
The Necessity of Creating a Hospital BYOD Policy: Lessons From Penn Medicine

November 11, 2015
by David Raths
Homegrown clinical apps require security, governance efforts

As mobile technology solutions become more valuable to health systems, many providers prefer to use their own smartphones to access and send patient data. This forces IT leaders to develop BYOD (bring your own device) policies. Speaking at the HIMSS Connected Health Conference on Nov. 10, Penn Medicine’s Neha Patel, M.D., explained why it was important for her organization to make the effort to address issues of security, privacy and governance in a BYOD setting.

Dr. Patel, who is director of mobile strategy and applications, and the director of quality in the Section of Hospital Medicine at the Hospital of the University of Pennsylvania in Philadelphia, said that she doesn’t believe health systems can disallow BYOD or mobile apps that share patient data in healthcare. “Personally I don't think that is a feasible way to view this area,” she said. “The easiest way to have this conversation is just to say, ‘we are not going to do that app,’ but we know that can’t be the long-term solution to the conversations we are having.”

Organizations that want to work with mobile application developers on apps that use protected health information have to start thinking about the subset of people who are going to be using their own devices, Patel said. “You have to think about security but also about governance,” she said. At Penn, Patel works with an mHealth governance group, along with the associate CIO for infrastructure.

She described how mobile apps grew up at Penn. “We really wanted to get rid of workaround culture we were seeing. We realized that a lot of the workaround culture was led by fragmented methods of communication and work flow.” Doctors had pagers. Nurses had nothing but landlines. People were writing patient information on paper handoffs. “We realized bad processes led to a workaround culture we wanted to get rid of,” she said. “About three years ago we realized we wanted to go from being in a state that was fragmented to one that was mobile and secured data, and delighted our providers when they were using it. And that delivered data in a way that made it useful.”

She described a few mobile apps, one developed in-house at Penn, another with a vendor platform, another she called “organic.”

“Most healthcare institutions are going to see this at some point,” she said. “Somebody builds an app, and it is a simple solution to a problem they are having. Corporate IS then must decide how you scale up this app that all its staff members are using.”

An example of a homegrown app at Penn is called Rolodoc, which was developed in about a week by a few providers. They were frustrated by having to call an operator every day to ask which providers were on call. It took time and sometimes the answers they got weren’t accurate. So instead they got departments to provide them the schedules and built it into an app. They sent out an e-mail to all residents describing their web app and how to download it. Now every trainee uses it. “It is a tool that adds value for our staff, so rather than turn the other way and say it is not something we are ready to scale up, we have to engage with our staff to figure out how to make it an enterprise-wide solution.”

“The good news is that we had great tools people are using,” she said, “but we realized we needed a BYOD policy.” The details of the policy will vary by organization, so the specifics of Penn’s policy are less important than the issues they had to address.

Patel said one consideration is how you balance information protection and privacy. Information protection requirements must remain consistent, regardless of who is financially responsible for the smartphone, she said. With a work-provided phone, you don’t have many expectations of privacy regarding what is on that phone. But if you start using your personal phone at work and corporate IS asks you to download something that protects patient information, you run into privacy issues. At Penn, people who wanted to use their own phones were very protective about their personal texting and pictures. “It came up in every meeting. Hospital employees are very clear that they don’t want anybody looking at personal photos or texts,” she said.

As a solution, they offered “containerization” that separates work apps and private apps on the phone under the mobile device management solution. It allows IS to manage the risk of sensitive data exposure in work-related apps while ignoring personal apps. One of the weaknesses of that approach is that users don’t like switching between the container and their other apps. “However, we found that the clinicians actually preferred this. They liked the idea of going home and thinking my work apps remain my work apps, and my personal phone is my personal phone.”

She said healthcare systems also have to make decisions about whether they will reimburse clinicians for using their personal phone in the work setting.

Patel believes the future of mobile tools in healthcare is bright. “The EHR world is not going to change,” she said. “Data is dispersed and not easily found. There is tons of copying and pasting. Work flows are not efficient or user friendly. We don’t have a lot of analytic decision support built in, and it is difficult to implement changes.”

By way of contrast, she said, apps using SMART on FHIR have the potential to extract data, reorganize it and present it back in a user-friendly way. “We have seen pilots able to do this. Workflow can be facilitated so you can build a smart note where you document all the pertinent things on a patient and not just what needs to be there for billing purposes. And decision support can be based on real-time data.”