Let’s say a physician at your organization, who I’ll call Dr. Knowhow, approaches a member of your IT department and asks whether she can use her new smartphone to tap into the organization’s network and interface with the electronic health record (EHR). How do you respond? Do you say yes?
There is no easy answer to Dr. Knowhow’s question. However, there are a number of things to consider when determining the most appropriate answer for your organization.
On one hand, when an organization has a “bring your own device” (BYOD) policy, it can introduce a whole host of risks. For example, how do you protect each device to avoid jeopardizing patient privacy and health information security? How do you limit access to the device to prevent inadvertent data breaches?
Compatibility issues are also present if providers bring in devices that don’t work well with your operating system, wireless network, or software applications. Plus, it seems like every week a new device hits the market. Keeping up with emerging trends and supporting all these devices can put undue strain on your IT department.
On the other hand, BYOD can have some advantages in terms of increasing provider engagement with health information technology (HIT). While physicians have been slow to embrace HIT solutions, such as EHRs, they are early adopters when it comes to smartphones, tablets, and other state-of-the-art hardware. By allowing providers to use their own devices at work, you can potentially boost user adoption of and comfort with HIT tools—not to mention reducing the costs associated with purchasing hardware for physician use.
Before you allow providers to bring their own device, it is important to set up policies and procedures that govern what types of technology you will permit and how you will support those tools. Within these policies, there should be a defined and required process for loading organization software, VPN, firewalls for security, and so on. Your organization may even want to install software that helps you locate and track a device if it gets lost or stolen, and, if necessary, wipe the data remotely.
Fundamentally, a BYOD policy can’t be a “bring any device” (BAD) policy. There must be strict parameters in place to govern what can come in to the organization and how it will be supported. A strong infrastructure is essential to mitigating risk and ensuring that devices facilitate optimal patient care instead of hindering it. To that end, you should work with your vendor to review which mobile devices they have tested or which they recommend and in what settings (office, hospital rounding, etc.) their applications are best suited.
So, getting back to the scenario at hand, allowing Dr. Knowhow to bring her own device depends on whether you have a BYOD policy, what’s included in that policy, and whether or not users understand their roles and responsibilities. Taking each of the aforementioned items into consideration is essential to instituting a BYOD policy which may help to increase usability and, ultimately, provider satisfaction.
Has your organization implemented BYOD? How did you manage the policy?