Considerations for Mobile Device Management in Healthcare IT

Level 10

In my last post regarding IT and healthcare policy, we talked about the somewhat unique expectation of "extreme availability" within the environments we support. I shared some of my past experiences and learned a lot from the community interaction in the comments. Thanks for participating! That kind of interaction is what I strive for, and it's really what makes these forums what they are. I’ve got one more topic I’d like to discuss in this series of blog posts, and I’m curious what you all have to say about it.

Just like in traditional SMB and enterprise IT, healthcare IT is concerned about managing mobile devices. In a traditional SMB or enterprise environment, most of the time we’re talking about company-issued laptops, cell phones, tablets, and the like. Sure, they’re carrying potentially sensitive data, and we need to be able to manage and protect those assets, but that’s pretty much where it stops. I’ll talk more about those considerations later in this post. In healthcare IT, our mobile devices are an entirely different beast. Not only do we have to worry about the types of devices mentioned above (and even more so, because even if they don’t carry protected healthcare information about patients, they are able to access systems that contain it), we also have mobile devices such as laptops and computers on rolling carts that move about the facility. We also have network-connected patient-care equipment (think MRI machines, etc.), all of which are potential risks that must be managed.

It all starts with strategy

Every implementation varies, so your specific goals may differ here, but traditional targets for mobile device management include: controlling what software or applications are installed on mobile devices; controlling security policies on those devices (think screensavers, automatic-locking policies, etc.); controlling and requiring data encryption; location monitoring, both to help ensure that devices are where they're supposed to be and to detect when devices that aren't supposed to leave the premises can no longer be reached; remote device wipes; and so on. These days, there are a lot of commercial, off-the-shelf products that can help with mobile device management, but it all starts with strategy. Before you can start solving all of the problems I've listed above, you've got to first identify your individual goals for your overall mobile device management strategy. Are you only concerned with enterprise-owned assets, or do you care about BYOD equipment as well? What type of encryption rules are you going to mandate for your assets, and do they even support it? What about systems provided by and supported by third-party vendors? Are you going to require their compliance with your mobile device management strategy? Will you refuse to connect their solutions to your network if they aren't willing or able to comply? As an IT resource, do you even have the authority to make that determination? The list goes on. Defining the mobile device management strategy may be the most difficult part of the entire operation.
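To make the targets above concrete, here is an added example (not from the original post or any MDM product) that evaluates a constructed device inventory against three of them: required encryption, an auto-lock ceiling, and a check-in deadline for devices that must not leave the premises. The field names, thresholds and the sample inventory are all assumptions; vendor-supported equipment is reported as unmanaged rather than scored, because whether you can mandate its compliance is the open question the post raises.

```python
"""Evaluate a constructed MDM device inventory against a few policy goals."""
from datetime import datetime, timedelta, timezone

# Policy thresholds are assumptions for this example, not any product's defaults.
POLICY = {
    "require_encryption": True,
    "max_autolock_seconds": 300,                 # screen must lock within 5 minutes
    "stationary_checkin_max": timedelta(hours=2),  # on-premises devices must check in
}

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock so runs are repeatable

# Constructed inventory: field names are assumptions, not any MDM's schema.
DEVICES = [
    {"id": "cart-01", "owner": "corporate", "encrypted": True, "autolock": 120,
     "stationary": True, "last_seen": NOW - timedelta(minutes=20)},
    {"id": "cart-02", "owner": "corporate", "encrypted": False, "autolock": 900,
     "stationary": True, "last_seen": NOW - timedelta(hours=5)},
    {"id": "byod-07", "owner": "personal", "encrypted": True, "autolock": None,
     "stationary": False, "last_seen": NOW - timedelta(days=1)},
    {"id": "vendor-mri", "owner": "vendor", "encrypted": None, "autolock": None,
     "stationary": True, "last_seen": NOW - timedelta(minutes=5)},
]


def evaluate(device, policy=POLICY, now=NOW):
    """Return the list of policy findings for one device; empty means compliant."""
    findings = []
    if device["owner"] == "vendor":
        # Third-party equipment is outside MDM reach: report it, do not score it.
        findings.append("unmanaged-vendor-device")
        return findings
    if policy["require_encryption"] and not device["encrypted"]:
        findings.append("encryption-disabled")
    # A missing auto-lock value counts as a violation, not as "unknown".
    if device["autolock"] is None or device["autolock"] > policy["max_autolock_seconds"]:
        findings.append("autolock-policy-violation")
    # Devices that should never leave the building must keep checking in.
    if device["stationary"] and now - device["last_seen"] > policy["stationary_checkin_max"]:
        findings.append("stationary-device-unreachable")
    return findings


def report(devices=DEVICES):
    """Map device id to its findings, listing only non-compliant devices."""
    return {d["id"]: f for d in devices if (f := evaluate(d))}
```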

Once you’ve defined your strategy and the goals that are important to you, you’re going to review the types of equipment you need to support. Are you going to be Apple-only, PC-only, or are you going to support capabilities in a cross-platform environment? Is your mobile device management strategy able to deliver feature parity of everything it provides in this cross-platform world, or are you going to discover that some of your goals are only achievable on two of the three platforms you want to support? In traditional IT, mobile device management is much less challenging than in healthcare IT, mainly because IT usually has the final say in what equipment will and will not be connected to the environment. That's not always the case in healthcare IT.

This post hasn't been about answering questions, it's been about asking them. What I was really aiming for was to get you thinking about everything that goes into mobile device management from a healthcare IT standpoint. How does policy influence it? How do the IT organization's controls impact equipment decisions? What other MDM challenges do you experience now in healthcare IT, and what new challenges do you see coming in the future? What solutions have you found that address these challenges, and what have their shortcomings been? Do you feel like you've been able to achieve your goals? I’d love to hear your thoughts in the comments! Until next time!

6 Comments
MVP

Nice write up

Goal:  Just say "no" to Personal Devices.  And while you're at it, say "no" to wireless, too.  In for a penny . . .

Result:  It turns out that can be a "career-limiting" decision.

People want it, at any price, at any cost--convenience is king.  So we spend a very large amount of money trying to provide the services and environment they want.  And end up with an environment that's based on a house of cards, that's not as secure, not as reliable, and not as fast as wired networks.

Honestly, copper is king, not half-duplex wireless that can be easily disrupted by Bluetooth or microwave ovens or faulty electrical motors in the ceiling (all of which I've personally had to discover and troubleshoot).

If you want reliability, security, and speed, go wired.  It's simple to adjust your work flow and expectations to this one fact.

So, suppose your work flow actually REQUIRES mobility (never mind that vendors are starting to provide ONLY WLAN connectivity--they're removing the RJ-45 ports, and dropping support for Ethernet over USB ports).  Would you know what that kind of environment might need to look like to "require" mobility?  I work in Health Care, and some places I've been asked to be on board for corporate mobility include:

  • Where a network monitors a patient directly by physically attaching to the patient, and the patient requires mobility for rehabilitation or other needs.  You've got to admit, being wired in this scenario might be a hardship for a patient.
  • A new product's work flow that is based on handing an iPad to a patient in a waiting room and asking them to fill out forms on it.  Or IS this REALLY a work flow that REQUIRES mobility?  Couldn't it be done at a wired Guest Kiosk computer in the waiting area?  Sure it could!  Some vendor sold the idea of iPads to a department, and now we're stuck with it.  Uff da!
  • How about monitoring a patient as they go through physical therapy, tracking progress on a wireless device as a patient moves through various exercise stations?  It turns out this is a good "just say no" scenario, since that data can be captured locally on the device and then uploaded to the database when it docks for charging its power.
  • Let's go to one of our warehouses.  Our inventory management people are on fork lifts, going thirty-five feet up in the air to capture bar codes and find things on shelves.  They're scanning incoming and outgoing bar codes to track things moving through the loading dock to/from trucks.  It's not convenient to have to go dock a device just to get a new picking list or update when inventory has been removed or received.

In the above examples, only half of the work flows require mobility.  And it turns out a wired network is a LOT less expensive to install/control/secure/manage.  If your goal is reliable, fast, secure transmission of personal or corporate data, carefully analyze the work flows and take the vendors' sales recommendations for wireless with a grain of salt.  Maybe some work flows don't require wireless.  You'll spend a lot less time troubleshooting invisible wireless radio interference and throwing AP's at problems if you can reduce the WLAN work flows.

What about Personal Devices on the corporate network?

I can do all my work perfectly without having to buy my own personal device and place it on the corporate network's "guest" wireless environment.  Our Security analysis of the personal devices' traffic seems to indicate people want corporate ISP speeds and home ISP lack-of-filtering.  Many use their devices for entertainment (listening to streaming audio, watching YouTube videos, accessing personal e-mail--all functions prevented by corporate policy and by our firewalls for the corporate networks) instead of doing corporate work on those personal devices.

We've used several products over the years to manage and secure and provide access to Personal Devices.  Our latest is MobileIron's product, and it seemed to do the job well enough for Apple iPads and other PDs.

Since we moved to O365 this year, Microsoft has been heavily pushing for us to adopt their Intune mobile device manager and drop MobileIron. The price point is ridiculously attractive to do so, and Corporate Management has said the equivalent of "set up a pilot using Microsoft Intune and prove it works as well as MobileIron, or at least that it works well enough to serve our needs, because it's a LOT less expensive than MobileIron."

For me personally, I only use my smartphone for work as a way to approve MFA requests when I'm not actually on the physical property attached to the wired network.

For the corporation, one can understand if they want to get away from having to support users' private equipment, while "enabling" (a.k.a.: "eventually requiring") users to buy & use their own gear, at their own expense, instead of corporate having to buy mobile devices for everyone (and the data plans and support packages that must accompany those devices).

But managing it all, whether corporate or personal, is complex and expensive in employee hours and R&D and tools.

My wife and I had the unpleasant experience of living in a hospital for close to 6 months in early 2007. During that time we became quite close with the doctors, nurses, and staff. They were all using a wireless voice-paging technology worn around their necks. They all loved it over the antiquated overhead paging system. So there are some obvious benefits to wireless in healthcare, but I agree with the quorum that it shouldn't be used when there is an alternative available.

I support a wireless "Star Trek Communicator Badge" type of walkie-talkie that health care providers use on our 802.11 networks.  Where it works, it works pretty well, and everyone relying on it says they would never go back to the old ways.

Of course, they MUST keep up with old ways for "down time procedure" practicing.

Where it doesn't work, providers and hospitals have thrown it out in frustration.

I know it took a very long learning curve to get it working in our hospitals, which included a long trial & error discovery of its multicast requirements across LAN and WAN.

802.11 networks, especially the 2.4 GHz radios, are over-subscribed, have too few channels, and are subject to easy disruptions from any number of sources.  But E.R. staff love the wireless tech, and I can't blame them.  It gives them fast access to specialists that can't be accomplished with pagers or cell phones--especially deep inside a large building, or below ground basement levels, where cell coverage is poor or absent.

That said, the comm badge providers don't give an accurate description (IMHO) of their technology's limitations and vulnerabilities.  Providers just assume it will work everywhere, can scale to the WAN and without limitation, that it's secure and fast and reliable.

But it runs on 802.11 technology, and is not ubiquitous, scalable, secure, fast, or reliable.

Sigh.

Keep 'em practicing their down time procedures, and watch for better technologies that use protected and limited spectra.  And just say "no" to adding more wireless tech to the environment that supports your E.R. wireless communications if you want what limited reliability it can achieve.  Overusing / crowding that environment, no matter whether with more and more 802.11b devices, or SSID's, is not a great idea, no matter how much providers and the C-Level want it to be.

Level 11

I like anything Star Trek.  I would use a communicator badge.

Level 13

Space the final frontier