BYOD Policies: Why Healthcare Must Avoid Workarounds
Technology is transforming entire industries, including Healthcare. The shift from legacy Electronic Health Records to cloud-based EHR systems containing massive volumes of private patient information is one sweeping example of that change. Using big data analytics, healthcare providers can now leverage patient data on EHR systems for insights that can lead to improved standards of care and better outcomes.
To facilitate the availability and effective use of patient information, many healthcare institutions are now implementing Bring Your Own Device (BYOD) policies. These policies essentially allow employees access to private patient data from the EHR using their own personal mobile devices, such as smartphones and tablets.
While BYOD has real benefits in healthcare, specific processes and procedures must be implemented and enforced in order to prevent private patient data from being compromised. In addition, EHR systems must be easy to use. Otherwise caregivers may devise “workarounds” to circumvent safeguards, unintentionally compromising patient data privacy and security.
In a recent article on Healthcareitnews.com, Frank Irving, an expert on technology and business management for physicians, uses the successful 2013 rollout of a new EHR system and BYOD policy at Hahnemann University Hospital in Philadelphia to illustrate why healthcare must avoid “workarounds.”
In a nutshell, here are some of Irving’s more notable findings:
Data-access apps shouldn’t be in BYOD
According to Irving, the hospital had relied on a legacy EHR for fourteen years before implementing the “dual rollout” of a new system and BYOD. Irving claims that everything went smoothly partly because, “a virtual environment was established, with no data-access applications installed on the mobile devices.”
That’s an important distinction, according to Hahnemann internist and physician liaison Thompson Boyd MD, whom Irving quotes in the article. “There is no protected health information on any device,” Boyd explains, “You don’t download files, but you can get the electronic record as if you were on a desktop.”
BYOD clearly knows whereof he speaks. He was among the notable speakers and moderators at the mobile Privacy & Security Symposium at the mHealth Summit in December of 2014. Along with more than 20 other privacy and security experts from leading health organizations such as Intermountain Healthcare, Mayo Clinic, Kaiser Permanente, and Penn Medicine, Boyd shared best practices, case studies, and advice to help healthcare providers successfully address BYOD, malware, medical device security and other prominent mobile privacy and security challenges and threats.
Poor design encourages “workarounds”
According to Doctor Boyd, workarounds in general could be the result of poor system design. “If there is a reason for people to take a shortcut,” says Boyd, “it should be assessed during testing, when you really need to lock things down.” To illustrate his point, Boyd uses the example of an order for a chest X-ray, where an area on the digital order form—say a “reason box” where a doctor is required to type in the appropriate information—might be overlooked if the doctor is in a hurry. “It’s better to have a roll-down box where only those things that would be appropriate for a chest X-ray would appear,” says Boyd, “The physician simply picks the right one, and actually can’t pick the wrong one.”
All pertinent information must be found inside the EMR – For a BYOD implementation to work, all pertinent patient information on the electronic chart (EMR) must be found within. “You’re going to set yourself up for failure,” says Dr. Boyd, “if you have to click on something else outside of your EMR to get information from another source. People don’t like that; it’ll never fly. It’s got to be embedded in your record.”
EHR / BYOD system creation has a learning curve – When it comes to building systems that are in harmony with privacy and security policies, BYOD says, “…it’s an evolving process because mobile devices are relatively new and ever-changing.” In Hahnemann Hospital’s virtualized environment, BYOD explains that when a session stops no personal patient health information remains behind on a BYOD device, or another computer for that matter. This is important for a healthcare organization because, in the event that an employee’s personal device is lost or stolen, no private patient information will be compromised.
The benefits of technology in the healthcare industry are many and varied. As healthcare organizations adopt cloud-based EHR systems and implement BYOD policies to better serve their patients, taking note of how Hahnemann University Hospital did things the right way is a good first step to avoiding BYOD “workarounds” that could prove costly by compromising sensitive patient data.
