Everything Health Care IT Needs to Know About Deploying iPads

We recently outlined the ways that the iPad is transforming health care for both providers (doctors, nurses, and other health care professionals) and patients. There's no doubt that the iPad (as well as other tablets coming to market in the next several months) is improving how health care is provided, how records are managed, how patients can learn about illnesses and injuries, and when, where and how doctors can easily respond to changes in a patient's condition.

With all these advantages, however, come some challenges. The IT professionals who manage hospital and medical practice networks need to ensure that the iPad functions appropriately and securely and provides consistent access to needed resources. So, today we will offer insight into how the iPad impacts the mobile management duties of health care IT.

General device and mobile data security

Mobile security has been a concern when it comes to the iPad and iOS in almost any professional field, but health care has a more stringent need for security measures than most professions due to the sensitivity of patient information involved and the related privacy regulations for handling that information (most notably HIPAA). This mandates one of two approaches: either the health care data on an iPad must be completely secure or no sensitive data can be stored on the device at all.

Overall, the best approach is keeping data off the device entirely. This isn't a new concept for health care IT. Most desktop and notebook computers used in hospitals and medical practices rely on a server-based solution to store sensitive information.

One approach is to have data stored on a secure server or in the "cloud" and accessed via either specialized client applications for that server or a web-based interface. In either case, a secure connection is used and no data resides on the computer. The same approach can work with the iPad -- web-based applications require no additional configuration beyond ensuring needed security certificates are installed. For client application access, many electronic health records systems have begun offering secure iOS clients.

Another, perhaps even more common, approach is to use a secure virtual desktop solution. Some of the big names in this space are Citrix, Systancia, Ericom, Sun Global Desktop, Quest, VMware, and Windows Terminal Services. They offer secure access solutions to both computers and iOS devices, through a first-party app or a third-party solution, which is often free or low-cost, though Citrix remains the leader in the health care field. No data is ever stored on the device.

A virtual Windows desktop with all needed apps is available to the user but only screen and keyboard/mouse data is transmitted. In some cases, solutions such as Citrix's XenApp allow administrators to create customized access to specific applications or dashboard views of data without the need to employ a full Windows desktop.

Secure access to wireless networks

As with any mobile device, secure Wi-Fi access to a hospital or medical office network is required. Ideally, this connection should be the most secure possible and should employ industry standard techniques including WPA2, network-specific security certificates, and RADIUS authentication to ensure only provisioned users can use an iPad or other device to connect.

The iPad supports all of these security technologies out of the box and the device can be provisioned using Apple's iPhone Configuration Utility for the current 3.x iOS release available to the iPad.
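A check IT can run on a configuration profile before distributing it, confirming that its Wi-Fi payload really requires the WPA2, certificate, and RADIUS settings described above. This is an added example, not from the original article; the SSID, identifiers, UUIDs, and server name are constructed placeholders, and the certificate payload the anchor UUID would point to is omitted.

```python
import plistlib

def build_profile(encryption, trusted_names, anchor_uuids):
    """Build a sample profile; every value here is a constructed placeholder."""
    wifi = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "org.example.clinic.wifi",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "SSID_STR": "EXAMPLE-CLINICAL",
        "EncryptionType": encryption,  # "WPA" covers WPA and WPA2
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [25],  # EAP type 25 = PEAP
            "TLSTrustedServerNames": trusted_names,
            "PayloadCertificateAnchorUUID": anchor_uuids,
        },
    }
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "org.example.clinic",
        "PayloadUUID": "00000000-0000-0000-0000-000000000000",
        "PayloadDisplayName": "Example clinic Wi-Fi",
        "PayloadContent": [wifi],
    })

def audit_wifi(profile_bytes):
    """Return (SSID, problem) pairs for Wi-Fi payloads weaker than the policy."""
    findings = []
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        ssid = payload.get("SSID_STR", "<no SSID>")
        if payload.get("EncryptionType") not in ("WPA", "WPA2"):
            findings.append((ssid, "encryption not pinned to WPA/WPA2"))
        eap = payload.get("EAPClientConfiguration") or {}
        if not eap.get("AcceptEAPTypes"):
            findings.append((ssid, "no 802.1X/RADIUS authentication"))
        if not eap.get("TLSTrustedServerNames"):
            findings.append((ssid, "RADIUS server name not pinned"))
        if not eap.get("PayloadCertificateAnchorUUID"):
            findings.append((ssid, "no trusted certificate anchor"))
    return findings

if __name__ == "__main__":
    weak = build_profile("Any", [], [])
    good = build_profile("WPA", ["radius.example.org"],
                         ["00000000-0000-0000-0000-000000000002"])
    print(audit_wifi(weak))   # three findings
    print(audit_wifi(good))   # no findings
```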

November's iOS 4.2 release for iPad will allow provisioning and configuration (as well as monitoring plus configuration and software updates) to be performed over the air using solutions from several mobile management vendors.

In situations where the ideal level of wireless security cannot be met (possibly in the case of provider-owned devices or devices that move between multiple practices and/or hospitals), ensuring a secure connection to resources may suffice.

Remote access to hospital and practice resources

One of the advantages of the iPad for physicians and other providers is its ability to enable access to needed records and other systems wherever the user happens to be. In the case of the iPad 3G models, this can happen over a mobile carrier's network. For iPads, it can also occur over a home or public Wi-Fi network or by using an intermediate device (such as a MiFi card or Android phone acting as a Wi-Fi hotspot) to connect through a carrier's network.

This poses many of the same concerns as any remote access by mobile device in any industry. These concerns can be answered in one of two ways depending on the resources and systems that need to be accessed. For cloud and vendor-provided solutions (available to both client/server and virtual desktop approaches), a secure connection may be able to be established with electronic records systems and other tools. When a vendor is hosting those solutions external to a medical practice, secure connections via the Internet are likely used even for computers and devices within the office.

For solutions that are hosted in-house and for systems that may extend beyond records management (internal communications, contacts and site-specific guides, billing, and other administrative tasks), a VPN solution is likely to be the best option. The iPad supports major VPN protocols including Cisco IPSec, L2TP/IPSec, and PPTP.

Integration with electronic health records, prescribing, and other tools

I've already touched on the connectivity methods generally used for medical practice and hospital electronic solutions. For virtual desktop based solutions, a native iOS app is likely already available (such as Citrix's Receiver). Additionally, many medical suites, which typically contain a range of tools associated with practice and hospital management beyond just record keeping and electronic prescriptions, have announced iOS apps that can be used with both the iPad and the iPhone.

The first of these solutions to be announced was the MacPractice suite (which primarily focuses on offices that are predominantly Mac based). Other suites have also announced iOS apps and compatibility including Dr. Chrono, Epocrates, and several others.

Medical imaging capabilities

Apple has already highlighted the use of the iPad as a medical imaging viewer. When I spoke with radiologists this summer, they agreed that the iPad was a great tool for remotely accessing medical images, sharing them with patients, and for presenting images to other physicians at conferences or for consultation. They doubted it would replace traditional medical imaging workstations any time soon, but still considered image viewing a useful application of the iPad in health care.

To date, several medical image viewing apps have been developed for the iPad and allow access to a range of different imaging formats. As with any other application, there are potential issues of deploying and managing third-party iOS apps on devices (see below). The selection of currently available apps includes: OsiriX, EyeRoute, modalityBODY, and iClarity.

Third-party tools and reference sources

Many providers have come to rely on the iPad as a medical reference resource. This can include the many medical reference, drug, and treatment guides in the App Store for doctors, nurses, EMTs, and other health care professionals. There are also reference apps that can illustrate conditions, injuries, and treatments to patients, as well as general and healthcare-specific resource sites on the Internet.

Generally, this isn't an area that IT needs to be concerned with. There is no way to automate pre-loading of third-party apps onto the iPad (in either iOS 3.x or the upcoming 4.2 update). However, you can use third-party management tools and/or the iPhone Configuration Utility to create a "recommended apps catalog" on devices and you can preload web browser bookmarks (including populating them as icons on the homescreen, known as web-clips). Neither of these approaches is strictly necessary, but they can aid users and help earn some goodwill towards IT in the process.

Tip: If you have a medical group, practice, or hospital intranet with helpful information and resource content, pre-populating that site as a web-clip can be very helpful to users.

In-house tools

Apple supports organizations creating their own custom iOS apps through the iOS Enterprise Developer Program (annual fee of $299/year). Membership in the program includes organization-specific credentials that can be provisioned onto any iOS device to allow loading of in-house apps manually with the iPhone Configuration Utility, through iTunes sync, or over the air using third-party management consoles (coming to the iPad in next month's update). Whether or not development of a custom app is appropriate to your organization and the needs of your providers is an open question, but the options are available if you feel there is such a need or desire.

Ongoing management and updates

Right now, there are limited options when it comes to ongoing management of the iPad and ensuring software updates are applied to it. It is possible to provide users with updated configurations and security credentials (created in the iPhone Configuration Utility). These can be stored in a format known as configuration and provisioning profiles that can be emailed to users or hosted on a secure web server. However, there is no way to ensure that users are installing these updates on their devices.

As I've mentioned several times in this article, Apple will be releasing a major update for iOS on the iPad in the coming weeks. This update will allow configurations to be pushed out using a third-party management solution and to be immediately applied and enforced.

Those management solutions also allow monitoring of devices and can provide up-to-the-minute reports on things such as installed apps and their versions as well as the iOS version running on the device. This doesn't immediately force the update of either an app or the device's OS, but it can be used to trigger alerts to both IT and the user when a device doesn't meet a criterion for updates. Management tools can also be configured to block a user or device's access to certain features and services until appropriate steps (such as updating the device) are taken.

Personally-owned device concerns

This final challenge impacts almost all industries (I'll be taking a detailed look at the issues in an upcoming article here at EnterpriseMobileToday). Managing and securing devices that are purchased and owned by an organization allows the IT staff to properly provision, configure, deploy, and manage those devices. This approach matches how IT generally deals with computers, printers, and related technologies.

Unfortunately, it has become commonplace for workers to bring their own devices (smartphones, netbooks/notebooks, and now tablets) into the office. This has been particularly common in health care with the iPad, as providers have discovered the potential of their personally owned devices (particularly for physicians who work in private practice and who are affiliated with multiple hospitals).

There is no easy answer to how to handle this. Many mobile management vendors provide options for enrolling a user's personal device that allow them to pre-populate in-house apps, email and collaborative tool accounts, and certain security options. However, it is difficult to establish a line of restrictions that will apply to the user's device when out of the office. For health care workers that must connect to systems of varying organizations, this can be even more difficult because the provided configurations and security settings will vary from one facility to another -- for the most part, enrolling an iOS device for management in one location prevents management in others.

Since outlawing personally-owned iPads is likely a fool's quest in health care and extensive management of the devices may not be an option, the best approach may be user education. One option is to dedicate a staff member to work with physicians and other providers to introduce them to the needs of a given network and offer to help them manually configure their devices.

This has the advantage of dialing up security as much as is feasible but it also affords the chance to explain the needs of security settings. It also provides an opportunity to acquaint users with the full range of capabilities of their iPads at a given site. From personal experience in other industries, I've seen such an educational rollout of technology greatly enhance the reputation of IT as well as reduce support calls because many common questions and potential issues can be tackled during the training/deployment meeting.

Another option is to restrict access as much as possible when it comes to iPads on your network. The same can be said of any Wi-Fi-enabled devices. Working with RADIUS authentication can be one way of determining specific devices based on user accounts, but reviewing access point and network logs for different device types and their MAC addresses is also an option. While this can enhance security, it will likely decrease the effectiveness of iPads (and probably affect the relationship between iPad users and IT).
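One way to do the log review described above, as an added example that is not part of the original article: it ties each accepted Wi-Fi login to a device MAC address and reports devices missing from the provisioned inventory or used under an unexpected account. The log layout, account names, MAC addresses, and inventory are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines; the key=value layout is an assumption, not any
# particular RADIUS server's or access point vendor's log format.
SAMPLE_LOG = """\
2010-10-12T08:14:02 ap=AP-3W user=drlee mac=00:11:22:AA:BB:01 result=accept
2010-10-12T08:20:47 ap=AP-3W user=drlee mac=00-11-22-aa-bb-01 result=accept
2010-10-12T09:02:10 ap=AP-ER user=drlee mac=02:00:5E:10:00:07 result=accept
2010-10-12T09:05:33 ap=AP-ER user=nurse4 mac=00:11:22:AA:BB:09 result=reject
2010-10-12T09:41:18 ap=AP-2E user=rkim mac=0011.22aa.bb03 result=accept
"""

# Constructed inventory of provisioned devices: normalized MAC -> owner account.
PROVISIONED = {"001122aabb01": "drlee", "001122aabb03": "rkim"}

LINE = re.compile(r"ap=(\S+) user=(\S+) mac=(\S+) result=(\w+)")

def norm_mac(raw):
    """Reduce colon, dash or dotted MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    return digits if len(digits) == 12 else None

def review(log_text, provisioned):
    """Group accepted logins by device and compare them with the inventory."""
    users_by_mac = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or m.group(4) != "accept":
            continue  # rejected attempts never reached the network
        mac = norm_mac(m.group(3))
        if mac is not None:
            users_by_mac[mac].add(m.group(2))
    report = {"unprovisioned": {}, "owner_mismatch": {}}
    for mac, users in users_by_mac.items():
        if mac not in provisioned:
            report["unprovisioned"][mac] = sorted(users)
        elif users != {provisioned[mac]}:
            report["owner_mismatch"][mac] = sorted(users)
    return report

if __name__ == "__main__":
    print(review(SAMPLE_LOG, PROVISIONED))
```

Because a MAC address can be changed by the device's user, the report is an inventory signal to follow up on, not proof of which device connected.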

Overall, the iPad presents a lot of unique advantages to doctors, nurses, and other health care professionals. It also forces IT to determine a comprehensive and equitable policy for supporting iPad users. As is being seen with the proliferation of different types of smartphones, these issues are likely to grow in the coming months and years as other tablets come to market. But for now, the concern is the iPad and taking a proactive stance of supporting it may actually make limiting the number of platforms in the future an easier goal to achieve.

