Not Just Another App: Managing Mobility at UPMC

The thought of health IT leaders managing the mobility trend conjures up images of Heracles attempting to slay the multiheaded Hydra. Every time he cut off one head, two more grew in its place: Think iOS®, Android®, Symbian®, BlackBerry®, Windows®, and bada®, with Mango and other mobile platforms in the wings. Accommodating network users’ mobile devices of choice while protecting personally identifiable information is a challenge, according to Rasu Shrestha, MD, MBA. In addition to his role as medical director of digital imaging informatics across the University of Pittsburgh Medical Center (UPMC) enterprise of 20 hospitals and 30 imaging centers, the board-certified radiologist also is responsible for interoperability and emerging technologies, as enterprise vice president for medical information technologies. “On the mobility side, our strategy toward embracing what’s out there on the mobile platforms is an evolving one,” he acknowledges. “I’d be wrong if I said that it’s solid and complete, and we’re at the finish line. We are very much at the start, but we’ve made some good strides.” As he embarks on the mobility journey at UPMC, Shrestha is taking a stepwise approach to rolling out new applications with zero footprints and thin clients, working closely with vendors, and focusing on leveraging the form factor to improve patient care (while staying one step ahead of enterprise users). Multiple Experiments Underway Shrestha is both optimistic about the potential of mobile devices to improve patient care and cognizant of the potential threat to security. Currently, a limited subset of users can access a zero-client advanced visualization tool on an iPad® or another mobile device. Another set of imaging users can access UPMC’s electronic record systems through the health system’s Citrix® (Fort Lauderdale, Florida) environment. Yet another experiment underway involves the use of a remote-access receiver through Citrix; it addresses some of the security issues inherent in accessing the UPMC network through a non-UPMC network, whether from home or a mobile device. “This receiver also addresses some of the concerns around how to access what you need from any platform, not just a Windows-based platform,” Shrestha notes. “Up to now, most of what has happened in health care has been very much Windows focused. This allows for much wider access through Mac platforms, iOS, Android, and others.” Several other mobile tools are already in use at UPMC: a tool for emergency-department discrepancy communications, preliminary report distribution through various Web-based means, and a contextual paging application (developed within the UPMC Technology Development Center) that taps into the institution’s longitudinal care record. In the radiology environment, if there is a critical finding, such as pneumothorax, an urgent communication can be sent directly to a smartphone. “The user will get not just information about the key finding in the radiology environment, but also a snapshot of the image and relevant clinical contextual information about the patient and his or her disease process,” Shrestha explains. A Life of Its Own Shrestha is well aware that if he does not move quickly enough to accommodate the mobility needs of his system users, they will find their own work-arounds. Demand for mobility in the health-care environment is very much consumer driven. “Part of the reason we see so much penetration, with a device like the iPad, is there was so much pent-up demand,” he notes. “We’ve been talking about a tablet—and the use of a device that has a bigger screen, that’s a little bit smarter, and that’s more connected, so that it is usable on the go—for such a long time that when the iPad finally came out, the pent-up demand suddenly exploded.” Coupled with the familiarity of physicians with the tablet form factor, that pent-up demand resulted in widespread adoption of a device that initially was used to access email because there were few health-care applications. “Residents, fellows, and other physicians were coming in and saying, ‘Hey, I already use my mobile device for all these things outside of health care; why can’t I use it for this?’” Shrestha says. “There is this huge push coming in from outside our imaging world.” What has been a boon for Apple (Cupertino, California), however, has been a major headache for those individuals responsible for security in a health-care enterprise. “The biggest success that we’ve seen, in terms of penetration with our users on the mobile platform, has been iOS, with the iPad and the iPhone®,” Shrestha observes. He adds, “That’s all great because it’s sexy, it’s user friendly, and it looks slick—but clearly, what we have found is that there are some limitations, from a security perspective and from the enterprise-deployment perspective. The Apple operating system was built for public consumers and not targeted to enterprise users—definitely not radiologists and others who require a great deal of image transfer and hands-on interaction, and who are out and about, often between home and hospital or other locations.” As UPMC approaches security development, it is attempting to be as vendor agnostic as possible, so with respect to Apple, that policy will account for the perceived enterprise security issues of iOS. Nonetheless, iOS is just one of many mobile operating systems out there, and Shrestha and his team are vetting and experimenting with all of them. Android is gaining ground among users and has an open-source operating system (as opposed to the proprietary iOS) that allows for more flexibility in managing security challenges, Shrestha believes. His team is also working with the Windows 7 platform and anticipating the soon-to-be released Mango operating system, which Shrestha predicts will give Microsoft (Redmond, Washington) a boost in the mobile device arena. Now owned by Hewlett-Packard (Palo Alto, California), webOS® is also in play here. “Quite honestly, there is a good level of anticipation, and a bunch of us here are fairly excited about Windows 8 and the promise of having an enterprise-ready platform that will, perhaps, be more penetrative in the market and add mobility. At the same time, enterprise security is more of a core mandate,” Shrestha says. Research In Motion, Waterloo, Ontario (maker of BlackBerry devices) and Microsoft have a demonstrated enterprise-security focus, Shrestha says. “Both of these vendors have spent a lot of time sitting down with enterprise users, whether folks in health care or others who deal with the business,” he says. “Our security people love the BlackBerry because it allows much more control. If, for example, a physician loses a BlackBerry while out and about, the security people can hit one button and wipe the device clean of all data. That’s superb. Our security people absolutely love that. You cannot do that with iOS devices.” The big challenge, Shrestha says, is being able to take control of the devices remotely to install any level of antivirus software or lock down specific features. “You don’t have that level of control on iOS,” he laments. “I’m not bashing iOS; I actually love the platform and its user-friendly nature, but there are some real challenges that some of these other platforms, like BlackBerry and Windows, are doing a better job of tackling.” Cloud as Security Blanket While UPMC’s strategy, from the outset, has been more (rather than less) inclusive, it will not include all comers. “You can’t account for everything, especially when you are developing security protocols; worse yet, at UPMC, we are also involved in writing software, and you can’t write for every operating system,” Shrestha says, conjuring up the mythical Hydra. Shrestha’s team is engaged in allowing these major platforms (including iOS, Android, and possibly Windows) to function in the UPMC health-care environment. One of the key hurdles to clear is security. “Security is of paramount importance to any level of deployment around health-care applications, and more so, when it deals with mobility, because you are out and about,” Shrestha emphasizes. “These are all devices you can easily lose, leave on a bus, or leave in your car— the iPad has legs, right? We are trying to circumvent the limitations of some of these operating systems by trying to keep as much of the information as possible in the cloud, so that there is very little actual footprint on the device itself.” Keeping data in UPMC’s cloud facilitates solid audit trails that detail who accesses what, in which location, using what ID—including the actual physical coordinates of the hospital because the system has GPS capabilities. Stringent password requirements for any mobile device with network access also are a part of security strategy. “Our goal is to have zero breaches of information,” Shrestha says. “We don’t want to have any breaches of information, across the board. A lot of our systems have sort of written-in applications on the internal cloud—a protected internal cloud for our electronic health record, here within UPMC—so there is a lot of virtualization, cloud-based computing, and even imaging that happens on cloud-based applications. That gives us more comfort because this is an internal cloud that we control within our security firewalls at UPMC.” Shrestha advises against adopting mobility for mobility’s sake, if the application and its use do not add value to the health-care transaction. There is peril, however, in moving too slowly in embracing mobile devices. “If we don’t move quickly enough, consumer-driven enthusiasm will overtake any chance of putting in any level of control over enterprise deployment,” Shrestha says. “Whether it is something users bought with their education funding, grant, or personal money, they will figure out a way to bring it into the health-care environment.”Cheryl Proval is editor of Radinformatics.com and Radiology Business Journal.