One CIO’s Approach to BYOD


A popular topic for hospitals right now is whether to allow employees to use their personal smartphones for staff communications and patient alerts. “Bring your own device” (BYOD) is a challenging issue because it encompasses so many questions related to an organization’s costs, security risks, IT availability, and technical support. I recently talked with Bill Phillips, senior vice president and chief operating officer (CIO) at University Health System (UHS) about the subject of BYOD. Located in San Antonio, and owned by the people of Bexar County, UHS is a nationally recognized teaching hospital and network of outpatient healthcare centers with more than 6,000 employees and 800 physicians and residents. Phillips shared his approach to BYOD, the evolution of their program, and the current progress at UHS toward a solution: – Brian Edds, vice president of product strategy at Spok.

Bill Phillips: BYOD is a topic every healthcare organization is dealing with right now. The biggest concern with allowing personal devices is security-for employee data, organizational systems, and especially patient information. To make BYOD a success, developing a larger communication strategy that defines the technology, people and processes involved is crucial.

One big challenge is that across the country, physicians are doing what the rest of us do every day, using standard text messaging (SMS) to communicate. It’s a common practice, but not a safe one because information sent this way is not secure. While we can’t stop unsecured texting altogether, what we can do is educate hospitals on the potential risks and use technology to try and control it.

At UHS we used to purchase devices for employees, but it became a mess. Once you open that door, it’s a lot more than just buying a phone-it becomes the maintenance of the phones. You get into minutes and shared minute plans, figuring out bill-back and who pays for what portion of the usage. It was becoming too much hassle and expense. This made BYOD an appealing option, and the process for us started several years ago.

Containerized Options

We knew the problem was out there, and that we would need a systematic approach. We tried other types of products, like voice tools for nursing staff, but clinicians didn’t like these because they prefer not to be overheard, so finding a secure texting solution became a priority. One of the first things we did was allocate budget and start evaluating our options. We planned ahead and beefed up our Wi-Fi coverage everywhere, including stairwells and hallways, as well as installed a distributed antenna system (DAS) for the comprehensive cell coverage we knew we would need.

At the same time, we wanted to look at the bigger picture and started to think about a larger solution for BYOD in general. Beyond secure texting we have to think about system access and information security on personal devices. The solution we’re pursuing is a ‘containerized app,’ like a portal which employees go through to access hospital systems.

The benefit of this approach is that a separate ‘container’ for business would mean if a device is lost or stolen, or if an employee moves to another organization, we could remotely wipe sensitive hospital and patient-related data. We also don’t want to be accused by employees of looking at personal information. This is actually a big consideration for me as we move forward. In order for a solution to work, employees have to use it, so we need to build up the trust and assure people that we will not be looking at their personal information. I expect it is a question we will address a lot, so my team and I are trying to prevent that fear from the beginning.

We are in the midst of assessing a specific containerized option right now. The IT team is trying to poke it full of holes to make sure it will work for us in our environment. We don’t want there to be any surprises or unforeseen security gaps, so we’re investing time up front to explore functionality and prevent potential future problems.

SEE ALSO: Data Collection From Mobile Devices

In addition to the container allowing us remote-wipe capabilities and helping address potential concerns over privacy on personal devices, the container approach is a strategic choice that lets us set up one icon for all of our UHS applications: email, the EMR, the secure texting app, etc. That way we will get the protection we need, and can still give clinicians a way to do their work. We want to make sure our end users can still do what they need to do. Our goal is to protect, but we can’t hinder patient care in the process. To achieve this, part of our assessment also includes questions such as: How cumbersome is it to switch applications? Is the email sync taking too long? These types of considerations are important to think about and explore before an implementation to ensure usability.

Before & After the Roll Out
Once the container solution has been vetted, our rollout needs to be carefully organized because the magnitude of this project is so big. We plan to go service line by service line. For our smaller ambulatory facilities, we can probably enroll a whole facility at a time. Our IT staff will work with end users to provide the necessary touch points to get everyone started, including downloading apps and configuring changes. The solutions we’re looking at don’t require a lot of training; they were pretty straightforward when I installed them on my phone. The biggest thing to teach people is that there are configurable settings on the phone itself that are separate from settings within the container and within each app in the container. It’s pretty simple, but it’s important to understand the difference.

“We have to provide what patients need, yet balance that with protecting our organizations.”

Tweet this

After roll out we will enforce the change by restricting system access. If staff want to access the UHS systems and email via mobile device, then they will have to do so through the secure product – they won’t be allowed to play outside our secure environment. This doesn’t fully address texting, though, which is why we’re being careful to build trust and identify champions in the organization who will help sell it for us.

We’ve also been talking with staff about secure texting for a while, setting the stage for change. I’ve presented this topic at quality risk management meetings and to the medical executives. They’re all excited and can’t wait. Right now clinicians are having to be so careful about what they put in a text because they know it’s not safe. They’re excited for the solution to be available-it will protect them, the organization, and their patients.

For the solution itself we worked closely with our physician group and chose Spok®. It will work well within our security envelope. It allows for encrypted text, video and image sharing, and is part of a larger communication solution that brings together the directory and on-call schedules. It’s about usability and being able to reach the right person quickly and easily.

I talk with healthcare execs and clinicians all over the country, and a lot of us are dealing with this same issue of mobility. We have to provide what patients need, yet balance that with protecting our organizations. Though it is difficult to get that happy medium, I am confident UHS is on the right path for our organization and our staff.

About The Author