The Accenture Consumer Survey on Patient Engagement explores whether doctors are delivering on the growing patient demand for access to EHRs and other electronic capabilities.
According to the info below, more than half of global users would switch to a doctor using EHRs with Brazil, France, Singapore and Spain registering well more than 50 percent of all patients willing to switch. In the US, the number of switchers hoovers at around 41 percent.
I’m a cynic and I’m snarky. They are character traits earned from my days as a reporter at the newspaper. Constantly being pitched the greatest new thing meant to change the world when rarely these things lived up to their promise made me this way.
The latest offering from the Office of the National Coordinator for Health Information Technology (ONC), the site is being billed as a place for public input to update the Federal Health IT Strategic Plan.
According to the site, the plan outlines goals and strategies for the nationwide shift to electronic health records and information exchange, and for creation and spread of new health information technologies. “On this site, you can learn about these issues and be part of the public discussion that will shape the new plan. Whether you’re a patient, consumer, provider, insurer or IT developer, you should have a voice in this process.”
The rest of the site focuses on a variety of topics in discussion board fashion (think late ‘90s comment-based webpage) where consumers, the general public and anyone else with an opinion of any kind can respond to the seeded ONC topic.
Some of the topics include:
Current Efforts: Empowering consumer action
Current Efforts: Shifting attitudes
Supporting “shared decision-making” through health IT
Supporting “personalized healthcare”
The list goes on, with a few sparse comments to support the topics addressed, and some questions and responses.
The rest of the site features some meager announcements and a bit more info about PlanningRoom.org.
I’ve been a supporter of many of HealthIt.gov’s work and have featured it multiple times on this site for the availability of their information and the organization’s outreach to the public and the HIT community, but PlanningRoom.org is a limp attempt at a public information movement.
I’ve got to hand it to ONC for trying to engage the public in an information and educational campaign, but this effort wreaks of propaganda. For the most part, the comments are thin and generic and the “conversation” here seems someone staged.
This sure seems to resemble the acts of a start up site looking to generate page views and buzz. Certainly, there are people interacting with the site, but it comes off as fluff; a bit too polished if you will.
Call it the cynic in me, but at present, this effort just isn’t enough to make me think it’s going to drive any real change. Perhaps as it grows and evolves it will be worth a lot more, but in its current, state, not so much.
David Finn, health information technology officer for Symantec, discusses healthcare technology security, HIPAA and meaningful use and the most pervasive security issues health IT faces in the months and years ahead.
What issues do healthcare leaders face from a security perspective?
Well, that is part of the problem right there. Healthcare leaders are inundated with new requirements and market changes. So, there is Meaningful Use, ICD-10, ACO, HIE, new privacy and security requirements – – all in a relatively short time frame – – to name a few. On top of that, you are likely doing that with decreasing reimbursement, a difficult labor market and limited capital budgets. Security, while mandated, frequently falls to the bottom of the list because it doesn’t directly impact care or add to the bottom line. That is a short-sighted view of security. Security needs to be strategic to the business of healthcare, not just IT.
Why? What can they do about this?
Much of this has been driven by HITECH and the Affordable Care Act. So, there are regulatory components and that, in turn, has driven many changes in the healthcare market. Providers now have to do a lot of these things just to keep their heads above water – – not to mention the statutory requirements. The most important thing is to get started … you may not be able to do everything all at once. You do have to understand what needs to get done and then prioritize those things for your organization and get started.
How are HIPAA changes affecting care, coordination, tech implementation and the ability of physicians to do their jobs?
HIPAA has been around a long time and, frankly, if the industry had dealt with these things effectively starting back in 2003, which was the compliance date for the Privacy Rule and then 2005 when the Security Rule became the law, we’d be in much better shape today. Unfortunately, the incentives and drivers were not aligned to make that happen. Don’t get me wrong, a lot of things got started and don’t forget technology is very different than it was 10 years ago – – mobility, virtualization, cloud. We also have a much larger installed-base of EHRs across the entire continuum of care. So, now we have tools that really can aid the physicians and other clinicians in getting things done faster, wherever they are, at their convenience, but we’ve lagged in a lot of the security issues around those new technology tools. And, unfortunately, often systems are put in without proper attention to workflow or process improvement. Organizations that hurried to get some of these things in are now going back to “fix” them.
How is/will meaningful use impact healthcare? Are there security issues?
While the debate is still raging, few would argue that better access to information for providers and patients is a good thing. Meaningful use – capturing and using the right clinical data – over time, will improve the quality of care and outcomes and should reduce costs. It will not happen overnight. Yes, when you have confidential, legally protected information, you have security issues.
How has the push toward EHRs changed the security of healthcare? In what ways?
As healthcare has digitized, it has increasingly become a target for the “bad guys.” We not only keep names, addresses and dates of birth all together to make it easier to care for and bill patients, we also include social security numbers, credit cards and insurance accounts. And every time you share that information (between providers, with an HIE, a drugstore, registries, schools and more) you create another potential point for that data to go astray or someone to maliciously take the information. In the “paper days” a doctor might take home a dozen charts to review; today a jump drive can contain hundreds of thousands of patient records. When all the charts could be locked in a room at night at least you knew where most of them were and they were safe. Information now lives on networks – – in databases, in Word documents, spreadsheets. It can get cut and pasted from an EHR screen into an email and sent anywhere. While many of the issues are the same, the scope and scale of the problem is sometimes hard to imagine. It was horrible for those dozen patients if the doctor’s car was broken into and charts taken, but when you have breaches of hundreds of thousands or even millions of patient records, it can be very difficult to manage and address. And this doesn’t even begin to address the cost issue around a data breach.
In relation to security, what are some of the most pervasive issues physicians face? What are they more surprised by?
Well, mobility is here to stay and yet most organizations don’t even have policies around mobile devices. Social media is a growing concern, whether you are a large healthcare system or a single-physician practice. The underlying problem is not knowing where that patient data is. Nearly everyone is surprised when you start to show them how that information comes into your organization or practice, where it goes and who uses it and how it may leave the organization. There are tools to help you find, manage and track the data, but most people are still focused on the EMR, the PCs that clinicians use. The issue is the data and the problem is the data is everywhere.
What are some of the most overlooked security protocols?
First, is encryption. If you are focused on the data, the best thing to do is encrypt it. That said, encryption is not a panacea and just encrypting everything is not a good answer. Things like laptops, tablets, smart phones, backup tapes, jump drives – – those really need to be encrypted. The other thing is understanding your data and there are tools, like Data Loss Prevention tools, that help you find the data;who created it, how it is being used and so on. If you don’t understand the data, you can’t really protect it appropriately.
Is the health IT market overly paranoid when it comes to security and breeches?
Based on the number of records breached since 2009 — 20+ million — I’d say the IT market needs to do something. Being paranoid about breaches is one thing, actually managing your data and mitigating potential breaches is another. It is time for the industry to take the issues of privacy and security seriously, assess the problem, develop a plan, get the money and start fixing it. Healthcare has to realize this isn’t a technology issue – – this is an enterprise issue and it starts with your people.
How will health IT security change in the months or year ahead? What trends can we expect? What’s irrelevant? What’s not?
I think you will see privacy and security being addressed as part of a system implementation or a process improvement initiative instead of something you try to do after the fact. If you do it afterwards, the security is never is good and always costs more. You’ll see more training and policies that address mobility, social media. I think as enforcement picks up and fines increase, healthcare will recognize that this not just a technology problem. I think you’ll see a lot more training and awareness around privacy and security. More investment in tools that monitor data and in that sense are monitoring workforce behavior around patient data – – regardless if it is on email, the EHR, web sites – – it is still the patient’s data. You’ll also see more focus on identities and authentication, it is likely coming in future regulations, but the other part of protecting the data is making sure only the right people get it.
Here is what is irrelevant: 1) Policies that are not enforced or cannot be enforced; 2) Enforcing policy and procedure inconsistently; 3) Thinking this is an IT or security problem when it is an enterprise wide, cultural issue.
Anything else you’d like to mention that I haven’t asked?
First, I think now that we have all these EHRs up and running and are collecting all this data digitally, the industry is just figuring out how to use it to drive improvement. So, big data, analytics, informatics – whatever you want to call it – will be a huge driver. Big data comes with some unique security and data management issues.
The next tidal wave in health information technology that we are not doing a good job addressing, yet, is the medical devices. These are often patient-touching devices ranging from anesthesia machines to smart-pumps, which may deliver controlled substances or chemotherapy to pacemakers. More care is being driven to the home and remote home-care is a growing area. Yet, these devices tend to run old operating systems, can’t take the newer protective software, yet they are on hospital networks, connect to the Internet and are unmanaged in terms of information technology. Many of them store and transmit patient data and the issue just isn’t getting the focus it needs.
David Finn, CISA, CISM, CRISC is the Health Information Technology Officer for Symantec. Prior to that role he was the Chief Information Officer and Vice President of Information Services for Texas Children’s Hospital, one of the largest pediatric integrated delivery systems in the United States. He also served as the Privacy and Security Officer for Texas Children’s. Prior to that Finn spent seven years as a healthcare consultant with IMG/Healthlink and PwC. Serving last as the EVP of Operations for Healthlink.
Texas Children’s Hospital won the ECRI Institute 2007 Health Devices Achievement Award, and because of Finn’s departmental support, TCH also was awarded recognition for Employee Support of the Guard and Reserve. Finn also received the Symantec Visionary Award in 2008 for Security. He has presented nationally and internationally on such topics as project management, professional leadership and staff development, and privacy and security. He has contributed to or written articles on IT Management, Disaster Recovery and Security for such as journals as CIO Digest and Baseline.
Skype and unbridled communication between caregivers and their patients has opened a great many opportunities for care to be offered the world round, from a variety of locations within our own communities to remote and unconventional places in other areas of the world.
In a nutshell, Dr. DeShan spends several months in Russia each year leading an international medical mission where he serves some of Moscow’s most needy, as well as delivers care to some of the world’s remote people through journeys into the wilderness.
When he’s in Moscow serving patients, she’s able to stay connected to his practice in Midland Texas, where he’s a partner at a thriving OBGYN. Aside from relinquishing a few of his daily duties, such as delivering, he’s able to maintain a full patient load and he does that in part using the web and tools like Skype to maintain contact with them and with his practice.
Personally, I believe the work DeShan is doing is fascinating. He’s using his talent and skill to follow his passion and his calling in life. His practice and his patients are in support of his work and in no way does he keep it from them. Those patients that were not comfortable with interacting with him part time through the web were assigned to other practitioners.
However, I’ve always wondered if Skype is a tool that can be trusted for such work. Despite his good deeds, I always wondered he’s in HIPAA compliance.
According to a recent article in Medical Office Today, I’m not the only one. According to the article, “Notwithstanding the fact that Skype is ubiquitous, its use may be inappropriate for healthcare providers as web-based platforms raise a number of significant HIPAA privacy and security issues:
Many platforms are proprietary, meaning that healthcare providers have no way to determine if and what information is stored
Users cannot reliably develop and verify an audit trail
There is no reliable way to verify transmission security
Users have no way to know when a breach of information occurs
There is a lack of integrity controls to ensure that electronic protected health information is not altered
Also, according to the piece, HIPAA and its resulting regulations pertaining to privacy and security require covered entities such as healthcare providers to protect the confidentiality of protected health information and guard against unauthorized access, use, and disclosure of such information.
Among other things, the HIPAA rules require:
Access controls
Audit controls
Person or entity authentication
Transmission security
Business Associate access controls
Risk analysis
Workstation security
Device and media controls
Security management process
Breach notification
“The use of web-based platforms, especially those that are proprietary, makes it difficult for healthcare entities to meet many of their HIPAA obligations,” the article states. “As a consequence, telehealth providers carry a higher risk of potentially violating HIPAA rules when they use services such as Skype.
According to the Health Information and Trust Alliance, the organization recommends against the use of Skype and similar platforms for communications involving health information, concluding that web-based platforms are not secure, and are an inappropriate way by which to communicate with patients, especially when the communication involves health information. Their view was confirmed late last year when a security flaw was discovered in Skype that put users’ personal information at risk of disclosure.
“All of this does not mean a healthcare professional should not use Skype to communicate to patients, only that they be aware of the increased risk of violating HIPAA and think long and hard prior to using such technology.”
However, should a provider insist on using Skype, there are some steps they should consider to better protect themselves from potential HIPAA liability (all good tips, according to the magazine):
Have patients sign HIPAA authorization and a separate informed consent as part of intake procedures when using web-based platforms
Develop specific procedures and protocols regarding use of Skype, similar platforms
Train workforce on the use of these platforms
Exclude the use of these platforms for vulnerable populations
Limit to certain clinical uses (i.e., only intake or follow up)
Use secure platforms with audit trail, breach notification, other capabilities.
Only HIPAA-compliant technologies can truly protect a physician and a patient. These steps may help. In the long run, though, as I’m sure Dr. DeShan would agree, don’t let the cost of the work keep you from doing it.
A new report suggests that the average physician lost just as much as would have been gained had he or she received the full meaningful use incentive payment for the last five years — $44,000 – by implementing an electronic health record, which basically makes the whole thing null and void.
There’s a caveat, though. The practice that has implemented and is using the EHR, needs to make a few changes to the way the practice runs or else the saving is lost. Somewhat of a no brainer, according to study that’s published in Health Affairs, only 27 percent of practices achieved a positive five-year return on investment by implementing the electronic systems.
The trouble, according to the survey, is that practices “failed to make operational changes to realize the benefits of EHRs such as doing away with paper records after implementation of the electronic systems, adoption, as well as dictation, billing services and positions or staff members who were performing services no longer required after EHR adoption.
A reduction in the required workforce at the practice after the implementation of an EHR is a common problem. I’ve spoken with several practice leaders who cited it as such, and in many cases, staff whose positions were eliminated because of the software have been re-assigned to other areas. There are only a few practices in which I’ve spoken where employees were laid off because of the systems. I expect this number to grow as more systems come online.
According to MedPage Today, which published the results of the study, the study sought “pre- and post-adoption financial cost/benefit data from practices such as total revenue, total operating costs and total labor costs. Researchers also asked for information on areas that were impacted by EHRs, such as the cost of paper medical records, dictation services, and billing services.”
Their results of the study showed that the average physician lost $43,743 over five years. Primary care practices fared better than specialists. Practices that saw a positive return on EHR investment increased revenue by more than $114,000 per physician over five years, results showed. In comparison, practices with a negative return on EHR investment saw revenue increase by an average of only $9,200 per physician in five years.
“Even when adding federal incentives to use EHRs, the majority of doctors would have lost money,” MedPage Today reports.
Other results from the study include:
38 percent of practices with six or more physicians achieved a positive return on investment, compared with 26 percent of practices with one or two physicians
55 percent of practices reported a reduction in the cost of paper medical records after EHR adoption
22 percent of practices reported the most common ongoing cost was additional hours of practice time
10 percent of practices noted improved efficiency, allowing them to see more patients each day
18 percent increased revenue through improved billing
This is a bit surprising: Practices with a practice management system prior to EHR implementation in place to help with billing functions benefited less on average.
Seems like some of the unexpected consequences of EHR use are finally working their way to the top and a bit of the actuality of the situation is coming out; just because a system is implemented, doesn’t mean everything is going to be great. “Wide usage of EHRs was supposed to help doctors increase revenue through improved billing and efficiency gains that would allow them to see more patients per day. However, doctors have complained that EHRs are cumbersome and cause physicians to spend more time documenting patient visits,” the magazine states.
A straightforward piece of news from TEKsystems Healthcare Services, a provider of workforce planning, human capital management and IT services to the healthcare industry, showing the following results a joint survey with HIMSS Analytics regarding health organizations’ readiness pertaining to the implementation of electronic health record (EHR) systems.
According to TEKsystems, the survey shows insights into the status of EHR implementations, the challenges healthcare organizations face and areas of improvement; TEKsystems and HIMSS Analytics surveyed 300 single and multi-hospital organizations and health professionals throughout the United States. Key findings include:
Current State of EHR Implementations
Nearly 39 percent of hospitals have surpassed Stage 4 of the HIMSS Analytics Electronic Medical Record Adoption Model (EMRAM).
Currently less than half (43 percent) of integrated delivery systems or single hospital systems have completed their EHR implementation.
Achieving end user adoption
Nearly two-thirds of healthcare professionals (64 percent) believe achieving adoption is a roadblock to a successful EHR implementation.
“Achieving meaningful use and truly improving the quality of patient care can only happen if end users fully adopt a new EHR system in an acceptable timeframe. Organizations expect their people to adapt quickly, yet many do not plan for end user training until late in the effort,” says , TEKsystems vice president of healthcare services. “Upfront training strategy development would allow for the identification of key competencies and performance indicators. As organizations transition from implementation to day-to-day operations, any deficiencies in the ability to meet the targets can be pinpointed to either a specific user group, department or globally as indicated by analytics and aligning remediation accordingly. Developing an effective adoption strategy is a critical step that needs to be detailed earlier in the process and carried throughout the life of the initiative. That includes finding the appropriate resources necessary for building, integrating and conducting the training.”
Bringing in the right people and skills
Sixty-six percent of respondents cite the challenge of finding the right workers with the right skills for the implementation. More than half struggle with finding the right people to build a training program (57 percent) or lead the classroom discussions (53 percent).
“The supply of HIT talent is not keeping pace with the demand – from clinical trainers, builders and consultants to project and program managers. Finding the necessary resources can be a daunting task for many organizations, but one that is essential to achieving a successful EHR implementation,” continues Kriete. “That includes finding the right principal trainers and scaling to meet the overall training and adoption needs.
Conducting an impactful training experience for the end users
According to more than three-quarters of healthcare professionals, results of poor EHR training implementation include: rework (85 percent), lack of applicability to real-world scenarios (84 percent), low levels of user adoption (84 percent), long learning curves (82%) and inability to leverage the system for meaningful use (77 percent).
“The importance of effective training cannot be overlooked. To avoid these outcomes, organizations must proactively build a customized training program that is led by educators with clinical and technical EHR experience. The training cannot simply be ‘off-the-shelf.’ It should align with the overall organizational goals, workflows, technical requirements and end-user job roles” states Kriete. “One method for ensuring a training program is effective and builds confidence within an organization is to engage end users, those using the system on a day-to-day basis, in the development of the curriculum.”
“In addition to leveraging end users in this process, efforts should be taken to combine synchronous and asynchronous learning methods to foster a learning environment that meets the needs of the adult learner and their hectic schedules and a learning environment that is not bound by space or time” says Von Baker, TEKsystems healthcare practice director.
Including end users in the process
Overall, less than half of clinical end-user stakeholders are deemed completely engaged in the program; even the trainers for the new system are not fully engaged, with only 59 percent reporting their trainers are completely engaged in the process.
“This study shows the majority of executives and decision makers are engaged in the implementation process, but unfortunately, this is not the case with end users. Giving end users the opportunity to provide feedback during the development of and during the training boosts their sense of ownership and increases their confidence in the system post-implementation,” comments Baker.
Continuing to support end users after go-live
More than 50 percent of healthcare organizations anticipate end users will need more than six months to adapt to the new system.
“The work does not stop once the implementation is complete. Providing post go-live support is critical to ensure the end users fully adopt the system. Best practice is to create performance support tools for end users to have ready access to how-to reference guides when the needs arise – self service. The right blend of performance support tools depends on the organizations culture, internal drivers (i.e. varied workflows, varied specialties, and geographically dispersed facilities), and available technology. Underestimating the amount and degree of post go-live support can cause a decrease in productivity and performance and increase end-user frustration,” concludes Baker.
About TEKsystems Healthcare Services
TEKsystems Healthcare Services is dedicated to providing workforce planning, human capital management and IT services to the healthcare industry. Utilizing its suite of services, including EHR Implementation Support, ICD-10 Support and Data Services for BI, Reporting and Data Warehousing, they help healthcare organizations accomplish critical initiatives related to meaningful use, compliance, analytics, network transformation and revenue cycle management.
Guest post by Steven Jackson, chief operating officer, ExperiaHealth.
Every patient story is unique with engaging plots, complicated characters, emotional twists and turns, but more often than not there is a recurring theme. Somewhere in the healthcare narrative there are gaps in communication. In fact, according to the Joint Commission, an estimated 80 percent of medical errors are caused by breakdowns in communication.
Whether the disconnect is between internal and external care teams, a patient and a nurse, or in my case, a family member and a physician, any missed or misunderstood care directives can leave the patient and the health system vulnerable.
I was certainly feeling vulnerable when I arrived home after taking my son to the doctor and met my wife immediately at the door asking, “What did the doctor say?” As I recollected the physician visit and details of my dialogue with the doctor, I quickly realized I wouldn’t have all the answers she wanted to hear. I remembered most of the instructions, which I paraphrased quite succinctly. However, my wife, who is a very caring mother with a fondness for details, wanted to know exactly what the doctor said.
A similar story was told by a colleague. He described how his father was discharged from a local hospital after suffering a heart attack. At discharge, while tired and stressed from being in the hospital, his father and mother were given 30 minutes of clinical, complex information detailing his post-hospital care and medication needs. Later, when the couple tried recalling the discharge instructions to relay to my colleague, they each remembered the directives very differently – a misunderstanding that put his father at risk for an adverse event.
The CDC reports that nine out 10 adults who receive medical advice find it incomprehensible and do not know what to do to take care of themselves – creating a revolving door for institutions.
Stats and stories like these, as well as looming penalties for performance, are driving the development of innovative healthcare applications and patient portals that improve patient and family engagement, understanding and compliance of discharge instructions and other care directives. These same technologies are also improving patient safety and satisfaction, ultimately driving HCAHPS scores up and avoidable re-admissions down.
Cullman Regional Medical Center in Alabama recently reported a 63 percent increase in HCAPHS scores for questions related to discharge communication and a 15 percent reduction in re-admissions after re-engineering its discharge process using the Good to Go solution by ExperiaHealth. Good to Go blends multimedia technology with healthcare best practices to engage caregivers, patients and families in the care plan during and after a hospital stay.
During hospital discharge, Cullman Regional caregivers use smart devices and the HIPAA/HITECH compliant Good to Go application running on the deviceto capture “live” care instructions at the patient’s bedside. After the discharge session, the nurse asks the patient to listen to the captured communication, and a dialog between the caregiver and patient occurs to clarify any confusion. This conversation is also captured by the application, adapting discharge instructions in the patient’s own words and breaking down health literacy barriers. The recorded audio instructions are then made available 24/7 for the patient, family or a subsequent caregiver to listen to and review from any landline phone, mobile device or computer using unique login credentials.
In addition to audio instructions, caregivers use the solution to attach instructional videos, images and documents and post those educational resources on the patient’s personal Good to Go website to improve compliance and reduce risks. For example, if a patient has congestive heart failure, a caregiver can use the solutionto capture images of baseline swelling in the patient’s leg to help him or her monitor and manage their condition. Follow-up appointments and medication lists can also be managed in one location via the patient’s personalized Good to Go website.
With access to live care instructions and multimedia education, a couple can leave the hospital feeling secure about the discharge plan, and a father can be confident replying to an inquiry by his wife after their son’s physician visit. Hospital caregivers can also feel better because they can use the solution’s monitoring tool tracks if and when patients access their instructions, allowing Cullman Regional to gauge compliance and identify potential risks for bounce backs. This valuable information also plays a vital role in performance analytics and patient follow-up call management available via the Good to Go solution, which helps unify quality, safety and satisfaction initiatives.
By taking advantage of technology already in use and at the fingertips of caregivers, patients and families, hospitals like Cullman Regional are creating impressive last impressions and extending care beyond the hospital walls. And while technology cannot replace human interaction, it can certainly help enhance the exchange and create market differentiation as well as lasting loyalty – especially for those patients whose journeys were safer because there were no communication gaps along the way.
Healthcare stories with seamless transitions are the ones with the best endings.
Like it or not, BYOD (bring your own device) is a topic that’s not going away. Some consider it a fad, a conversation piece and a topic passé. But, the same was said of the personal computer, the Internet and now, mobile devices in the workplace.
I’ve spent a lot of time recently focused on the work of Gartner, and today is no different. The analyst firm produces some great content and provide some great thought leadership advice and BYOD is no different. Healthcare leaders would do themselves a favor to take note of the following tips from the firm (specifically, Stephen Kleynhans, in this case).
Organizations today must address their BYOD challenges. They are everywhere, in every organization. Users continually and ever more so utilize their own devices, and the trend continues to grow. Doing so, so the argument goes, is that employees’ own devices boost productivity. It’s an argument that’s been said over and over thousands of times.
According to Gartner, users and organizations need to understand BYOD issues and challenges including “security risks from data leakage; financial risks from device cost or support/network contracts; and, compromised compliance/certifications from using sensitive services (location services, GPS etc.). Here is what Gartner feels are the key issues in BYOD adoption in this context.”
Simply put, as we’ve previously discussed here, BYOD is said to help employees perform their roles more efficiently, which is particularly the case for home health professionals and those on call. Additionally, BYOD is supposed to limit tech budgets for organizations, and in large health enterprises this makes a great deal of sense. Essentially, the burden for technology and upgrading it lies on the employee. When they want a new device, they purchase and upgrade it. Obviously, this takes a great deal of pressure off of an organization that might otherwise be forced to upgrade and purchase the technology on an ongoing basis.
“Well framed, comprehensive BYOD policies addressing these issues and challenges can help shift cost to the users and reduce support burden on IT for non-strategic devices,” said Gartner’s Kleynhans.
Additionally, he states that BYOD in in its current form is “largely a ‘don’t ask/don’t tell affair’” where users do what they can, because they can, and devices belonging to senior executives have probably already been made in your organization.
“Prior to instituting formal BYOD, issues related to regulatory, security and compliance need to be reviewed, and an employee’s personal liability and the company’s obligation to its investors or customers may not always be linked. Consider that the loss of user-owned devices carrying sensitive data might lead to serious trust deficits that might be difficult to recover from. If you lack adequate MDM and data protection controls, instituting a BYOD program might backfire,” states Gartner.
Mobile access to company resources should only be granted incrementally based on the users role and needs within the organization, and assigning differing levels of authentication to programs, device fingerprints, location and so on.
“BYOD issues around administering diverse environments will require segmented, policy-controlled architectures, where application delivery focuses on isolating company data rather than targeting complete device control,” said Kleynhans about a concept also known as containerization.
Wherever control of a device or data is not possible, encrypt. “Approaches such as Web apps, virtualized apps and hosted virtual desktops may be used on the server side, complemented on the client side by secure access clients, sandboxes, thin clients and trusted computing devices/dongles.”
Launching BYOD is challenging, and requires a thorough due diligence. Gartner sums it up beautifully: “Extend existing policies wherever possible and ensure that the full range of interested parties such as IT, business, HR and legal are involved to cover all contingencies and legal requirements. Further, your policies need to define clearly what can and cannot be done with employee-owned devices; the level of enterprise network access; privacy restrictions; exceptions; penalties; and, most importantly, liabilities.”
Accenture released the following infographic that illustrates the key findings of its recent survey (also featured in a recent post: Patient Willing to Switch Doctors for Access to Electronic Health Records) that suggests that most consumers want access to EHRs, but don’t have it.
