BYOD Trend Affecting Healthcare and Patients

The consumerization of mobile devices poses unique challenges for healthcare CIOs, who are tasked with maintaining security, streamlining productivity gains expected of the industry’s growing mobile workforces, and implementing information technologies that ultimately lead to improved quality of care.

For a glimpse into how one leading healthcare organization is managing the bring-your-own-device (BYOD) trend, I reached out to Hal Baker, M.D., vice president and CIO at WellSpan Health Systems.

With more than 9,000 employees, volunteers, and physicians, the health system includes WellSpan Medical Group, 35 outpatient health care locations, and three respected hospitals: WellSpan York Hospital, WellSpan Gettysburg Hospital, and WellSpan Surgery & Rehabilitation Hospital.

Dr. Baker reports his organization is down to fewer than 40 BlackBerrys, given the rise in popularity of Droid and iOS devices among physicians, nurses, and administrative staff.

While hourly administrative staff members’ mobile devices are not connected to the health system’s network because labor laws prohibit such employees from working off-hours, physicians’ and medical salaried staff’s devices are loaded from Exchange Server to ensure confidential information is adequately protected. This approach can work well for health systems, provided Exchange Server runs on the server side and the organization can provide access from client software running on a mobile device.

Virtual desktop

To better manage the BYOD trend—and to make the organization’s own devices easier to support and less expensive to manage—WellSpan has begun implementing a virtual desktop solution running Windows 7 in a server array. Unlike thin client solutions, it functions similarly to pcAnywhere, bringing up what is essentially a brand new PC for laptop and desktop users every morning.

“Our virtual desktop set-up is nice because none of the data leaves the data center,” says Dr. Baker, “so, there’s no footprint on the laptop. Users can log out and have it sit in a suspended state without worrying about anything being resident.”

In addition, Dr. Baker’s team has set up a throttled guest network that is shared by staff bringing in their own devices, as well as patients, families, and guests. Doing so has helped WellSpan reduce internet saturation due to bandwidth intensive sites such as YouTube.

As his department disables networks that use older encryption, such as WEP, Dr. Baker anticipates the creation of another guest network for workforce and medical staff. This additional network will run outside WellSpan’s domain because he doesn’t want to put unmanaged devices on the organization’s domain for security reasons. A full-time security team prevents issues from developing among users who may seek workarounds.


For healthcare organizations, the age of accountable care hinges on being able to reach people in their homes, especially patients who are at high risk of readmission.

However, the same mobile technology that empowers staff to send photos of a patient’s condition to a physician may also place the entire health system at risk of a HIPAA violation if those images end up on an employee’s iCloud or are accidentally posted to Facebook. The concern is not that a staff member would deliberately share such information, but the risk of unintentional connectivity that extends from the consumer realm into the healthcare space.

In WellSpan’s case, the health system made a business decision to connect mobile staff, such as visiting nurses, via email, not text. Information shared among medical staff through mobile devices remains encrypted during transmission and does not enter the EHR until a physician forwards it to the records department so it may be added to the EHR.

“Our challenge,” says Dr. Baker, “is to try to leverage the consumerization of communications—text messaging, pictures, Skype, Facetime—to allow connectivity for the coordination of care, which is all the good stuff, while doing it in a way that protects the sanctity of security that HIPAA, I think, reasonably expects of us.”

Toward that end, WellSpan has installed a Symantec product on all laptops and USB drives, and has enforced encryption on all connected smart phones. Any file downloaded, copied, or received as an email is now automatically encrypted.

The IT team also has educated staff and physicians on why it’s necessary, for example, to enter a password to access a PowerPoint presentation.

Yes, it’s a pain, but already the approach has paid off. Last year, a WellSpan employee’s car was broken into and a laptop that contained protected health information (PHI) was stolen. The organization was able to sidestep a breach—and appearing on the dreaded Wall of Shame—because the IT Department could show the laptop was fully encrypted and in a locked state.

Mobile apps

Although WellSpan does not formally participate in an ACO program, the health system provides significant primary care through its medical group, effectively serving as an accountable care organization for the uninsured population in its community.

While many in this population don’t have a computer or high speed internet in their homes, a surprising number regularly access the Web via smart phones. With so many patients now bringing their own devices to facilities, WellSpan has opted to develop its own mobile app for patients, a move Dr. Baker expects to further improve quality of care.

The health system’s mobile app will offer appointment reminders, directions to offices and facilities, and barcode scanning for refilling medications—for starters.

Granted, such apps are widely available through third party vendors, but Dr. Baker feels mobile offers an opportunity to stay connected with a population of patients for whom it is WellSpan’s mission to keep healthier. After all, four 15-minute visits per year aren’t as effective at keeping a diabetic patient under control as a provider who can stay in touch monthly, or weekly, via the Web.

“If we’re going to reach our patients and give them information, then let them see what their lab results show, let them communicate with us when they get off their night shift at 4:00am, or after working a second job,” Dr. Baker says. “We need to be able to reach out to them through this technology.”

What questions do you have?

As a B2B journalist, John Farrell has covered healthcare IT since 1997 and is Intel’s sponsored correspondent.