Time to Address BYOD is Running Out

For years my colleagues and I carried a phone for personal use and another for work. I have fond memories of the “Batman utility belt” and how during the ‘90s the number of devices you had attached to your belt signaled your status in life. The more devices you carried, the more important your inflated self-perception. Thank goodness those days are now history as devices are smarter and provide a broad range of functionality and capability.   

Consumers along with physicians and nurses now use devices for both personal and professional purposes. Clinicians are bringing their own mobile devices (BYODs) in droves to work to communicate with each other about patients, exchange data and access medical apps.

With such fast-paced changes in the mobile medical world, the BYOD movement has raised serious privacy, security and liability risks for providers. The risks have grown even more acute since President Obama in July signed into law a bill allowing the U.S. Food and Drug Administration (FDA) to regulate mobile medical apps.

What types of mobile apps will be regulated won’t be known until the end of the year when the FDA is expected to issue guidelines. However, the agency signaled its intentions to the healthcare industry and mobile app developers when Jeffrey Shure, M.D., J.D., the director of the FDA’s Center for Devices and Radiological Health, told a National Public Radio reporter, “There are apps today that change a mobile platform into an EKG machine. When it’s being used to diagnose patients, it’s a medical device we believe subject to FDA oversight.”

Given that the FDA has indicated for any app that turns a mobile device – iOS, Android, BlackBerry, Windows – into a diagnostic medical device, every hospital and health system must address BYOD, and the sooner the better. Unless proactive provider leadership renders guidance, employees will continue to bring in devices and to use them however they see fit.  

For this very reason it is imperative that providers develop a BYOD policy as part of an overall enterprise mobile strategy. As a first step, providers must ask the following: How should the devices be used? How can mobility assist workflow, access to information, employee satisfaction and internal communications? Understanding what gaps must be filled is a prerequisite to what types of apps should be used and the business cases supporting them. Researching the answers will help in identifying the allowable and banned apps and determining whether the device will be leveraged as an extension of the provider’s EMR tool; for example, an EMR extended app is allowable when physicians are downloading an EKG or monitoring a patient’s contractions and vital signs from home or other remote location. There also must be an established method for authorizing new apps since app development is only going to increase.  

The second step and one tightly integrated to the first, is to select the types of devices or platforms that IT will support. Many providers take the approach to support several different platforms – Android, iOS, BlackBerry, Windows; but, regardless of platform, the same governance policy must apply. Given the speed of adoption, other platforms should equally be part of the approval process.   

After organizations determine the platform and software to be supported, they can decide the right security framework to monitor, audit and secure the content to be viewed, archived and sent to and from mobile devices, as well as the ability to remotely wipe the device if lost.  

The bottom line is that providers have to develop a mobile strategy because there are thousands of medical apps accessible to clinicians. Many of those are already being used in practice without the consideration of security, compliance or governance of any type. Hospitals and health systems must align mobility with HIPAA, HITECH and FDA compliance efforts to protect patient data, themselves and their physicians. This is not only a smart and prudent risk management and business decision but one that will help insulate a provider’s bottom line in more ways than one.