EXECUTIVE SUMMARY:
Not only are hospital, health system, and medical group CIOs and clinical informaticists deploying handheld mobile devices across their enterprises as clinical computing tools; clinicians, especially physicians, are increasingly bringing their own BlackBerrys, iPhones, iPads, Android devices, and other handhelds, into patient care organizations for their personal clinical use. Not surprisingly, the challenges-as well as the opportunities-are multilayered and complex, and include the strategic planning, infrastructure, clinician preference, clinician workflow, and security issues involved in the emerging mobile handheld revolution.
The diversity of approaches among CIOs and other healthcare IT leaders on such issues is striking, and underscores the need for flexibility and nimbleness going forward.
Denis Baker, vice president and CIO of the 805-bed Sarasota (Fla.) Memorial Hospital, believes strongly in the future of handheld mobile computing. Last year, he agreed to let his hospital be the alpha site for the testing and refinement of the concept that became the Voalté One product from the Sarasota-based Voalté. The product, which has been live on two of 12 patient care floors and in all of the hospital's critical care units since last July, has been deployed on iPhones and enthusiastically adopted by nurses, who send and receive secure, encrypted text messages and receive critical care alerts throughout the day. [For examples of how hospitals around the nation are deploying handheld devices, see sidebar on p.12.]
iPad Invasion
Will Apple's new device be a “game-changer” for physicians?
One of the most intriguing questions of the day is this: Will Apple's new iPad find a special niche use in healthcare? It's a question that is strongly dividing physicians and other clinicians. Some physicians were among the first to rush out to buy the iPad the moment it came out this spring, and many of them are thrilled with its form factor and functionality. Others are a bit more skeptical about its potential as a “game-changer” for clinical computing. There does seem, however, to be a broad consensus that the iPad is yet one more device that is adding to the appeal of clinical computing for a group of healthcare professionals who were once more likely than not to resist the Information Age. Thanks to newer devices that are making computing more user-friendly, even fun, these same healthcare professionals are becoming more and more engaged.
Some CMIOs in particular are enraptured with their iPads. “I love it!” exclaims William F. Bria, M.D., CMIO for the Tampa-based Shriners Hospitals for Children. “I was afraid it would be a big iPhone,” says Bria, who is also president of the Association of Medical Directors of Information Systems (AMDIS), “but it's not. The larger display size, combined with the engineering of the weight and feel-what's happened is that they've broken through to a usability experience. And the extra screen size and touch interface together really change the game.”
Joe Bormel, M.D., chief medical officer and vice president at the Reston, Va.-based QuadraMed, agrees. The iPad, Bormel says, is significant because it is moving medical minds forward towards a full-fledged embrace of clinical computing, as no other device has yet done. “We've gone from ‘Over my dead body will I touch technology,’ to this,” he enthuses.
Adds Bormel: because physicians are rushing out to buy iPads, if CIOs can configure system security correctly (at the server level), “there's not that issue of beating up the vendor to get support for it.” As a result, he says, physicians will pay their own way to bring such devices into the patient care setting, bringing advantages both in terms of physician preference and in terms of economics, as long as the security can be worked out.
Lyle Berkowitz, M.D., medical director, clinical information systems at Northwestern Memorial Physicians Group in Chicago, takes a slightly more cautious view. “Will the iPad create a more efficient or effective environment?” Berkowitz asks. “Like most technologies, it has the potential to do so; and I think we'll see both success and failures. I think the successes will mostly relate to the easy, quick access to an application in an environment that requires mobility, such as inpatient floors, the emergency department, and home care, as compared to the more stable setting of an outpatient office.”
What is clear is that the appealing form factor of the iPad is engaging more physicians more enthusiastically than have many other types of computing devices in the past. And, given the hyper-competitive nature of the general mobile device market, it's virtually certain that competitors to Apple will move forward with potential rivals to the iPad, so, as with all the other devices being tested and deployed in healthcare right now, the phrase “stay tuned” seems to apply rather well in this instance.
“The huge amount of text messages flying back and forth has been noteworthy,” Baker says. “We got a report from Voalté last week that our 100 phones are generating 15,000 messages a week.” Indeed, given that “the average age of our nurses is 46 or 47,” Baker admits to some surprise at the level of enthusiasm of his nursing staff for this new technology on handheld mobile devices.
On the other hand, he notes, secure, encrypted texting is a great way for nurses to communicate short, routine messages to each other, because it is less interruptive of their patient care workflow than phone-calling, and it works very well.
A THOUSAND FLOWERS BLOOMING-IN DIFFERENT GARDENS
Given the dizzying range of variables and considerations involved, it's no wonder that IT leaders at different patient care organizations are approaching the whole area of handheld mobile devices in strikingly diverse ways. For example:
The multi-hospital University of Pennsylvania Health System (Penn Medicine), Philadelphia: Vice President and CIO Michael Restuccia and Associate CIO and Chief Technology Officer Brian Wells have hewed to a middle-of-the-road approach. They are allowing clinicians to bring in their own BlackBerrys and iPhones, but are requiring that the IS department be able to configure individuals' devices to remotely shut them down if they are lost or stolen. In addition, they are disallowing any kind of saving of data to the devices themselves, as well as demanding that any approved device be a self-locking mechanism. At present, Penn supports BlackBerrys and iPhones, and is testing out iPads. It is waiting for the next generation of Android devices (with enterprise capabilities) to come out in order to authorize anything Android-related.
Emory Health System, Atlanta: Technical Analyst Jason Stanaland is helping clinicians replace pagers with BlackBerrys and iPhones, using a pager replacement communications solution from the Eden Prairie, Minn.-based AmCom.
Community Care Physicians, Latham, N.Y.: At this 200-provider, 35-site multispecialty group organization, Chief Technology Officer Sumeet Murarka and Chief Medical Officer Barbara Morris, M.D., have facilitated the use of the Chicago-based Allscripts' core electronic medical record (EMR) on the iPhone for their physicians. In fact, Morris was the first U.S. physician to work within the Allscripts iPhone EMR app when it came out last summer. Their policy continues to be to distribute security-configured iPhones and other handheld mobile devices to physicians, rather than encouraging physicians to bring in their own individual devices. Murarka and Morris are also testing the iPad for potential suitability.
The 485-bed UPMC Mercy Hospital, Pittsburgh: At one of the 20 hospitals that make up the University of Pittsburgh Medical Center health system, CIO Bruce Haviland, working with Bill Fera, M.D., a UPMC physician informaticist, has deployed fully secured BlackBerry Curves for nurses on patient floors. Using a system of drop-down menus, nurses are successfully sending brief, time-sensitive yet routine “quick-text” messages to one another. The program, launched several months ago, has been very effective and very well received by the nurses, Haviland says. The hospital is allowing individual physicians to bring whatever handheld mobile device they wish into the hospital. However, those devices are restricted to the general, unsecured Wi-Fi access that any individual, including guests, would have, and are carefully kept out of any potential contact with the hospital's Citrix server. Meanwhile, as at countless hospitals nationwide, Fera and other clinical informaticists are testing out the potential of the iPad for physician use; but Fera and Haviland don't see a large organizational role for iPads at this point in time.
Oregon Health and Science University, Portland: Chief Health Information Officer Thomas Yackel, M.D., helped his organization become one of the first two in the country (the other being the Swedish Healthcare System in Seattle) to deploy the Verona, Wis.-based Epic Healthcare Systems' Haiku (EMR for mobile devices) on the iPhone. Yackel reports that physicians are not only looking up results via Haiku on their iPhones, they are also doing some secure messaging within the application. In addition, the physicians are taking steps towards some limited clinical documentation, such as reviewing and co-signing residents' notes.
Swedish Healthcare System, Seattle: CIO Janice Newell and CMIO Thomas Wood, M.D., have made their four-hospital system one of two hospital organizations in the country to deploy Haiku on the iPhone. About 500 iPhones have been distributed to physicians, Newell reports, while numerous other doctors are bringing their own in and obtaining approval to import Haiku onto their devices. Newell says security protocols built into the system, include system configuration to disconnect the device from Epic within five minutes and password protection. Given such provisions, Newell says, she feels confident in the security of the situation.
Kaweah Delta Health Care District in Visalia, Calif.: Dave Gravender, vice president and CIO and Roger Haley, M.D., medical director of information systems, have embraced the “bring-your-own-device” philosophy, based on strategic, infrastructure, and economic concerns. In terms of the economics, Kaweah is an integrated health system with one 529-bed inpatient facility. It is partly publicly funded and partly private, with relatively limited IT resources. Strategically and in terms of infrastructure, Gravender explains that they rely on the Citrix Receiver solution in order to ensure the security of all the devices physicians bring into the hospital. That solution enforces PIN entry, automatically wipes any device clean after 10 unsuccessful PIN entries, and prevents any data storage on the device. And rather than focusing on device-specific EMR applications from vendors, Gravender believes that the optimal approach is to optimize server access and encourage physicians to bring in their own devices.
Alegent Health, Omaha: At this eight-hospital system, Chief Clinical Information Officer Susan Lorkovic, R.N., and her colleagues are treading cautiously, even as their organization has had a long history of working with early versions of handheld mobile devices. While testing out the iPad for possible activation, they have provided respiratory therapists and laboratory phlebotomists with Motorola Symbol pocket PCs for charting (respiratory therapists) and positive patient identification for blood tests (phlebotomists). And they are allowing physicians and other clinicians to bring their own devices into the organization and allowing them to access the Wi-Fi network.
The Voalté/iPhone rollout will continue until it is enterprise-wide at Sarasota Memorial, Baker says. Of course, what he and his colleagues are rolling out at their hospital is only one of an astonishingly wide range of initiatives taking place nationwide around handheld mobile devices. Indeed, not only are hospital organizations and medical groups deploying handheld mobile technology (iPhones, BlackBerrys, and now iPads and even Androids) for clinicians; many clinicians are bringing their own devices into patient care organizations. This is forcing CIOs and clinical informatics to move very quickly to respond to clinician demands and preferences. In other words, the revolution of handheld mobile computing is already upon us.
PRESSING QUESTIONS ON STRATEGY, SECURITY
Nationwide, the landscape around handheld mobile device policy and process is extremely diverse, with CIOs and clinical informaticists at patient care organizations taking wildly different approaches to the proposition (sidebar, p.12). Among the key questions clinical IT leaders are trying to answer for their organizations:
Should the organization purchase and deploy handheld mobile devices? Allow clinicians to bring in their own? Do both? Neither?
How does the potential use of handheld mobile devices intersect with whatever existing clinical information systems, and messaging, paging, and other communication systems the organization has? What about server configurations?
Even more broadly, what do the organization and its clinicians want to accomplish? If the ultimate goal is to allow physicians and nurses to do extensive clinical documentation on a computing device; that's one thing. But in most cases, the handheld mobile devices are being used for far more limited, time-sensitive purposes, such as messaging, checking e-mails, looking up tests and other results, and in many cases, inputting limited clinical information, such as vital signs.
Anticipating the future is a particularly tricky proposition. The devices themselves keep changing as new ones keep coming onto the market. At the same time clinical IT vendors are beginning to push out applications meant to run on specific devices. For example, Apple's iPad, still a technological infant in the broader scheme of things, already has dozens of apps developed for it.
Meanwhile, because clinicians, particularly physicians, are beginning to bring their own devices into hospitals and clinics, the “normal” historical process of clinical IT strategic planning is being turned upside down. As a result, clinical IT leaders are being forced to react to that phenomenon long before they might otherwise move ahead with IT deployments.
Above all, data security concerns loom large in this “Wild West” computing landscape. Organizations' responses to the security risks are as varied as are their overall approaches in this area; but all those interviewed for this article agree that security will remain a preeminent concern for the foreseeable future.
There are countless variations on the approaches individual hospitals, medical groups, and health systems are using in order to address the handheld mobile device phenomenon (see sidebar, pp. 12-13). And, as everyone interviewed for this story agrees, no one has found an ideal “silver bullet” approach that will strike the perfect balance among clinician preference, data security, operational effectiveness, and budgetary concerns.
MANAGING MULTIPLE ‘MUSTS’
Indeed, CIOs are finding that managing all those competing considerations at once in a rapidly evolving technology environment is proving to be a gargantuan challenge.
Doing so means making careful calculations, and often adjusting those calculations as experience and situations demand. But pleasing clinician end-users while ensuring data and system security are inevitably opposite end-of-the-spectrum tension points in this puzzle, and thoughtful CIOs understand that. “As a user, you want ‘instant-on’-you want to take a device out of your pocket, turn it on, and start doing things,” says Sue Schade, vice president and CIO of Brigham and Women's Hospital in Boston. “So the security elements-password, log-in time, and so on-are all very important things; they can't be cumbersome or slow.”
On the other hand, says Schade, data security has risen to the very top of her list of concerns, partly because of the enhanced data security requirements created by the passage of the federal American Reinvestment and Recovery Act/Health Information Technology for Economic and Clinical Health (ARRA-HITECH) Act, and partly because of the explosion in handheld mobile device usage.
One good lesson learned here, as we went through the process of enforcing our protocols on the automatic lockout on mobile devices, is that any enforcement, as logical as you think it might be, is going to be met with resistance.-Michael Restuccia
So while Schade says she totally empathizes with clinicians' usability needs, she has to carefully balance those out with critical security needs for her organization. In her case, she and her colleagues have been piloting the use of certain clinical applications on BlackBerry devices, while also investigating possibilities around the iPad.
But what about widespread concerns over the Apple iPhone OS underlying the iPad? Could infection take place, despite precautions being taken? “I do think it's a real concern,” Schade says. “We're evaluating whether to bring the iPad in, and certify it in some formal way. Anytime you have a personal device that we don't manage, you have to have your policies in place regarding anti-virus software running on that device before you can let it into your network,” she cautions. “But I think the days of us as CIOs controlling who uses what devices, are kind of gone. So I see us as partners moving more in the direction of trying to figure out how we still protect our network and assets, while allowing some of that flexibility.”
Schade is far from alone in her concerns over data security in this rapidly evolving environment. A recent survey of healthcare IT executives found that 47 percent of those surveyed believe that their own personal health information is less secure than it was 12 months ago.
“That result,” says Elizabeth Ireland, vice president of strategy for nCircle, the San Francisco-based data security firm that conducted the survey, “shows the tension between the drive to create greater efficiencies in electronic medical records, and the complications involved in keeping that information secure. And when security professionals express those concerns, they're acknowledging that there are some difficulties involved.”
One very basic problem, says Mac McMillan, CEO of the Austin, Texas-based firm CynergisTek, and the current chair of the Privacy and Security Steering Committee of the Chicago-based Health Information and Management Systems Society (HIMSS), is that healthcare IT leaders “are attacking this from the wrong direction. Everybody is attacking security from a point-solution perspective, in other words, focusing on the device instead of focusing on the data.” And, says McMillan, “If you are literally relying on some control over every device that comes along, you'll never stop chasing that rabbit.”
Instead, McMillan urges, CIOs and their colleagues need to “limit their risk by limiting where clinical information lives and where it moves. If I configure the system to disallow users from moving data around, I've limited the amount of exposure related to mobile devices. And that's where things like DLP [data loss prevention software] come in.” With that type of technology he says, he “can start looking at what any particular user should be allowed to do and where they're allowed to use it.”
“With any new technology comes the need for experience in the use of new technologies,” says Brad Johnson, a vice president at SystemExperts, a Sudbury, Mass.-based consulting firm specializing in security and compiance issues in all industries. “And implementing such technologies requires helping the end-users to understand the security risk. And a lot of that has to do with process and policy.”
All CIOs and their clinical teams in hospitals, health systems, and medical groups will be challenged to balance out the needs and desires of hardworking clinicians, and the opportunities to improve care delivery, with the inevitable data security concerns.
As everyone works through this early phase of handheld mobile adoption, Penn Medicine's Vice President and CIO Michael Restuccia says, “One good lesson learned here, as we went through the process of enforcing our protocols on the automatic lockout on mobile devices, is that any enforcement, as logical as you think it might be, is going to be met with resistance. So you really need to have thick skin, to have really good executive support, and to educate; and I think you have to stick to your guns, because the downside of not protecting data is far worse than the bullets and arrows that are going to be shot at you.”
Healthcare Informatics 2010 August;27(8):8-14
