, privacy, and security systems become more standardized.

What are the biggest challenges surrounding mobile computing in the HIT field?

There are many exciting challenges today for HIT. As the Baby Boomer generation embraces technology more and more, expectations of how mobile technology can help them also have grown. HIT has the primary challenge of ensuring secure and reliable services while meeting the increased demand for what mobile can provide. For example, some of the technical challenges related to patients connecting to different practices include providing each patient with a mobile multipractice view of their health records, secure communications of those records with their health team, and patient-specific automated health-related mobile notifications.

HIT now is a global scope challenge, and hospitals are becoming more international. This can force HIT solutions to start supporting international data protections that are different than U.S. data protection laws. One example of this is Google Play’s updated Developer Policy Center. This policy update adds additional requirements on data protection under the EU-U.S. and Swiss-U.S. Privacy Shield framework.

What advice do you have for training staff to be cognizant of the potential threats to security with mobile devices?

Mobile security should be included as part of your HIPAA training efforts for all staff. Include awareness of any updated policies relating to mobile devices and app usage while at work. Caution staff regarding use of public Wi-Fi on both personal and company-provided devices, man-in-the-middle attacks, and how HTTPS can help prevent misuse of data. Be sure to highlight and document key processes, like how to report if your phone, containing sensitive data, was lost or stolen.

Be aware of all the apps that might be on your phone and how your permissions are structured. Native mobile apps installed from Apple or Google will help ensure you are using apps that have been reviewed by a trusted third-party review team. Although these are good starting points, apps from unknown developers can contain tracking functionality that may create a security vulnerability—for instance, the bad guy can create a profile based on where key personnel are located during a specific time of day. An additional level of security is to utilize enterprise app distributions to help further reduce security risks.

Steve Baum, Vice President, Products, PatientSafe Solutions

What is your current security protocol or suggestion regarding mobile devices?

Security is both a technology and policy consideration and needs to be addressed proactively in the technology assessment process.

Clinicians expect mobile access to key clinical information anytime, anywhere for a comprehensive view of the care delivered to each patient. This opens a new level of security concerns when data is accessed outside the hospital’s secured network. In these situations, PatientSafe partners with our customers to clearly identify the need to externally access patient information based on the clinician’s workflow. If there is a strong need for external access, we help hospital IT stakeholders design access for specific types of clinical users. In addition to access safeguards, we also design device security. For example, no data can live on the physical device.

Care team directory.
Courtesy of PatientSafe Solutions

On the policy side, PatientSafe partners with hospitals to understand workflows and build appropriate security policies prior to technology adoption. For example, when a customer adopts our clinical communications platform, we institutionalize policies on the information that can and can’t be communicated via the mobile device. This becomes a layer of workflow security protection to avoid workarounds to standard workflow processes.

The biggest threat to security on a mobile device is loss of a device that has PHI stored on it. Choose applications that do not store PHI on the device or that have strong encryption protecting the device in combination with a mobile device management process that allows you to wipe the device should it be lost or stolen.

The PatientTouch platform adheres to the following security protocols, which we recommend for all mobile solutions:

  • Data is not stored on mobile devices.
  • TLS encryption for all client-to-server communication.
  • Use of expiring authentication tokens.
  • HIPAA-compliant notification banners and pop-ups, i.e., PHI is not included.
  • Application-level, time-based security screens to protect on-screen data.
  • Individual unique user ID and passwords.
  • Ensure the application can match real-world workflows so that risky practices like sharing UN and PW workarounds just don’t happen.

How is mobile computing bettering the healthcare experience?

Healthcare enterprises are, by nature, highly dynamic, real-time interaction and connection-driven environments. Hundreds, if not thousands, of people in a constantly changing environment are attempting to work in concert to deliver safe and effective care. Mobile computing offers a transformative opportunity to deliver clinicians, ancillary staff, and patients real-time access to actionable data and clinical context, more effective closed-loop interactions, and reductions in workflow variation.

Rounding and assessments.
Courtesy of PatientSafe Solutions

For health systems, if a mobile workflow and collaboration platform can ingest data across the clinical, telephony, and device infrastructure while truly delighting the frontline user, the enterprise can un-tether its care teams from legacy workstations and the EMR-induced workflow fragmentation of the past. From there, care teams can easily create radical improvements in productivity and increased response times without feeling fatigued and dragged down by technology. IT staff streamlines maintenance and support management by consolidating multiple devices and applications into a single mobile platform via a dynamic interoperability layer that enables access to disparate infrastructures across disparate physical settings.

Mobile technologies also offer the opportunity to connect inpatient and outpatient settings on a much more dynamic and real-time basis, becoming a vehicle for truly unifying people and processes in an integrated plan of care across the care continuum—preadmission, the acute care setting, post-discharge, home, ambulatory, and long-term care facilities.

What are the biggest challenges surrounding mobile computing in the HIT field?

One of the biggest hurdles to overcome for mobile device enablement is wireless network configuration and management. Voice over IP on a mobile device over Wi-Fi is a highly specialized domain. Existing networks may not be designed for optimal coverage, which will negatively impact clinical communication reliability and voice quality. At PatientSafe, we provide end-to-end wireless network assessment and recommendations in partnership with Apple. For our Cisco clients, Fast lane is available to further optimize the network, prioritizing critical communications and delivering superior voice quality and reliability.

Investment and modifications may be required to support mission-critical applications.

The second major issue we work on with our clients is ensuring they have a mobile device management strategy, solution, and process in place. Decreasing hardware lifecycles puts the pressure on IT to upgrade devices more frequently. Coupled with the increasing pace of operating system updates and the ability of individual users to update operating systems on their own, keeping devices and operating systems aligned is an ongoing challenge.

What advice do you have for training staff to be cognizant of the potential threats to security with mobile devices?

We recommend initial training at rollout and ongoing training for staff to ensure they are adhering to the following best practices:

  • comply with your facility’s security policies;
  • don’t share your login ID or password;
  • keep possession of your device; and
  • mobile devices include nonsecure applications. Be aware which ones are secure and which are not, and don’t share PHI on the nonsecure apps.

However, we all know at the front line of care, clinicians will do what is most efficient to get their work done. We believe the majority of the security burden should be on the mobile application, not on the clinical end user. The less training, the less security information that care teams need to remember, the better. Mobile applications should make it easy for the end user to be in compliance by following these security protocols:

  • data is not stored on mobile devices;
  • TLS encryption for all client-to-server communication;
  • use of expiring authentication tokens;
  • HIPAA-compliant notification banners and pop-ups, i.e., PHI is not included;
  • application-level, time-based security screens to protect on-screen data;
  • individual unique user ID and passwords; and
  • the application matches real-world workflows so that risky practices like sharing UN and PW workarounds just don’t happen.

With the above protocols in place, there is no risk if a device is lost or stolen.

Brad Brooks, CEO, TigerText

How is mobile computing bettering the healthcare experience?

Mobile computing improves the healthcare experience much the same way it improves other areas of our lives: instant communication and information sharing where and when it is needed. Patients communicate this way in their personal and work lives and expect their providers’ communication to be just as efficient and in real time.

For example, one area where mobile is improving the patient experience is communicating critical lab results in the hospital. Patients spend needless minutes or hours waiting for a physician to review test results and consult them on next steps. Those delays are attributed to a tedious volley of pages, phone calls, and voicemail messages between nurses, the unit secretary, the lab, and the ordering physician. The result? Anxious, frustrated patients and distracted, burned-out providers. Not an ideal combination for improving the patient experience—or outcomes or costs. A comprehensive, integrated mobile communication platform is the answer.

One such organization that has made this transition from disconnected clinical communication to an integrated mobile platform is the 270-bed, nonprofit Kadlec Regional Medical Center in Tri-Cities, WA. The organization sought a mobile computing solution that would enable nurses, physicians, and lab technicians to instantly collaborate using secure, HIPAA-compliant one-to-one and group chats as well as share critical lab and test results.

Workflow changes also were necessary. For example, if a patient’s lab result was logged and noted as “critical” within the electronic health record (EHR), the nurse would receive a phone call, find contact information, and then call the relevant physician. This process could take hours.

By integrating the clinical communication platform with its Epic EHR, Kadlec Regional Medical Center now routes automated data from its EHR through its Infor Cloverleaf Integration Suite directly to the physician’s mobile device. Alerts appear the moment abnormal results are entered into the EHR and are easily shared with other specialists, even those outside of the hospital system.

A truly useful and effective mobile computing tool must streamline common workflow processes like these and enable instant and secure care-team communication and collaboration, regardless of their location. It should provide them with point-of-care access to a vast array of information, such as EHR data, laboratory information management systems, picture archiving and communication system, nurse call systems, scheduling, and answering services.

Most importantly, a mobile clinical communication platform should enable providers to spend more time with patients and less time trying to track each other down. The results are positive clinical outcomes, decreased costs, and an improved patient experience, all of which mean prosperity and longevity for the hospital.

Arun Mirchandani, Senior Vice President of Products, Vocera Communications

What is your current security protocol or suggestion regarding mobile devices?

If we’re talking strictly about encryption, AES 256, which is an encryption protocol commonly used for secure messaging, is recommended. It’s secure enough to send any kind of sensitive data or personal information through communication channels. But, it’s important to note this protocol works for more than messaging; AES 256 is a standard that works for long-term data storage as well. In fact, the protocol is approved by the Department of Defense (DoD) for the encrypted safe-keeping and sharing of classified information. For healthcare, it serves the purpose of providing substantial protection of health information and other sensitive data.

Moving beyond encryption, if we’re talking about web-based applications that run on a browser—including those used on mobile platforms—we use transport-level security or TLS socket-based communication. You’ve seen the “HTTPS” at the beginning of web addresses and, as I’m sure most of your tech-savvy readers know, that “S” stands for secure. TLS also is DoD-certified.

When providers and health systems are evaluating clinical communication and collaboration solutions, I recommend they aim high. Always work with a vendor that sets only the highest bar for security, especially as it pertains to mobile communication. At Vocera, we have DoD certification for our entire secure clinical voice communication system, including the Vocera Badge. We’re dedicated to AES 256 as a means for encryption because it’s the most secure, and we also are focused on remaining DoD-certified for all of the security technology we offer. Doing so ensures we’re genuinely keeping our customers’ data secure.

Getting DoD certification is not an easy process. Rigorous testing is required in a DoD-certified lab, and it can be an intensive process. Obtaining DoD certification is something that not everyone in the healthcare space is willing to do because, quite frankly, it can be challenging. However, if you stick with DoD certification, patients and providers will be left with a system that is unmatched in its security. There is no bar higher than the DoD.

Do you recommend that staff use their own devices or should devices be provided?

Personally, I am neutral on this particular question. In my opinion, security of mobile devices should be an overarching concern regardless of how the caregivers obtain the smartphones. What matters most are the policies in place to control the device while it’s being used for care coordination, clinical communications, and so forth. Mobile application management and mobile device management tools are an absolute must for healthcare, and these management tools need to be uniform for a BYOD policy to be effective, which means staff education has to be part of any good BYOD policy.

Collaboration Suite.
Courtesy of Vocera

The types of applications and access allowed depend upon the goals of a particular organization. However, offering a high level of control that enables the very specific management of what apps are allowed and what devices can connect to a network is a goal that transcends organizational boundaries. Savvy healthcare organizations want to ensure that only the right people—and the right devices—have access to a list of applications that are approved for use. That’s the box you want to operate in; and in this case, going outside that box isn’t a wise course of action. When you allow clinicians and employees to use apps that fall outside these parameters, that’s when you run into trouble—including the potential for a major data breach.

What are the biggest challenges surrounding mobile computing in the HIT field?

From speaking with health system CIOs, CNIOs, and CMIOs, common themes begin to emerge. While it’s true most see the potential of mobile computing to be nothing short of a blessing, the biggest challenge comes from managing the rapid change. Any time things are changing rapidly, inherent challenges emerge, and questions surrounding how to best react to change demand an answer. This can lead to frustration and fear, both of which can impede quick adoption.

My best advice to overcome this challenge is to take a step back and set some expectations. Look closely at what the user population is doing and genuinely look for ways that mobile technology can be implemented to make workflows and communication simpler. CIOs, CNIOs, and CMIOs need to constantly be getting feedback from their clinicians, and they should thoughtfully and methodically roll out mobile solutions that improve the lives of both care teams and patients without sacrificing HIPAA compliance, privacy, or security. This approach should start at the highest level and trickle down. That way, when mobile devices finally end up in the hands of all nurses and doctors, most of the concerns have been ironed out, and best practices have been established.

Most importantly, C-suite leaders need to own the adoption. Leadership needs to be willing to take responsibility for any bumps in the road that occur along the way. Really, this rule applies to the adoption of any emerging technology. Looking back at EHR adoption, the concerns were very much the same. People are resistant to change, but if the change is truly supported by clinicians and leadership that gets complete buy-in, eventually it will become a normal day-to-day part of reality. Mobile computing in healthcare still is in its infancy, but someday it will be the norm.

How are operating system challenges best dealt with?

For us at Vocera, it was a change going from a world where we had full control over everything—from software to hardware to the devices themselves—into a world of smartphones and tablets where control is more complex. It’s exciting, but the influx of consumer devices also presents challenges for health systems, not to mention vendors like Vocera. Why? Because the software and hardware of consumer devices are changing rapidly, and staying compatible while ensuring security requires constant research and education.

Keep in mind that the changes made to iOS or Android operating systems aren’t always positive. Updates can adversely affect the user experience or create new security vulnerabilities. To make matters worse, sometimes updates to an operating system can crash a device. While these improvements are necessary to advance mobile computing, they can bring challenges with them.

The way to combat all of this is for health systems and other organizations, as part of a BYOD policy, to discourage users from instantly upgrading the operating systems on their mobile devices until the compatibility of vendor apps is ensured and they are signaled to do so. Here is where it becomes advantageous to have in-house devices, because healthcare organizations will have more control over events such as updates.

If you’re dealing with a situation where users bring their own devices, it’s important to have policies in place that discourage automatic updates and the downloading of apps from Google Play or the App Store. You never know when an improvement can bring a serious setback along with it. So, once again, education is the key to overcoming challenges surrounding mobile operating systems.
