The Security Scrutinizer with Howard Anderson

Are Personal Mobile Devices a Threat? The VA Says No, If Adequate Security, Legal Measures Taken

Roger Baker, CIO of the Department of Veterans Affairs, believes that as long as the appropriate security measures are taken - and legal agreements are signed - personal devices should be allowed. That's why the VA is embracing BYOD - Bring Your Own Device.

The VA expects to accommodate the use of as many as 100,000 iPads and iPhones within 18 months, including a mix of government-owned and personal devices, Baker said in an interview.

I would expect to see, in the long run, a phase out of desktop computers and a phase in of mobile devices. 

"We really see a substantial clinical use for the newer mobile devices," he said. "And I would expect to see, in the long run, a phase out of desktop computers and a phase in of mobile devices."

But the VA cannot afford to pay for 100,000 new devices. So it's taking steps to allow the use of personally owned iPads and iPhones starting next year.

All the Apple devices, no matter who owns them, must use strong encryption plus two passwords, one for the device and one for the application. Also, the VA will have the ability to remotely wipe all information from devices if any security concerns arise.

Legal Issue

The security issues involved in allowing personally owned devices are legal, rather than technical, Baker contended.

"We're establishing what it is we need to have the user sign, relative to their personally-owned device, that will ensure, for example, that I have the right to wipe any VA information off of it at my discretion.....and ensure that I have the right to access the device to review it as needed," he said.

Initially, VA staff members will be able to use personally owned Apple mobile devices for limited purposes, such as to view, and not store, clinical records, or to transmit encrypted e-mail. Then the VA will assess whether to accommodate other functions.

Baker sees the use of more mobile devices, including, eventually, those running the Android operating system, as a way for the VA to cut costs as it shifts away from desktop and laptop computers. And it's a safe bet that a lot of other healthcare organizations are anticipating a similar shift toward mobile devices.

Do you think allowing the use of personal mobile devices to access patient information is a potential privacy threat? And what are the best security measures to adopt? We'd like to hear from you.

About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network