Bring Your Own Device

By John Halamka
09:06 AM

At BIDMC, I oversee 10,600 desktops and 2000 laptops. They are all locked down with System Center Configuration Manager 2007 and McAfee ePolicy Orchestrator.

Given that most of our applications are thin client and web-based, we can stretch the lifetimes of our desktops to 5-6 years and our laptops to 3-4 years. Capital funding puts limits on how much hardware we can buy and how long we keep it.

Like many IT departments, we have to balance many priorities - security, cost, software compatibility, performance and the user experience.

This balance means that the locked down, image managed, economical device provided by the IT department will almost always be older, lower powered, and less capable than the device in your home.

The same is true of mobile devices like Blackberries which are a one time purchase and are only replaced when they stop functioning.

Consumer devices are more than just technology, they've become lifestyle accessories. Are you an iPad2 or a Macbook Air 11 person? Does Android tickle your fancy or are you holding out for the Samsung tablet with Windows 8?

The cost of these devices is low enough that consumers can buy them on their own and may upgrade yearly as new models are released.

All of this has led to the BYOD movement - Bring Your Own Device to work.

One of my passions as a CIO has been to create web-based applications that run anywhere on anything. That approach has enabled our applications to run on every version of the iPad, iPhone and iPod touch as well as Android and Blackberry devices like the Playbook.

However, I'm also accountable for the privacy and security of each byte of person identified data and we have over 1.5 petabytes to protect.

The internet is an increasingly hostile place. Clicking on a picture of Heidi Klum results in a 1 in 10 chance that your device will become infected.

Online apps distributed via social networks are filled will malware.

Hacked websites can bring malware onto our device. A CIO at the recent Information Week 500 conference described that hackers inserted malware, which was only one pixel by one pixel, into a public-facing website his lab supported. All internal users who browsed to the website and did not have the latest version of Adobe Flash were infected. Once infected, their workstations scanned for other vulnerabilities on the network.

Breach reporting regulations in HITECH are strict. If a keystroke logger embedded in malware results in username/password compromise and a hacker downloads files or views data for more than 500 people, the prominent media needs to be notified. It is unlikely that the media will see much difference between an infected personal device and something under the CIO's control - the CIO will be held accountable!

BIDMC has over 1000 iPads and over 1600 iPhones accessing its network for email and web applications.   I absolutely see the value of the Bring Your Own Device movement.

However, the compliance and regulatory requirements that grow more complex every day make the BYOD movement very problematic.

It may be that we'll find some compromise, such as encouraging BYOD, noting that little support will be available, and requiring mobile device security solutions such as Good Technologies before a personal device is allowed on the network.

BYOD can be empowering to users. Let's hope we can mitigate the risk and afford the applications needed to comply with federal and state laws.


John Halamka, MD, blogs regularly at Life as a Healthcare CIO.