Have you heard the term “Consumerization of IT”? If you happen to be a hospital or health system CIO or a member of his or her team, I doubt that I need to explain what that means. You are feeling the tension of it every day. For the rest of you, let me provide a quick review of what’s causing all this tension between clinicians, consumers and IT professionals.
At the end of the day, clinicians (doctors, nurses, and others who work in hospitals and clinics) are consumers just like everyone else. And doctors in particular, because they have more disposable income, are often drawn to the latest, greatest consumer technological wonders. If there is a shiny new smartphone or a remarkable new slate tablet computer, chances are a lot of those devices will end up in the hands of doctors. It is also true that it is increasingly difficult to practice medicine without one of these devices. Not only are medical records going digital, but today’s highly mobile healthcare workforce can hardly function without remote connectivity to their patient and practice data. Finally, today’s so-called flexible work styles demand remote connectivity and mobility as work life and home life become increasingly blended.
So, here’s the rub. Gone are the days when the hospital or health system’s IT department supplied all of the devices their organization’s employees use to do their work. Today’s employees often want to work with the same devices they use in their personal lives. This is especially true for community clinicians who are not employed by the hospital or clinic. The last thing they want to hear from someone in the IT department is that, while working in the hospital, they cannot use that beautiful new phone or cool new computer they just bought at the big box store. Damn it, Scotty! I’m a physician, and I’m going to use whatever I want to use. Just “make it work”.
Of course the CIO has a legitimate concern about all these devices coming through the door to his organization. How will he maintain the security of the hospital’s network? What about exposing the health system’s network and applications to malware or viruses? And what if that doctor’s smartphone or tablet, once connected to the network, downloads and stores personal financial or health information in its memory or hard drive? What if that device is then lost, or heaven forbid stolen by someone with bad intentions? These are very serious concerns that sometimes come with stiff civil and criminal penalties when things go wrong. So what is a CIO to do? Saying “no” all the time won’t win friends with clinical staff. Have you ever told a hospital’s leading cardiothoracic surgeon that he or she can’t have something they want? Good luck with that!
Dealing with this situation starts with good institutional governance. You really want to get ahead of the curve. You need to very proactively provide guidance to employees and community clinicians about the personal devices they use and why they may pose a danger not only to the organization, but to patient privacy as well. That guidance might also include things clinicians should consider when buying a device for use in a hospital or clinic setting. Is the device rugged enough for the environment in which it will be used? Will it hold up to accidental drops or spills? Is it possible to clean or wipe down the device with chemical disinfectants? If the device is lost or stolen, is the data on it encrypted? Can the device be managed on the network, and perhaps even have its memory erased remotely should it be lost or stolen? Can the device be connected easily to other peripheral devices for file and print or reading bar codes?
Microsoft provides software and solutions that will make the CIO’s life a bit easier. For instance, our enterprise System Center 2012 (currently in beta) will not only provide the best experience possible in managing Windows devices, but also best in class management of other devices that find their way into your organization. You can manage access to your network and applications based on the end user’s unique identity and organizational role. You can also manage network access of the devices themselves, segmenting their access to enterprise applications and information according to high, medium, or low business risk. Other solutions such as Windows Intune will continuously protect your network from malware and viruses that might come along for a ride on the consumer devices connecting to your network.
To learn more about the “Consumerization of IT” and strategies that will help you keep your hospital, clinic, or health system safe while satisfying your most important customers (clinicians, patients and visitors), visit this special site. Additional helpful information for the enterprise CIO can be found here.
Bill Crounse, MD, Senior Director, Worldwide Health, Microsoft
I think it can be attributed mainly to internal policies and procedures that dictate a doctor's use of personal technology - for example, here at Online Tech, we've been warned to avoid using public wireless internet with our devices, and to use VPN only for remote access as part of our own HIPAA security training. Same goes for password policies - never email, always change them, etc.
Consider these "lessons learned" from undergoing a HIPAA audit: resource.onlinetech.com/hipaa-compliant-it-security-and-best-practices