Mobile device management (MDM) strategies for healthcare organizations


Protecting customer data is a top priority for any enterprise. Patient health information (PHI) carries even higher security stakes, requiring mobile device management (MDM) and accompanying strategies to secure this high-value information and ensure patient privacy.

Mobile strategies for HIPAA compliance

When users access PHI using an unsecured device, they are violating the Health Insurance Portability and Accountability Act of 1996, better known as HIPAA, according to HIT Infrastructure. Such violations bring costly fines and lots of bad press.

Further complicating the issue, doctors and other professionals accessing the data may not even be employees of the hospital where they are providing patient care. IT must prepare for this BYOD scenario. Creating BYOD policies for healthcare organizations requires:

  • Defining cases for acceptable use
  • Detailing privacy and data ownership expectations
  • Approving devices and device provisioning
  • Crafting security policies for BYOD devices
  • Evaluating risks and liabilities

It’s possible to bring mobile devices into HIPAA compliance by developing an MDM or enterprise mobility management (EMM) strategy and implementing the appropriate security policies to secure PHI and institution-owned or BYOD devices. Achieving such compliance may require bringing in a third-party professional services firm that specializes in mobility compliance. You should also be working with your outside auditor at every step of your mobile device rollout.

HIPAA compliance also extends to texting, group chat and instant messaging within a healthcare enterprise. There’s a growing list of HIPAA-compliant messaging solutions that target healthcare enterprises. Client apps for these solutions are often available for:

  • Corporate-owned devices
  • Employee-owned devices
  • Corporate-owned PCs
  • Personal PCs

Physical working environment

Healthcare workers are on their feet for eight- to 12-hour shifts, with much of that time spent responding to immediate patient needs and emergencies. These working conditions make it easy to leave a mobile device on a counter or a table, and the open nature of a hospital makes it easy for somebody to walk off with the device inconspicuously, never to be found.

MDM with geofencing, which uses a mobile device’s GPS to create a boundary that triggers a response when a user crosses it, can also keep PHI from leaving the healthcare facility. For example, you can set a policy that blocks access to hospital applications containing PHI on all corporate and BYOD devices running an MDM client app as soon as the user leaves your facility with the device. When the user returns for the next shift, the geofencing solution restores application access.
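The geofence decision described above, as an added example that is not code from the original post or from any MDM product. The facility coordinates, 200 m radius, 120-second freshness limit and all names are assumptions; the check fails closed when the fix is stale or its reported accuracy circle crosses the boundary.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000

# Assumed values for illustration: a constructed facility center and fence radius.
FACILITY = (38.9000, -77.0000)
FENCE_RADIUS_M = 200
MAX_FIX_AGE_S = 120  # older fixes are treated as "location unknown"

@dataclass
class Fix:
    ts: int            # seconds since the start of the sample trace
    lat: float
    lon: float
    accuracy_m: float  # radius of the position uncertainty reported with the fix

def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in meters."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def phi_access(fix, now):
    """'allow' only for a fresh fix whose whole uncertainty circle is inside the fence."""
    if fix is None or now - fix.ts > MAX_FIX_AGE_S:
        return "block"  # fail closed: no usable location means no PHI apps
    d = distance_m(fix.lat, fix.lon, *FACILITY)
    return "allow" if d + fix.accuracy_m <= FENCE_RADIUS_M else "block"

def replay(fixes):
    """Return (ts, decision) at each change of state, starting from 'block'."""
    events, state = [], "block"
    for f in fixes:
        decision = phi_access(f, now=f.ts)
        if decision != state:
            events.append((f.ts, decision))
            state = decision
    return events

# Constructed trace: on shift, walking to the edge, leaving, returning next shift.
TRACE = [
    Fix(0, 38.9000, -77.0000, 10),
    Fix(60, 38.9010, -77.0000, 20),     # ~111 m from center
    Fix(120, 38.9017, -77.0000, 30),    # ~189 m, but 30 m uncertainty crosses the fence
    Fix(180, 38.9050, -77.0000, 15),    # ~556 m, outside
    Fix(30000, 38.9000, -77.0000, 10),  # back for the next shift
]

if __name__ == "__main__":
    print(replay(TRACE))
```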

Wearables and connected devices

Wearables are becoming increasingly popular with consumers, and the healthcare field is finding ways to use wearables for patient monitoring outside the traditional healthcare setting. Healthcare providers may issue patients a wearable for use in monitoring a health issue. There are also patients who already own a wearable device that captures data that might help their doctor to further monitor their health condition.

Healthcare enterprises face many of the same challenges as a commercial enterprise when securing wearables, but they have the added need of strict HIPAA compliance. The amount of PHI data these wearables generate also prompts the need for strong data governance and an MDM strategy. Your data management policy will need to account for:

  • Patient data ownership
  • Privacy policy compliance
  • Cybersecurity protections over the data in transit and at rest

These challenges extend to medical devices such as insulin pumps, defibrillators, CPAP machines, cardiac monitoring devices and oxygen tanks equipped with IoT sensors for remote monitoring. These medical devices provide real-time information to caregivers and clinicians while enabling the patient to receive care at home. Sensors Online explains these devices face the following challenges:

  • Design: The design process for a remotely monitored device is different from those designed for in-hospital use and different from common IoT devices, such as telematics or security devices.
  • Certification: The often-underestimated wireless device certification process, which is separate from the FDA’s testing for all new wireless devices.
  • Collaboration: Connectivity challenges are posed from manufacturers all the way down to the people who manage these devices.

The OWASP Secure Medical Device Deployment Standard provides a guide and checklist for deploying these network-enabled devices. You can expect to see MDM vendors evolve their IoT security portfolios to secure these devices. Blockchain, the secure digital ledger, shows promise in helping secure medical devices, according to Network World, but it is an emerging security technology that still faces performance hurdles.

Mobile device management in healthcare organizations

The prognosis for implementing mobile device management in a healthcare enterprise is healthy if the healthcare institution’s IT staff works closely with their user community and outside auditors to implement HIPAA-compliant mobile solutions that empower clinicians and other healthcare professionals to serve their patients better.


This post originally appeared on Mobile Business Insights on January 11, 2018. The site is no longer in publication.


My name is Will Kelly. I’m a technical writer and content strategist based in the Washington, DC area. I’ve written for corporations and technology publications about such topics as cloud computing, DevOps, and enterprise mobility. Follow me on Twitter: @willkelly

Surviving the impending MDM market consolidation


Citrix acquired Zenprise. IBM acquired Fiberlink. Then VMware acquired AirWatch. Microsoft turned around and launched the Microsoft Enterprise Mobility Suite. These four market events may indeed shape the future of the Mobile Device Management (MDM) market by sparking even further MDM market consolidation.

Jason Frye, senior director, Office of the CTO at BMC Software says:

This market has an interesting interplay of device and OS manufacturers, enterprise infrastructure vendors and companies attempting to position themselves as “mobile platforms.” On one side you have Microsoft and IBM attacking the market with a set of very compelling technologies. What’s even more interesting is the EMS platform from Microsoft that both commoditizes (Windows Intune) and provides a very capable enterprise platform via [the] EMS platform (especially with the identity management component).

The EMS solution will quickly drive out of the market any standalone or weakly associated MDM-only solutions. The device and OS manufacturers compound the pressure at the lower end of the market with exceedingly capable built-in MDM features.

We then look to the non-affiliated mobile platform companies like Good and Mobile Iron. Some may consider VMware and Citrix here, but I would argue that their focus is elsewhere.

These organizations face a strong challenge of being disconnected from the “hub” of IT. And while companies in this space provide some very compelling capabilities, I find it difficult to believe that major enterprise organizations will continue to be satisfied with having to integrate mobile platform providers into their existing IT service management and operations infrastructure.

Frye also points to BlackBerry as a potential MDM acquisition because of their core technology:

When you look at this space from the view of the CIO, you will find that they prefer not to have to purchase solutions like MDM as a standalone offering or even as part of a mobile enterprise management solution. They expect support for mobility management simply [to] be a feature of their larger service management solution and, to this point, we should expect the market to move quickly in this direction.

When asked about the next likely company looking to make a purchase in the MDM space, Jon Schoen, vice president of business development at Seismic, tells me in an email interview, “The easy answer to this would be to just say Apperian, given their customer base and relatively broad product offering. I think, however, that the next likely acquisition will be by a carrier looking to offer as close as possible to a virtualized environment to enterprise customers.”

“We’ve seen the virtualization players acquire MDM capabilities (VMware, Citrix, SAP, IBM) so that seems to be the trend for a convergence of MDM and a virtualized world,” he adds. “That said, I think OpenPeak could be a likely first target by a carrier partner like AT&T sometime very soon. Also, OpenPeak just added a former AT&T exec responsible for OpenPeak deployment to AT&T customers to its leadership team in a newly-created role of president.”

MDM market consolidation is only going to continue. In Part 2 tomorrow, I have some tips on how enterprises can survive MDM market consolidation.

Surviving the Impending MDM Market Consolidation, Part 2

As I showed in part 1, the mobile device management (MDM) market is still rich in acquisition targets. Enterprises relying on MDM should be attentive to this market. If their MDM provider gets acquired, it could affect their bring your own device (BYOD) and enterprise mobility strategies. At the least, it can affect the vendor/customer relationship.

Here are some survival tips for the impending MDM market consolidation.

1. Keep an open line of communication with your MDM vendor

Keeping an open line of communication is perhaps the most important tip for surviving MDM market consolidation. Jeff Mitchell, vice president of sales at AirWatch, told me in an email that communication and consistency have been key to the AirWatch sales team throughout its acquisition by VMware. “We sent out several communications and held one-on-ones with customers, engaged closely with VMware reps and hosted joint briefings with the goal of sharing our joint vision and why our partnership is great for our customers.”

A Fiberlink spokesperson told me that clear and consistent communications with customers were essential in setting customer expectations during the startup’s purchase by IBM. The sales and support teams received relevant information to provide regular updates and answer customer questions.

If your MDM vendor isn’t communicative during an acquisition, press the vendor yourself.

2. Know the support transition plan

It’s natural to expect that, once a large player acquires an MDM startup, the technical support team joins a larger support organization. Fiberlink said that preserving its reputation as a responsive and trusted EMM partner was a key goal during its transition. The startup wanted customers to have the same access to sales and support as they did before the acquisition.

3. Read the fine print

Review your contract with your MDM provider, so you know your options in the event the vendor is acquired, especially when it comes to refunds, pricing guarantees, or other protections and incentives you might have available as a customer.

4. Know your MDM API requirements

If you are using an application programming interface (API) to integrate your MDM with other applications, know your integration requirements in case you switch MDM solutions. Likewise, if your vendor is acquired, you need to ask how its API will fare in the new product roadmap.

5. Balance the innovation of a startup solution with an exit strategy

Some of the more exciting product demos I’ve seen in the past year have been from MDM startups. My advice is not to shy away from a startup MDM vendor, but have an exit strategy if it goes out of business or if the terms of doing business with it after an acquisition no longer suit your needs.

This post was originally published in two parts on The Mobility Hub on May 27 & 28, 2014.


Will Kelly is a technical writer and analyst based in the Washington, DC area. His writing experience also includes writing technology articles for CNET TechRepublic and other sites. Will’s technology interests include collaboration platforms, enterprise mobility, Bring Your Own Device (BYOD), project management applications, and big data. Follow him on Twitter: @willkelly.