How does a CIO craft a bring-your-own-device strategy for a medical establishment? Between shifting regulatory requirements, steep fines for exposing patient data and big professional egos, it can be a high-wire act. Just ask Jason Thomas, CIO and director of information technology at the Green Clinic Health System, a large private practice based in Ruston, La., that has six satellite locations and 450 employees.
"You've seen the movie Office Space, where the character complains about having eight different bosses? Well, I have 54," said Thomas, who joined the physician group five years ago. "Every doctor in our organization is an owner. And when they don't like the equipment you give them, they bring in their own."
Three years ago, the physicians' prerogative wasn't much cause for concern. Green Clinic locations didn't have Wi-Fi and the docs "couldn't do much" with their phones, Thomas said. By late December 2010, however, a perfect storm was brewing: Investing upwards of a million dollars, the practice had gone live with an electronic medical record system, a robust wireless system was in place to support EMRs, and the battery life on personal devices was improving. Oh yes, and Apple had rolled out the first iPads. There now was plenty of work that could be done on personal devices. "We had to have some policy in place," he said. "Our BYOD strategy started as a reactive measure to the equipment they were bringing in, new phones, laptops, tablets."
A BYOD strategy shaped by HIPAA and HITECH, subject to controls
The Health Insurance Portability and Accountability Act (HIPAA) and tough new data breach laws ushered in by the Health Information Technology for Economic and Clinical Health (HITECH) Act provided another push to craft a BYOD strategy, Thomas said. "For every instance of willful noncompliance, the fine is $10,000. If two people decided to bring in the same phone and do the same dumb thing with it, that's $20,000."
One thing that helped keep Green Clinic on the right side of the law was Microsoft Terminal Services (now Remote Desktop Services), Redmond's version of thin-client computing.
"All our applications are Windows-based. If you came in with an iPad, there was no app for it," Thomas said. "So, we were able to get them all using a remote desktop app to pull up a Windows desktop and access medical apps that way." Tablets and phones are managed using Microsoft ActiveSync. "They bring it in and ask us to set it up. We join it to our Exchange Server, which automatically encrypts the device and puts a pin code lock on it, so if it is stolen or lost, nobody can get into it," he said.
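The ActiveSync behavior Thomas describes, where joining a phone or tablet to Exchange automatically enforces encryption and a PIN lock, is driven by an ActiveSync mailbox policy on the server. The following is an added example, not Green Clinic's actual configuration, showing an Exchange 2010 policy with those controls, the assignment of that policy to a mailbox, a check that a device actually applied it, and the remote-wipe step for a lost device. The policy name, mailbox alias, device model filter and notification address are assumed placeholders.

```powershell
# Added example (assumed values; not the clinic's configuration).
# Run from the Exchange 2010 Management Shell.

$policyName = 'BYOD-Clinical'   # assumed policy name

# 1. Create a policy that requires a PIN and device encryption.
#    AllowNonProvisionableDevices $false refuses devices that cannot
#    apply the policy, so an unmanaged device never starts syncing mail.
#    MaxDevicePasswordFailedAttempts causes a local wipe after 10 bad PINs.
New-ActiveSyncMailboxPolicy -Name $policyName `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock '00:05:00' `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -DevicePolicyRefreshInterval '01:00:00'

# 2. Assign the policy to a user's mailbox (assumed alias).
Set-CASMailbox -Identity 'jdoe' -ActiveSyncMailboxPolicy $policyName

# 3. Verify that each device paired with the mailbox reports the policy
#    as applied. Enforcement happens on the device, so this is the check
#    that matters for compliance, not the existence of the policy itself.
Get-ActiveSyncDeviceStatistics -Mailbox 'jdoe' |
    Select-Object DeviceType, DeviceModel, LastSyncAttemptTime,
                  DevicePolicyApplied, DevicePolicyApplicationStatus |
    Format-Table -AutoSize

# 4. Lost or stolen device: issue a remote wipe and have Exchange mail
#    IT when the device acknowledges it (assumed model filter and address).
$lost = Get-ActiveSyncDevice -Mailbox 'jdoe' |
    Where-Object { $_.DeviceModel -eq 'iPad' }
if ($lost) {
    Clear-ActiveSyncDevice -Identity $lost.Identity `
        -NotificationEmailAddresses 'it@example.invalid' `
        -Confirm:$false
}
```

The point of step 3 is that Exchange only hands the policy down; the client has to honor it. A device whose DevicePolicyApplicationStatus is anything other than applied is the one to chase, and setting AllowNonProvisionableDevices to $false keeps devices that cannot apply the policy from syncing protected data in the first place.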
Doctors continue to use their personal laptops at work -- but now with the stipulation that these are managed like any other clinic device. "The only thing above and beyond is we give them local admin rights on their machine, so they can do what they want with it when they take it home," Thomas said. Data is automatically encrypted on the hard drive and in transmission, with the help of the K1000 and K2000 series of the Dell KACE systems management appliance, which Thomas uses to manage Green Clinic's IT systems. The KACE agent also allows Thomas to support a device remotely and wipe the hard drive if it's lost or stolen.
"Other than our forcing them to buy their own upgrades to make their personal devices compatible with our systems, most of the docs have been extremely supportive" of the BYOD protocol, Thomas said. "They know HIPAA-HITECH has given us a fine line on what they can do."
IT as BYOD consultant
As the trend toward using personal devices at work has picked up steam, Thomas and his IT organization find themselves taking a more proactive approach to their BYOD strategy, even acting as consultants to employees in the market for a new device. "We are a service organization," Thomas said. "I tell people that we need their input to make sure that what they buy works on our systems and doesn't put a big hole in their pocket."
Last summer, for example, when back-to-school deals were in the offing, Thomas said IT sent out notices offering to help: "Come talk to us. We can tell you what some of the capabilities are, what other people bought, or additional costs." That new laptop from Best Buy with Windows 7 Home, for example, would have to be upgraded -- at the employee's expense -- to Windows Professional to work with clinic systems. As for Mac lovers, they are duly warned they're not only buying a more expensive machine than a PC but will also pay a premium to have Windows on it.
As a result of the advice, "doctors see us as a resource and not somebody that's telling them to change a password," Thomas said. That goes for Green Clinic staff too. "It's been a drastic change for us. We have people bringing us cookies all the time."
Let us know what you think about the story; email Linda Tucci, Executive Editor.