Mobile device management (MDM) strategies for healthcare organizations

Photo by rawpixel.com from Pexels

Protecting customer data is a top priority for any enterprise. Protected health information (PHI) carries even higher security stakes, requiring mobile device management (MDM) and accompanying strategies to secure this high-value information and ensure patient privacy.

Mobile strategies for HIPAA compliance

Accessing PHI from an unsecured device can put a healthcare organization in violation of the Health Insurance Portability and Accountability Act of 1996, better known as HIPAA, according to HIT Infrastructure. Such violations bring costly fines and lots of bad press.

Further complicating the issue, doctors and other professionals accessing the data may not even be employees of the hospital where they are providing patient care. IT must prepare for this BYOD scenario. Creating BYOD policies for healthcare organizations requires:

  • Defining cases for acceptable use
  • Detailing privacy and data ownership expectations
  • Approving devices and device provisioning
  • Crafting security policies for BYOD devices
  • Evaluating risks and liabilities

It’s possible to bring mobile devices into HIPAA compliance by developing an MDM or enterprise mobility management (EMM) strategy and implementing the appropriate security policies to secure PHI and institution-owned or BYOD devices. Achieving such compliance may require bringing in a third-party professional services firm that specializes in mobility compliance. You should also be working with your outside auditor at every step of your mobile device rollout.

HIPAA compliance also extends to texting, group chat and instant messaging within a healthcare enterprise. There’s a growing list of HIPAA-compliant messaging solutions that target healthcare enterprises. Client apps for these solutions are often available for:

  • Corporate-owned devices
  • Employee-owned devices
  • Corporate-owned PCs
  • Personal PCs

Physical working environment

Healthcare workers are on their feet for eight- to 12-hour shifts, with much of that time spent responding to immediate patient needs and emergencies. These working conditions make it easy to leave a mobile device on a counter or a table, and the open nature of a hospital makes it easy for somebody to walk off with the device inconspicuously, never to be found.

Having MDM with geofencing, which uses a mobile device’s location services (GPS, Wi-Fi and cellular positioning) to define a boundary that triggers a response when the device crosses it, can also help keep PHI from leaving the healthcare facility. For example, you can set a policy that blocks access to hospital applications containing PHI on all corporate and BYOD devices running the MDM client as soon as the user leaves your facility with the device. When they return for their next shift, the geofencing policy restores their application access. The position a geofence acts on is reported by the device itself, so treat geofencing as a containment and usability control layered on authentication, encryption and remote wipe, not as a substitute for them.
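To make that policy concrete, here is an added Python example (not code from the original post or from any MDM product) of how a geofence decision is evaluated over a stream of device location fixes. The facility coordinates, the 200 m radius, the 50 m hysteresis margin and the 100 m accuracy cutoff are assumed values chosen for illustration, and the location fixes are constructed. Beyond the in-or-out check described above, it adds two things a real deployment needs: a hysteresis margin so a device standing near the boundary does not flip PHI access on and off with every fix, and a rule for fixes whose reported accuracy is too poor to trust.

```python
import math
from dataclasses import dataclass
from typing import List, Sequence, Tuple

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS-84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass(frozen=True)
class Geofence:
    name: str
    lat: float
    lon: float
    radius_m: float
    # Margin applied only while the device is already inside, so a fix that
    # drifts a few metres past the edge does not flip PHI access off and on.
    hysteresis_m: float = 50.0


@dataclass(frozen=True)
class LocationFix:
    lat: float
    lon: float
    accuracy_m: float  # horizontal accuracy as reported by the device


def is_inside(fence: Geofence, fix: LocationFix, currently_inside: bool) -> bool:
    """Leaving requires passing radius + hysteresis; re-entry requires the radius."""
    distance = haversine_m(fence.lat, fence.lon, fix.lat, fix.lon)
    limit = fence.radius_m + (fence.hysteresis_m if currently_inside else 0.0)
    return distance <= limit


def evaluate_fixes(
    fence: Geofence,
    fixes: Sequence[LocationFix],
    max_accuracy_m: float = 100.0,
    start_inside: bool = True,
) -> List[Tuple[bool, str]]:
    """Replay location fixes and return (inside, action) for each one.

    'allow' and 'block' gate the PHI application group. 'hold' means the fix
    was too imprecise to trust, so the previous decision is kept. Holding is
    the permissive choice for poor indoor GPS; a stricter deployment would
    fail closed or consult a Wi-Fi based fence as a second signal.
    """
    inside = start_inside
    decisions: List[Tuple[bool, str]] = []
    for fix in fixes:
        if fix.accuracy_m > max_accuracy_m:
            decisions.append((inside, "hold"))
            continue
        inside = is_inside(fence, fix, inside)
        decisions.append((inside, "allow" if inside else "block"))
    return decisions


if __name__ == "__main__":
    # Constructed sample: a fence around a hypothetical facility and a worker
    # walking out of and back into it along a line of longitude
    # (0.001 degree of latitude is roughly 111 m).
    fence = Geofence("Main Campus", 38.8977, -77.0365, radius_m=200.0)
    offsets = (0.0, 0.0015, 0.0021, 0.0030, 0.0021, 0.0010)
    fixes = [LocationFix(fence.lat + d, fence.lon, 10.0) for d in offsets]
    for fix, (inside, action) in zip(fixes, evaluate_fixes(fence, fixes)):
        dist = haversine_m(fence.lat, fence.lon, fix.lat, fix.lon)
        print(f"{dist:6.1f} m  {action}")
```

Running the file prints the distance and decision for each fix: the 233 m fix while still inside is allowed because of the hysteresis margin, the 334 m fix blocks access, the next 233 m fix stays blocked because re-entry requires the plain radius, and the 111 m fix restores access. Whether to hold, fail closed or fall back to a network-based fence on imprecise fixes is a policy choice; since the device reports its own position, none of these variants replaces authentication, encryption and remote wipe.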

Wearables and connected devices

Wearables are becoming increasingly popular with consumers, and the healthcare field is finding ways to use wearables for patient monitoring outside the traditional healthcare setting. Healthcare providers may issue patients a wearable for use in monitoring a health issue. There are also patients who already own a wearable device that captures data that might help their doctor to further monitor their health condition.

Healthcare enterprises face many of the same challenges as a commercial enterprise when securing wearables, but they have the added need of strict HIPAA compliance. The amount of PHI data these wearables generate also prompts the need for strong data governance and an MDM strategy. Your data management policy will need to account for:

  • Patient data ownership
  • Privacy policy compliance
  • Cybersecurity protections over the data in transit and at rest

These challenges extend to medical devices such as insulin pumps, defibrillators, CPAP machines, cardiac monitoring devices and oxygen tanks equipped with IoT sensors for remote monitoring. These medical devices provide real-time information to caregivers and clinicians while enabling the patient to receive care at home. Sensors Online explains these devices face the following challenges:

  • Design: The design process for a remotely monitored device differs both from that of devices built for in-hospital use and from that of common IoT devices such as telematics or security sensors.
  • Certification: Wireless certification is an often-underestimated process that is separate from the FDA’s review of the medical device itself.
  • Collaboration: Connectivity problems span the chain from manufacturers down to the people who manage the devices, and solving them requires everyone in that chain to work together.

The OWASP Secure Medical Device Deployment Standard provides a guide and checklist for deploying these network-enabled devices. You can expect to see MDM vendors evolve their IoT security portfolios to secure these devices. Blockchain, a distributed ledger, shows promise in helping secure medical devices, according to Network World, but it is an emerging security technology that still faces performance hurdles.

Mobile device management in healthcare organizations

The prognosis for implementing mobile device management in a healthcare enterprise is healthy if the healthcare institution’s IT staff works closely with their user community and outside auditors to implement HIPAA-compliant mobile solutions that empower clinicians and other healthcare professionals to serve their patients better.


This post originally appeared on Mobile Business Insights on January 11, 2018. The site is no longer in publication.


My name is Will Kelly. I’m a technical writer and content strategist based in the Washington, DC area. I’ve written for corporations and technology publications about such topics as cloud computing, DevOps, and enterprise mobility. Follow me on Twitter: @willkelly

5 Lessons from healthcare BYOD


Healthcare institutions and Bring Your Own Device (BYOD) policies might seem at odds due to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and concerns over Personally Identifiable Information (PII).

However, the healthcare IT experts I spoke with describe the same concerns about endpoint security, data governance, and mobile device management (MDM) as any other industry, with the added burden of stringent compliance programs that protect patient information.

Here are five lessons from healthcare BYOD for other industries:

1. BYOD can interconnect organizations and cross hierarchies
“Healthcare has had to adapt to what doctors do,” says Chris Davis, senior solutions architect, Verizon Enterprise Solutions. “The healthcare industry is a collection of providers agreeing to participate together, much different from some of the other corporate-driven practices and hierarchies.”

“It’s from necessity, not out of design,” adds Davis about healthcare BYOD. Early adopters, even Millennials, aren’t what drives the healthcare BYOD discussion.

2. Outsourcing enterprise mobile and BYOD security is an option
Changes in mobile devices and mobile security technologies can be hard for some companies to manage. This is leading to a growing outsourcing market for BYOD and mobile security including managed service providers and professional services firms.

Julee Thompson, Chief Healthcare Executive for Sprint, recommends that healthcare institutions seek out technology partners to handle mobile/BYOD security. This advice applies across industries as organizations of all sizes move to secure their endpoints and corporate data.

3. Separate data from the device for BYOD security
HIPAA focuses on protecting the data, not the device. This leads healthcare IT to protect data with virtual desktop infrastructure (VDI) and SaaS-based applications, keeping patient data and PII off employee devices.

“It depends on what you are using the device for. As an example, device security really is the thing most providers and administrators are going to be concerned about with BYOD,” says Daniel Cane, CEO of Modernizing Medicine, a provider of cloud-based Electronic Medical Records software. “If the data isn’t residing on the device, I think it’s a lot easier to have a BYOD environment.”

4. Compliance programs raise the stakes for BYOD
“The ramifications for a security breach in a traditional corporation are a heck of a lot less draconian than a breach with HIPAA,” says Cane. “A HIPAA breach is a lot more punitive than a software breach, so BYOD, if you aren’t using cloud applications, can get very scary, very quickly.”

He also adds that information is the asset that has to be protected whether that is on corporate or personal computing devices.

5. Keep lost devices a focus of BYOD security
Healthcare is a highly mobile profession with a user community that’s literally on their feet all day running from crisis to crisis. It’s easy for a healthcare practitioner to set their device down and lose it, more so than for traditional office workers. Verizon’s Davis and nearly every healthcare IT expert I’ve spoken with on the subject of BYOD point to lost devices as a major security concern for healthcare institutions. Lost-device security concerns drive the need for MDM solutions and early interest in emerging mobile security technologies like geofencing.

There’s a lot to learn about BYOD security management from the healthcare industry because of the unique challenges they face from maintaining HIPAA compliance and dealing with sensitive information.

Would it bother you if your doctor’s office went BYOD?

Image by freeimages.com user: LeoSynapse

This post was originally posted on The Mobility Hub on April 9, 2014

Will Kelly is a technical writer and analyst based in the Washington, DC area. His writing experience also includes writing technology articles for CNET TechRepublic and other sites. Will’s technology interests include collaboration platforms, enterprise mobility, Bring Your Own Device (BYOD), project management applications, and big data.

Making mobile first in healthcare


Mobility poses risks in healthcare, especially when it comes to compliance. However, organizations are embarking on “mobile-first” health IT strategies by focusing on web frameworks, management support, and mobile security training tailored to the healthcare user community. Kaiser Permanente and the Department of Defense Military Health System are two examples pioneering mobile health.

Previous Mobility Hub blogs, such as Healthcare Needs Pervasive Mobile Policy and Healthcare BYOD Is Risky Business, point to many of the risks that mobility poses in healthcare, especially in the age of HIPAA. However, there are signs that a mobile-first health IT strategy is possible.

Large commercial and military healthcare providers are making strides in mobility. Kaiser Permanente has also been making headlines with its mobile-first approach to customer apps. The company extended its original and very robust web presence to mobile apps.
Both of these apps secure patient information using existing Kaiser Permanente membership information and enable appointment making, refilling prescriptions, and emailing Kaiser Permanente doctors.

Kaiser Permanente launched its latest mobile initiative earlier this year, and made a point to wrap its web and mobile security together. That could be reassuring for some skeptical customers. Details were covered in a press release:

Users’ personal health information is safe and secure while using the new app and the mobile-friendly kp.org, which employ the same security safeguards that protect patient information on the traditional kp.org website, including secure sign-on and automatic sign-out after a period of inactivity.
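The “automatic sign-out after a period of inactivity” in that press release is a server-side idle timeout. As an added example (not Kaiser Permanente’s code or the original post’s), the Python sketch below shows how that control works and pairs it with the absolute lifetime cap a practitioner would want alongside it, since an idle timeout alone lets any session that keeps making requests live forever. The 15-minute and 8-hour defaults, the user ids and the FakeClock are assumptions for illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float


class SessionStore:
    """Server-side sessions with an idle timeout and an absolute lifetime.

    idle_timeout_s implements "automatic sign-out after a period of
    inactivity". max_lifetime_s caps a session regardless of activity, so a
    session left open on a shared workstation or captured by an attacker
    cannot be kept alive indefinitely by periodic requests. The clock is
    injectable so expiry can be exercised without sleeping; the default is a
    monotonic clock, which wall-clock adjustments cannot move backwards.
    """

    def __init__(
        self,
        idle_timeout_s: float = 15 * 60,
        max_lifetime_s: float = 8 * 60 * 60,
        clock: Callable[[], float] = time.monotonic,
    ) -> None:
        self.idle_timeout_s = idle_timeout_s
        self.max_lifetime_s = max_lifetime_s
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: str) -> str:
        """Start a session and return an unguessable opaque token."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user_id, created_at=now, last_seen=now)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user id for a live session; expired ones are revoked and yield None."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        idle_expired = now - session.last_seen > self.idle_timeout_s
        lifetime_expired = now - session.created_at > self.max_lifetime_s
        if idle_expired or lifetime_expired:
            self.revoke(token)
            return None
        session.last_seen = now  # activity slides the idle window, never the hard cap
        return session.user_id

    def revoke(self, token: str) -> None:
        """Explicit sign-out; unknown tokens are ignored."""
        self._sessions.pop(token, None)


class FakeClock:
    """Manually advanced clock (assumed test helper, not production code)."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    store = SessionStore(idle_timeout_s=900, max_lifetime_s=3600, clock=clock)
    token = store.create("clinician-42")
    clock.now = 800
    print(store.validate(token))  # clinician-42: 800 s idle is within 900 s
    clock.now = 1800
    print(store.validate(token))  # None: 1000 s idle exceeds the timeout
```

The design point is the pair of checks in `validate`: a request refreshes `last_seen` and so extends the idle window, but `created_at` never moves, so a session that is touched every few minutes still ends when the absolute lifetime is reached. Revoking on the first failed check also means an expired token cannot be revived by a later request.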

Part of Kaiser’s extension of web to mobile is an in-depth privacy statement that covers customer information and privacy both on the web and through its mobile apps.
Kaiser’s approach is a step above my own homegrown efforts to use my personal iPad and email to manage doctor appointments and communications. Recent write-ups show the number of Kaiser customers interacting with the company to be on the rise.

DOD requires innovation and balance
When I look for prime examples of mobile-first health IT strategies, I look to the United States Department of Defense rather than a major urban hospital. A recent FederalNewsRadio.com guest editorial by Mark Goodge, the CTO of the Military Health System, paints a picture of the challenges its mobile strategy faces in trying to serve beneficiaries both on active duty and retired from service.

The DOD is regularly rolling out apps to help treat a variety of physical and mental ailments with the apps becoming a valuable extension of traditional medical care.

Healthcare organizations are in the business of healthcare — not IT, much less mobile devices. While the end-user community can be awfully smart, they aren’t tech people. This means that mobile security education needs to be ongoing and focused on the audience, which may have specific needs.

In the end, a mobile-first health IT strategy needs to have a customized mobile security education program as its foundation. Healthcare workers need to learn mobile security as it applies to their world, not from a stock mobile security class.

Mobile-first healthcare strategies face cultural, compliance, and industry challenges. It is a necessity to accommodate patients and a diverse healthcare workforce, however, so IT must take a holistic approach to mitigate the risks while improving doctor/patient communications and overall patient care.

Image by freeimages.com user: kikashi

This post was originally published on The Mobility Hub on January 25, 2013
