iPad security: How a hospital group treated trouble
Doctors have fallen in love with the Apple iPad, becoming one of the biggest early adopters among professionals. They want iPads for personal use and to get their work done. It’s the latter that has healthcare IT staff scrambling to secure the devices.
The problem is that the iPad’s consumer-driven origins come into direct conflict with the nature of healthcare—namely, patient confidentiality and reliance on a few critical client-server apps.
Can the iPad succeed in hospitals?
“We had physicians coming to us as soon as the first iPad came into the Apple Store wanting to connect everything,” says John McLendon, senior vice president of Adventist Health System (AHS), a not-for-profit Protestant healthcare provider with 44 hospitals across 12 states. He is also CIO for AHS Information Services, which maintains clinical and business systems for many of the hospitals.
For the past few months, McLendon has been working with tech vendors to make the iPad a viable tool in healthcare. He’s had to implement a Citrix virtual desktop solution while he waits for one of his key patient-care app vendors, Cerner, to improve on its mobile offering.
Meanwhile, security and management of the iPad fall to Sharon Finney, AHS’s corporate data security officer. She has been busily architecting what she calls a “sandbox” network with limited functionality and access that gets around the iPad’s security shortcomings. Her assessment: The iPad can be secure enough for doctors to get much of their work done today, but the platform still has a ways to go.
Form factor: Hospitals familiar with tablets
The iPad took many hospitals, and their oft-conservative IT staff, by surprise. “The way we do a lot of the more strategic-oriented projects here, we plan them out for a couple of years with road-mapping sessions,” says McLendon. “We didn’t have a plan to embrace the iPad.”
McLendon couldn’t prepare for the iPad as he could with enterprise-class devices. He couldn’t get his hands on a pre-release iPad model in order to test and certify it in his environment. He didn’t even know when the iPad would be released to the general public.
When the iPad finally hit Apple Store shelves, doctors bought them up. Consider the findings of a survey by Good Technology, a mobile device management vendor: The number of iPad activations, from September to December last year, dramatically dipped at healthcare firms. The dip is indicative of a massive early adoption.
“Healthcare moved so quickly to the iPad, there was so much pent-up demand, that there was that initial spike,” says John Herrema, senior vice president of corporate strategy technology at Good Technology, “and then things leveled off.”
One of the reasons for the fast adoption of iPads in healthcare is doctors’ familiarity with tablets. AHS, for instance, has Panasonic Toughbooks in its hospitals. But the difference between these tablets and iPads, at least from a security standpoint, is night and day, says Finney.
iPad’s security shortcomings
AHS has a secured network at its hospitals that allows Toughbooks and other devices to communicate across it and access full-blown apps. AHS owns and centrally manages every device that touches this network. For instance, Finney can lock down these devices, remotely take control of them, install anti-virus software, and knock them off the network in a variety of ways.
“I can take a laptop, workstation or tablet and say you can only access these five applications and that’s all you can do,” Finney says. “I can say you cannot store data locally because that device is not rated and secured for that functionality. I cannot do that on an iPad.”
But doctors still wanted to take their iPads to work. So Finney has been building a mid-tier “sandbox” network with some security around it. The plan calls for the “sandbox” network to be established across all AHS hospitals in the first quarter of this year.
She’ll be able to control who has authority to get on the “sandbox” network. By knowing what devices are on the network, she’ll have an idea of traffic levels and thus can guarantee levels of service from a bandwidth and performance perspective.
“I can also target my security tools at that segment of the network, and monitor and audit it,” Finney says. “If there is an incident, a problem with one of the devices, then I can reasonably identify who that device belongs to.”
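The kind of audit a restricted segment makes possible, sketched as an added example (not code from the article or from AHS): flow records are checked against a device registry and a destination allow-list, and every finding is attributed to an owner. The MAC addresses, IP ranges, owner names and the gateway-only policy are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed registry (assumption): devices admitted to the restricted
# segment, keyed by lower-case MAC address, with the owner on record.
REGISTRY = {
    "02:00:5e:00:10:01": "dr.alvarez",
    "02:00:5e:00:10:02": "dr.chen",
}

# Assumed policy: the segment may reach only one virtual-desktop gateway.
SEGMENT = ipaddress.ip_network("10.50.0.0/24")
ALLOWED = {(ipaddress.ip_address("10.10.5.20"), 443)}

# Constructed flow records: (source MAC, source IP, dest IP, dest port).
FLOWS = [
    ("02:00:5e:00:10:01", "10.50.0.11", "10.10.5.20", 443),   # permitted
    ("02:00:5e:00:10:02", "10.50.0.12", "10.10.7.9", 1433),   # not on allow-list
    ("02:00:5e:aa:bb:cc", "10.50.0.77", "10.10.5.20", 443),   # unknown device
    ("02:00:5E:00:10:01", "10.50.0.11", "10.10.5.20", 443),   # upper-case MAC
    ("02:00:5e:00:10:02", "10.20.0.5", "10.10.5.20", 443),    # seen off-segment
]

def audit(flows, registry, segment, allowed):
    """Return (findings, per-owner flow counts) for one network segment."""
    findings, usage = [], defaultdict(int)
    for mac, src, dst, port in flows:
        mac = mac.lower()  # MAC case varies between log sources
        owner = registry.get(mac)
        if ipaddress.ip_address(src) not in segment:
            # A device showing up outside the segment it was admitted to.
            findings.append(("off-segment", mac, owner or "unknown"))
            continue
        if owner is None:
            findings.append(("unregistered-device", mac, "unknown"))
            continue
        usage[owner] += 1  # per-owner traffic count for capacity planning
        if (ipaddress.ip_address(dst), port) not in allowed:
            findings.append(("policy-violation", mac, owner))
    return findings, dict(usage)

if __name__ == "__main__":
    for finding in audit(FLOWS, REGISTRY, SEGMENT, ALLOWED)[0]:
        print(finding)
```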
AHS began working with Good Technology tools last spring to manage iPads, but Finney still lacks an enterprise management console for the Apple iOS. “Some of those tools are solely based on the functionality provided by the native OS,” she says. “To my knowledge, there are no standards for the base functionality that an Android and an Apple provide that I, as an enterprise security officer, can tap into and secure that device.”
One iPad app stays in the waiting room
For AHS doctors, the most important app that they want to access on their iPads is Cerner. The highly complex Windows app lets doctors view online digital charts with real-time patient information, input data, and place orders, among other tasks. Cerner doesn’t have a native iPad app, but the app developer is putting the final touches on a mobile app version, which AHS will evaluate in March.
In the meantime, McLendon is putting a Citrix virtual desktop solution on the iPad.
The problem is that the Cerner app was made to be used with a mouse and has a complicated order system that’s tailored to a large screen. With the Citrix client on the 10-inch iPad screen, tapping data-entry boxes requires tiny fingers or constant two-finger expanding and pinching in order to change the image size of the boxes on the screen.
“The form-factor of the iPad doesn’t match up with the way the application was designed,” McLendon says. “I’d say it’s still cutting-edge to use [Cerner] with Citrix.”
Bottom line: iPad-toting doctors on the “sandbox” network will be able to use Cerner, but the experience won’t be a good one. Nor will they have all the communication rights and access to data and application features like they would on the secured network.
“We’re not there yet,” McLendon says. “We have to have more confidence.”