Beyond the iPad: Securing Tablets in the Clinical Setting
Company News - Billian's HealthDATA
Properly securing patient data goes far beyond a physician's user name and password.
Facility-issued computers - from desktops to Carts on Wheels (COWs) - are typically enabled with various security settings that ensure patient data is seen only by the right people at the right time in the right settings (and that's the simple explanation). As the tablet form of computing becomes more popular day by day, and doctors bring their personal devices to work, healthcare organizations are having to rethink their security strategies.
Personal Devices
Larger organizations like the Kaweah Delta Health Care District and WellSpan Health System consider the iPad a personal device, and so have not yet instituted a formal management strategy with regard to their physicians' use of these kinds of tablets. The ability to connect to a Citrix Receiver is necessary, however, if physicians want to use their tablets in any type of clinical setting.
The Citrix Receiver application "allows organizations to manage the proliferation of new devices entering the workplace by providing secure, high-performance delivery of virtual desktops and Windows, web and SaaS applications on any user device," according to the company.
"The iPad is a very successful consumer product," says Donald Slow, IT Program Manager at York, Penn.-based WellSpan Health System. "Other tablets have had limited success in the clinical space. Because of this, WellSpan Desktop Services is building solutions to allow our application users to connect regardless of hardware and operating system."
The thinking is much the same at Visalia, Calif.-based Kaweah Delta Health Care District, whose doctors use the iPad to view X-ray images, examine patient records and access their desktops. "Kaweah Delta does not provide equipment for physicians," explains Dave Gravender, Vice President and CIO, Kaweah Delta. "The only requirement is that the hardware is capable or has a Citrix Receiver client. We provide information to the physicians on how to set up the Citrix client and they self-service configure. They already have Citrix credentials assigned via access from home and office. Since we use the Citrix platform for connectivity, no data is stored on the devices. We do enforce the security code entry during device startup. Upon a certain number of failed attempts, the device will self-erase."
Issued Devices
Some facilities choose to issue tablets to their physicians, and as a result, have developed a formal management and security policy for those technologies.
Sacramento-based UC Davis Health System has provided its clinicians with specialized tablet computers for a number of years. One such example is Motion Computing's Motion CV5, a tablet designed for healthcare settings. "Meaning it's hardened (won't break if you drop it on a hard floor); you can literally wash the device with alcohol without hurting it (to sterilize the computer after using it in a patient room or surgery suite); and has an optional barcode reader if used for barcode-supported medication administration," explains CIO Mike Minear.
"We have only deployed around 80 of these computers, and for the time being their use is limited," he says. "The key issue for tablets is that very little of the software applications we use are 'pen enabled.' Also, tablets are great for viewing data, but without pen-enabled software, tablets often are not as useful to enter a lot of data with. In most healthcare settings, clinicians need to both view and input data, and a real keyboard and mouse is hard to beat."
Minear adds that for the reasons above, iPad adoption in the clinical setting doesn't look as promising as some news reports would have readers believe. "We probably have over 100 physicians, nurses and other clinicians using some form of tablet computer that UC Davis Health System has provided," he says. "I know many have their own iPads, but due to some technical issues with the iPad (for example, the browser does not support all functions such as Flash), not all software is accessible from the iPad."
He does, however, feel that it will be a great benefit to doctors on call and off site. "The UC Davis Health System uses the Epic Systems electronic health record, and this vendor is coming out with an iPad version of its EHR software for clinicians called Canto. I believe the iPad version of Epic will be most valuable to clinicians on call - where they must quickly access a patient's clinical information off site and off hours. This may be the sweet spot for the iPad and the Epic EHR version."
The UC Davis IT department has a number of technologies in place to secure devices that access the system's software and patient health information. "We make extensive use of encryption technologies when software/data is accessed via a network," Minear explains, "and we also encrypt microcomputers and mobile computers. We support encrypted emails, and have a tethered Personal Health Record that allows our clinical care teams to send and receive secure messages with patients. We also have multiple layers of firewalls, intrusion protection and network access control technology that secures the networks that tablets or other computers utilize."
Security Solutions
Physical theft and the compromising of patient data are the top concerns of providers when it comes to securing tablets, according to Clay Bozard, President of Advance2000 Inc.'s Medical Division. The company offers multiple security solutions including encryption and desktop virtualization, which enables the tablet to act as a data access device, and ensures that all patient and other sensitive information stays in the company's HIPAA-compliant data center.
"Most customers are definitely heading towards tablets," says Bozard. "In physician practices, tablets are often preferred for e-signature capabilities. The use of iPads is growing in hospitals because of the lower cost, increased mobility and longer battery life compared to laptops."
Bozard explains that, in his opinion, there are unique security challenges in the cases of both personal and hospital-issued devices. "Where hospitals provide the device, there is the concern of accountability and cost," he says. "How do hospitals assign devices, especially with an affiliate physician model? How many devices do hospitals purchase - one for each physician? In the scenario of allowing physicians to bring in their own device, how does the hospital provide support to a device they don't own or manage?
"My opinion is that allowing physicians to bring in their own device is the best approach," Bozard says. "To mitigate the network security and management risk, device fingerprinting and desktop virtualization can be used. Device fingerprinting is a technology feature in wireless networks that identifies specific devices and allows them to only access specific resources. The technology can fingerprint a physician-owned device, a hospital-owned device, a patient-owned device or even wireless medical equipment, and segment them on your network. The physician devices may only have access to virtual desktops that are managed by the hospital. This design would address both the network security concern and the device management concern."
Tablet Take Over?
The popularity of tablets like the iPad can't be denied, and neither can the security measures that healthcare organizations must implement to integrate them into physicians' workflows. As tablet technologies evolve and mobile healthcare becomes somewhat standardized, providers will have to reassess and evolve their security measures. After all, the patient that oohs and ahhs over a set of X-ray images on their doctor's new iPad should also rest easy in the knowledge that their healthcare information is safely locked behind digital doors.
Source: Billian's Healthdata