Bring Your Own Device (BYOD) To Work - Should We Go There?

6307034844_2ca91d0051.jpg

The BYOD phenomenon has been slowly but surely gaining momentum since 2008. By Farida Bambot (Health IT & Electronic Health Records Consultant, Self)

Technology-savvy consumers are clamoring for the convenience of the “coolest” mobility devices in the workplace.

Employers, on the other hand, find themselves struggling to keep up with the pace of device innovation or change entrenched deployments. In addition, the logistics and costs associated with procuring the latest tablet or smart phone for the workforce often impact the adoption of new technologies into the workplace.

In the midst of this tension, allowing employees to bring their own devices to work may appear as a solution for both the budget-challenged employer and the frustrated employee. In fact, according to the recent mHIMSS Mobile Technology Survey, from December 2011, 55% of respondents indicated that their organizations support only corporate devices, while 41% reported support of personal devices brought to work, by their organizations.

The high adoption rate for BYOD is impressive, but these numbers also demonstrate that companies remain divided on this subject. Some organizations are using a hybrid BYOD approach, wherein tablets are corporate-owned but smartphones remain personal devices.

A number of examples exist of both large and small organizations (Cisco, Citrix, RehabCare, etc.) that have successfully instituted pilot or company-wide BYOD programs. Employers need to carefully consider multiple aspects before venturing into this space. It is important to acknowledge that adopting a BYOD strategy makes for an even more complex technical environment and infrastructure for IT departments to manage, protect and support. Companies will need to invest in robust mobile device management (MDM) solutions and implement policies for a sustainable BYOD deployment.

Unlike the traditional work environment, where IT staff schedule and execute laptop or desktop upgrades, average refresh rates for mobility devices are between 6-9 months, with employees purchasing the latest device at will or to replace a lost one. This underscores the need for an MDM solution that includes self-service registration, so the new device may authenticate and connect to the corporate network as well as a “selective wipe” of the old device before it shows up on eBay for re-sale!

Likewise, similar policies and processes are critical for contractors or for employee terminations. MDM products typically include security features for HIPAA compliance, such as device password protection, encryption, antivirus protection and over-the-air (OTA) device wipe. The good news is that there are already vendor solutions available from Air-Watch, BoxTone, MobileIron and others to fulfill this need. Gartner’s research published in Q2 2011 provides good, high-level information on MDM vendors as well as key strengths and weaknesses of their respective products.

To ensure a successful BYOD program, employers need to have in place hardware and application support policies and procedures. As an alternative to requiring IT staff and the corporate helpdesk to support a gamut of different devices, employers may opt for employer paid vendor support contracts for personal devices. Others like Citrix have utilized the opposite approach by allocating a stipend towards the purchase of a device, but then requiring the employee to install and maintain antivirus software as well as purchase a three-year vendor support agreement.

In the application space, particularly for organizations with business-critical legacy applications, it is unrealistic to expect IT teams to effectively support new applications on the plethora of different device platforms and OS versions. The logical solution here seems to be desktop virtualization, also referred to as Desktop-as-a-Service.

Virtualization software can turn a handset into what appears to the outside world to be two separate phones, each with its own phone number, its own apps, and apps on the personal side cannot access corporate data and vice versa. Users can switch quickly and easily between the corporate and personal modes. If necessary, the corporate phone number along with all apps and data can be wiped remotely. Products from VMware (Horizon, AppBlast, Octopus), Enterproid’s Divide (AT&T’s Toggle), Citrix, Parallels and others provide this capability.

At the International Consumer Electronics Show last month, LG Electronics showcased their Android smartphone running VMware virtualization whereby two Android VMs running on the device can be used as the business phone and personal phone. The two environments are logically separate such that different Android versions can run concurrently.

Business VM is password protected and encrypted at all times (regardless of the security settings on the personal VM) and is managed by the IT department. Business VM can be easily wiped from an old or lost phone and a backup of the business VM can be used to refresh a new or replacement device. These phones are currently undergoing customer trials and both Verizon and Telefonica are expected to launch them within the next few months.

Enterproid Divide is offered by AT&T as a service called Toggle. Enterproid indicates that it is working on versions of Divide for Windows Phone 7 and even iPhone; however, creation of a full virtual machine requires low-level access to the operating system that is possible with Android but strictly prohibited by Apple for iOS or Microsoft for Windows Phone 7. Hence, it will be interesting to see how Enterproid is able to address these challenges to develop solutions for other platforms.

Corporate drivers for BYOD are primarily financial and worker productivity gains. However, there are no large-scale studies to conclusively prove that BYOD is a cost effective solution. The total cost of ownership (TCO) for BYOD is essentially unknown or anecdotal at best. Additionally, there is heightened concern about data security, especially in highly regulated industries such as finance and healthcare.

Fortunately these fears have not been borne out since there have not been any large-scale mobility-related security breaches reported thus far. In fact, according to the 2011 Gartner study on data security, which looked at severity of attacks vs. frequency, the conclusion was that simple mistakes trump clever malware attacks. Top issues were identified as improperly configured devices and lost or recycled devices left unwiped. What is encouraging is that data security breaches can be minimized or prevented simply by good data hygiene policies and practices.

The BYOD phenomenon has been slowly but surely gaining momentum since 2008 and new technology products and tools continue to be brought to market in support of this trend. The bottom line is, the future of BYOD will depend on data collected over the next 12 to 24 months that will help us better understand the financial, productivity and data security impacts to the enterprise.

This post was originally posted at Healthcare Information and Management Systems Society (HIMSS).

Photo credit: Personeelsnet on Flickr. About the guest blogger: Farida Bambot is a Health IT and Electronic Health Records (EHR) Consultant. She has 15+ years of healthcare IT experience. Her background includes successfully leading EHR implementations at large organizations with 450+ multispecialty physicians. Her comprehensive project management services include EHR Vendor Selection, Implementation Roadmap, Data Migration Plan, Practice/Workflow redesign, Security Risk Assessment and Meaningful Use Gap Analysis. She can be reached at fbambot@gmail.com