The Security Scrutinizer with Howard Anderson

The VA's Evolving Mobile Device Strategy

Tablets, Smart Phones Will Be Used Primarily for Viewing Data

Like many other healthcare organizations, the Department of Veterans Affairs, the nation's largest healthcare provider, is facing pressure from physicians and others to accommodate access to patient information using a variety of new mobile devices, including tablets and smart phones.

Other than laptops, the only mobile devices VA clinicians now can use to access information are Blackberry smart phones. But Roger Baker, the VA's assistant secretary for information and technology, revealed at a recent teleconference with reporters that, effective Oct. 1, the VA also will allow access using "a particular set of very popular devices," which he declined to identify. And in the long run, Baker added, the VA eventually expects to accommodate a "moderately long list" of mobile devices. "What's highly popular today may be a backwater two or three years down the road," he explained.

But What About Security?

To help protect patient information, most clinicians and others using mobile devices will not be able to store data on them, Baker stressed. Instead, the mobile devices will function as the equivalent of thin clients. "The main approach is going to be to allow [the use of] those devices to view information through our applications," he said. An authenticated user would be able to, for example, access the VA's VISTA clinical information system but not store any patient information from that system on the devices.

If, however, the VA, in certain cases, allowed clinical data to be stored on mobile devices, that information would be encrypted, Baker stressed. E-mail will be encrypted as well.

"When a device connects to the network, we will review software on it and verify there's nothing we believe to be a threat before we allow connectivity," Baker added. Plus, if a device is lost, the VA will have the ability to remotely wipe it clean of any data.

Obtaining Mobile Devices

Like many other owners of hospitals and clinics across the country, the VA is pondering how physicians and others should obtain mobile devices. After all, it's easier to control security measures if the employer acquires standard devices. But in many cases, users prefer to select their favorite phone or tablet. So it's a tough balancing act.

"We're still looking at how the devices will make it into the hands of the users," Baker said. "There's part of me that's leaning in the direction ... to say [the VA] is not buying, but if, as a user, you want to bring yours in and sign a piece of paper that says we can monitor the software on it ... then we may give you access from your personal device. ... If facilities decide to issue their clinicians those types of devices, we'd allow them access."

Baker acknowledged, however, that "it's possible we'll have a large-scale acquisition of those kinds of devices." But that approach might prove problematic, he said, because "by the time we were able to get a contract awarded, it may be time for the next generation of the device."

In the weeks ahead, the VA will review and update all of its security policies for mobile devices before announcing in October the expanded list of devices it will accommodate.

So what's your organization's policy about enabling access to clinical information on mobile devices? And what might be learned from the VA's approach? We'd like to hear from you.



About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.in, you agree to our use of cookies.