I’m probably going to go a bit over my head here in exploring whether hospitals or health systems can really securely deploy iPads (or any mobile Apple devices) as enterprise devices. This is obviously relevant. I’ve heard from multiple vendors that providers are asking about iPad versions of web applications.
I’ve also read about mobile device management (MDM) several times in the last several weeks, first with the new Voalte-MDM partnership and second with the recent VA RFI. And just this week, I’ve had several discussions about the challenges of actually deploying tablets — specifically iPads — as enterprise devices.
I like my iPad. It’s a great tool for clinicians for both data access and order entry. I’m not as concerned as most in healthcare about security. I’ve seen such blatant HIPAA security violations that I can’t imagine that having access to PHI or other sensitive information over mobile — as long as the mobile device isn’t storing the data locally — would make it any worse.
Maybe the reason I’ve seen so many violations is that I know a lot of medical students and residents. I’m not really sure, though, as I’ve seen other violations from academic and community docs, especially in the spirit of research. Some examples include leaving paper medical records in public or semi-public places (including on printers at libraries), e-mailing charts or reports over Gmail (university e-mail is just not user friendly) to provider friends and family to fax or scan, and text messaging patient information (this seems like a daily thing).
These things happen all the time, at least in my experience, so I come to the HIPAA discussion with low expectations. Maybe some providers are more cognizant than others, but I think most just do what needs to be done to get their work done. If a provider needs to reach a colleague and ask a question involving PHI, SMS might be the easiest process and that’s likely what will be used, despite the insecurity of SMS.
With that in mind, I went out to see what options existed for securing an iPad. Little did I know (and maybe I should have) that the Apple Push Notification Service supports third-party MDM services. The way it works (shown below) is that MDM vendors can use Apple Push to poll and modify managed devices at any time.
The Apple Push Service supports several key restrictions on devices (the full list is more extensive than this) with its messaging:
- Installing/Removing apps
- In-app purchases
- Safari/iTunes/YouTube access
- Passcode requirements
- Account setup (Wi-Fi, email, VPN, etc.)
- Device info (network, MAC, UDID, build version, etc.)
- Remote Lock
- Remote Wipe
- Clear Passcode
To do any of this with an iPad or an iPhone, you’ll need more than Apple Push, because that’s only the connectivity component. You’ll need an MDM server, which is exactly what the VA is looking for with its RFI. The VA is looking for an MDM solution that can support up to 100,000 devices running across all of its facilities. This will be a national solution. The RFI does not specify a mobile platform, instead stating it will test Windows, Android, and the iPad.
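The passcode and restriction settings listed above reach a device as payloads inside a configuration profile that the MDM server installs. As an added example (not from the original post or from any MDM vendor), this Python script audits an unsigned profile against an assumed baseline; the baseline values, the function names and the `invalid.example` identifiers are hypothetical, while the payload types and keys are the ones Apple documents for configuration profiles.

```python
import plistlib
import uuid

PASSCODE = "com.apple.mobiledevice.passwordpolicy"
RESTRICTIONS = "com.apple.applicationaccess"
# Assumed baseline for a clinical iPad (illustrative; not an Apple default or HIPAA text).
BASELINE = {
    PASSCODE: {
        "forcePIN": lambda v: v is True,              # a passcode is required
        "allowSimple": lambda v: v is False,          # no 1234 / 1111 style codes
        "minLength": lambda v: v >= 6,
        "maxInactivity": lambda v: 1 <= v <= 5,       # minutes idle before auto-lock
        "maxFailedAttempts": lambda v: 2 <= v <= 10,  # device wipes after N bad tries
    },
    RESTRICTIONS: {
        "allowAppInstallation": lambda v: v is False,
        "allowInAppPurchases": lambda v: v is False,
    },
}

def audit_profile(profile_bytes):
    """Return sorted findings for an unsigned .mobileconfig (XML or binary plist)."""
    profile = plistlib.loads(profile_bytes)
    findings, seen = [], set()
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        seen.add(ptype)
        for key, ok in BASELINE.get(ptype, {}).items():
            if key not in payload:
                findings.append(f"{ptype}.{key}: not set")
            elif not ok(payload[key]):
                findings.append(f"{ptype}.{key}: weak value {payload[key]!r}")
    findings += [f"{ptype}: payload missing" for ptype in BASELINE.keys() - seen]
    return sorted(findings)

def build_profile(settings_by_type):
    """Build a constructed sample profile; identifiers are placeholders."""
    ident = "invalid.example.clinical-ipad"
    content = [{"PayloadType": t, "PayloadVersion": 1, "PayloadUUID": str(uuid.uuid4()),
                "PayloadIdentifier": f"{ident}.{t}", **s} for t, s in settings_by_type.items()]
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadUUID": str(uuid.uuid4()), "PayloadIdentifier": ident,
                           "PayloadContent": content})

WEAK = build_profile({PASSCODE: {"forcePIN": True, "allowSimple": True, "minLength": 4}})
HARDENED = build_profile({
    PASSCODE: {"forcePIN": True, "allowSimple": False, "minLength": 6,
               "maxInactivity": 2, "maxFailedAttempts": 10},
    RESTRICTIONS: {"allowAppInstallation": False, "allowInAppPurchases": False},
})
```

Calling `audit_profile(WEAK)` reports the simple passcode, the short minimum length, the unset auto-lock and failed-attempt limits, and the missing restrictions payload; `audit_profile(HARDENED)` returns an empty list.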
The only MDM vendors that I’ve heard of are Good Technology and AirWatch, the vendor that recently partnered with Voalte. These device management solutions support all of the configuration options that Apple supports and make it easy to manage lots of mobile devices across an enterprise regardless of mobile operating system.
The next big question is whether a health system would support a bring-your-own-device (BYOD) strategy. I know providers would love it and both AirWatch and Good Technology support it by providing specific security around certain apps. I’m not sure the app restrictions on a provider-owned device are adequate for a health device. Well, I think they are enough, but I’m not liable if something happens, so I’m not sure I’d have the same opinion if I were potentially personally liable.
Are iPads really secure using an MDM server with Apple’s Push Notification Service? Compared to the way I see security now, I’d say yes, but I’m sure some CTOs and technology folks would disagree. The issues with security are and will always be human issues. Providing access to sensitive data over mobile won’t change that.
What are the VA and other systems likely to do, at least if you assume mobile is coming? I’d be very curious to hear what CIOs have to say to that. I know John Halamka, MD, is a big fan of mobile and has written on how to deploy mobile in a health system. He was also featured at a recent Apple event, if I recall correctly.
My bet is that systems like the VA will end up purchasing a certain number of tablets for employed physicians, which is a growing percentage of physicians, and provide limited support for affiliated physician groups.
But this is only related to health systems. Independent community docs will be using their own iPads and iPhones with Practice Fusion and drchrono and others, likely without any major security platform installed.
Travis Good is an MD/MBA involved with health IT startups.