Addressing Security for iPads, iPhonesCancer Treatment Centers of America's CIO Describes Project
A national network of cancer hospitals that has relied heavily on laptop computers for clinicians accessing electronic health records is phasing in iPads and iPhones, taking steps to mitigate the security risks involved.
As it rolls out Apple mobile devices, Cancer Treatment Centers of America initially is limiting users to view-only access to clinical information, says Chad A. Eckes, CIO. At first, clinicians won't be able to use the devices to place an order or add to a patient's record. That's mainly because the new mobile version of the hospitals' EHR system, from Allscripts, does not yet offer robust data entry functionality, he says in an interview with HealthcareInfoSecurity's Howard Anderson (transcript below).
The chain of cancer hospitals took a thin-client approach to the use of laptops, and later, tablet PCs, giving users access to data and applications stored on a centralized server and generally not allowing storage of information on the devices themselves. This approach, which relies on a Citrix Systems network, helps enhance security, Eckes contends.
Hospitals across the country need to embrace the movement toward mobile devices knowing that security issues can be adequately addressed, he stresses. "The mobile device wave reminds a lot of us of the transition from mainframe green screen terminals to moving over to PCs," he says. "Whether we like it or not, it's coming and we need to embrace that level of change."
In the interview, Eckes also:
- Points out that the hospitals likely will eventually accommodate the use of tablets and smart phones that run the Android system;
- Explains why the organization chose not to accommodate personally-owned mobile devices in the initial phase;
- Describes how the use of encryption will be expanded to new mobile devices.
As chief information officer of Cancer Treatment Centers of America, Eckes leads efforts to provide innovative technology solutions to improve patient care. Before joining the company, Eckes consulted for Ministry Healthcare, implementing the first all-digital hospital in Wisconsin. Earlier, he held senior leadership positions at insurance and consulting companies.HOWARD ANDERSON: For starters, why don't you tell us a little bit about Cancer Treatment Centers of America and the services it offers?
CHAD ECKES: Cancer Treatment Centers of America is a specialty hospital organization. We treat complex and late-stage cancers all under one roof. We combine the absolute best of leading-edge traditional oncology therapies and augment those services with complimentary therapies like mind-body medicine, naturopathic services and the like. Our facilities are in greater Philadelphia, greater Chicago, Tulsa, Oklahoma, and the greater Phoenix market place. We have a clinic in Seattle, and we're in the process of building a new hospital down in the greater Atlanta marketplace.
Embracing Mobile Devices
ANDERSON: I understand that for some time now your hospitals have relied heavily on laptop computers rather than desktop devices, and now you're moving toward enabling clinicians to use a wider variety of mobile devices. Why have you relied so heavily on laptops from the beginning, and why are you expanding the mobile devices that can be used?
ECKES: In our environment, our goal has always been to get our data processing as close to the patient as possible. That meant that we would have highly mobile devices that would be moving with the provider to the patient's side. We started out by using laptops .... [and then we] integrated tablet PCs into our environment, especially when we rolled out the electronic health record back in 2008. That allowed our physicians to work in more of a point-and-click environment for much of what they were doing.
As we look at the future right now, we're realizing that the demands of interacting with patient information are becoming greater. We want more information pushed out to the patient side ... and our physicians want that information to come in a smaller form factor. I think we're all pretty aware of carrying around a heavy PC and in order to get enough battery life, you have these large batteries that are hooked up, and that becomes quite frustrating and inconvenient. We've tried solving that problem in the past with having docking stations and the like, but we really hadn't seen any good solutions until the latest trends of tablets coming onto the market. And when we reference tablets, we're referencing devices like iPads. The form factor is light, the battery life is great, the size is large enough ... to get the information that you require. But most importantly, that device can go wherever the physician and/or nurse would be going. That became an opportunity for us to start figuring out how to give access to our applications in a manner that would be useable on a screen that size.
The second reason why we want to augment the laptop environment in our space going forward is we're seeing demands from our providers to enable them when they're not in the hospital facility. So, imagine the individual physician that gets a call in the middle of the night and needs to respond to a situation about a patient. Typically, in the past, that physician would have to drive into the hospital. In today's world, they'll probably log into their PC, then into the VPN, then into Citrix and our EHR to be able to look at the current state of their patient and maybe some lab results or the like. We see that this is a great opportunity ... where they could log in via one of these mobile devices, whether it be a smart phone or an iPad, have it be through a cellular connection and have immediate access to the relevant results and be able to provide a response to the individual that's calling them. In summary, we're really looking to empower those individuals caring for our patients when they need the data in the most convenient way possible.
ANDERSON: Do you have a feel yet for what type of mobile device your clinicians initially will use most often? Will it be tablets or something else?
ECKES: In our early stages it will probably take more of a crawl-walk-run approach. We would continue being heavily reliant upon our laptop environment and our tablet PC environment, but we would then focus on using the iPad and iPhone as enabling technologies. We've also made the decision that these devices would probably be corporate-owned devices at least for the initial roll-out. In the future, we would like to consider moving to an Android platform as well, but being able to control it on one platform right now is our current course.
Storing Patient Information
ANDERSON: Is any patient information stored on these mobile devices?
ECKES: Let me answer that in two different ways. If you think of a mobile environment in terms of our laptops and tablet computers, the normal policy is to not have patient information on those devices, that they would be interacting with our electronic health record via Citrix and secured in that manner. In the normal course of a day that holds true. There are individual situations where patient information is downloaded. In those scenarios, we protect our environment with encryption software. We still view that as a risk, and we want to get away from any opportunity to store patient information on an individual device and keep the patient information centralized where we know that it's the most secure. In the mobile environment of iPads and iPhones, the goal there is store nothing and provide no ability to download information, but to only provide a view into the data and be able to interact with the data in its centralized location. The only risk that we want to have to manage is the user's native ability to store a username and password in their device, which we would certainly try controlling.
ANDERSON: Since you have a Citrix environment, it sounds like all these mobile devices are serving as an equivalent of a thin client. Under what circumstances can folks use a mobile device to enter information into a record as well as view it?
ECKES: In our initial ways of functionality that we're rolling out, there will be no ability to interact with the enterprise system to enter information. That's a strategic choice for us right now. We're trying to take a crawl-walk-run approach. The EHR vendor that we're working with is Allscripts ... We looked at their mobility functionality and where it's currently at, we believe that it provides a great opportunity to view information, get results, look at problem lists, look at the allergies, even be able to pull up images. But when we get to the point of entering orders or documenting, right now that level of functionality is still very much in the infancy.
We had looked for specific use-case scenarios inside our facilities and external to the facility when our physicians are at home to enable their work flow with the view-only functionality, knowing full well that once they've gotten a taste for the user interface and have been able to use the physical device in its current state, they're going to want more functionality, like the ability to enter orders.
ANDERSON: So for now then, someone creating a record or adding to it would use a laptop only. Is that right?
ECKES: That's correct.
ANDERSON: How will you go about monitoring whether a mobile device is storing any patient information to make sure that policy is enforced, and what other security controls will you have in place? You mentioned encryption before. What are some of the security controls you're applying to these new tablets and other devices?
ECKES: I think it's two-fold right now. We're handling the ability to download information at the application level and ensuring that the applications don't allow for that to occur. On the side of encryption, because we're working on this mobile project, we're also at the same time expanding our encryption strategy to move beyond our laptops and to look at mobile equipment and putting that same level of encryption on those mobile devices.
ANDERSON: You mentioned earlier that at least initially you won't allow the use of personally owned mobile devices for accessing records and other work-related purposes. Could that eventually be allowed, and if so, will you have to make sure that the same security procedures and technologies are used on those personally-owned devices?
ECKES: I wouldn't say that it's out of the realm of possibility. We're highly intrigued by the "bring your own device" trend that's occurring in the marketplace. One of the struggles that we've had internally is how do you provide the same level of support services on a wider array of different devices? That becomes a struggle with us. When we've looked at the marketplace, we've seen that some of the policies basically state, "We don't support you and here's an outside support organization to take your computer to." We know that our user-base would be dissatisfied with a response like that. So until we've come up with a creative solution there, our focus is to limit the devices to something that we know we can provide high quality service and support to. In the future, we'll either expand the number of devices we're providing that level of support to, or take a pulse check of our users and see if they're comfortable not having that level of support.
Advice on Mobility
ANDERSON: Finally, what would you say to other organizations that have concerns about the security of mobile devices as opposed to securing more traditional desktop devices, based on your experience? What advice would you give them?
ECKES: The main advice is this trend is coming whether we like it or not. As we've talked internally, the mobile device wave reminds a lot of us of the transition from mainframe green-screen terminals to moving over to PCs, and there's always a lot of resistance. There's always a lot of concern and people coming up with reasons why we can't support that environment. But whether we like it or not, it's coming and we need to embrace that level of change. That would be the first advice I would give. This is going to hit every organization.
The second piece of advice I would give is that, from a security standpoint, I believe that we need to really be honest with ourselves about the level of security that exists on laptops and those types of devices to begin with. Our PC environments are highly unsecure, and the habits of our users make them a very risky environment. Combine that with the fact that approximately 36 percent of laptop PCs are encrypted. That becomes much more risky, in my mind, compared to the fact that mobile devices are out there and allow remote access into a centralized system. I know there are a lot of chief information security officers who are highly concerned about this, but I think we need to really think about the practical realities of security and not overkill the risk that's associated with mobility.