Galen Gruman
Executive Editor for Global Content

The iPad revolution is coming to a hospital near you

analysis
Jan 25, 2013 (10 min read)

Despite what fearmongers say, iPads not only satisfy HIPAA rules but may be the best tool for doctors and nurses

For years, hospitals have longed to bring computers into the exam rooms, waiting rooms, and treatment rooms to get rid of hard-to-read patient charts, make sure everyone treating a patient was seeing the same information, record everything from vital signs to care delivery, and let doctors, nurses, and hospital techs stay connected to vital information and services as they move throughout the hospital.

In the last decade, most have adopted computers on wheels (known as COWs), basically PCs strapped to a cart, but they need to be plugged into a wall socket and tend to get in the way. Some hospitals tried Windows tablets, but they were both hard to use (poor touchscreen interface) and didn’t last very long on a battery charge. Since 2010, the iPad has been the device hospitals have wanted to bring computing to their highly mobile environments. For a variety of reasons, they’ll soon make the shift.


That is, unless they get scared off by mercenary vendors who cite big fines they might get if they violate rules like the 15-year-old HIPAA (Health Insurance Portability and Accountability Act) that these vendors claim is a certain risk on mobile devices such as the iPad. It’s pure baloney, but I’ve seen such vendor scare tactics in action.

Let me first debunk these myths, then explain how easy it is for hospitals, clinics, and other health care providers to adopt iPads and comply with rules like HIPAA, the federal law that governs the privacy protection of patient data and established standards to ensure such information can be used by all entities treating that patient. Whether you’re a patient or a provider, you should be demanding iPads in your care arsenal.

Recognizing the false risks in mobile health care

Just this week, Derek Smith, co-founder of Orchard Parc, a desktop virtualization vendor, took to Twitter with the kinds of outrageous claims that scare off health care pros and spook health care IT staff into buying expensive management and virtualization tools to solve a nonexistent problem.

First, he claimed that hospitals risk “average” costs of $2 million in the event of a privacy breach, and he suggested the risk of a breach was much higher if mobile devices were used. Yes, it can cost that much, but I know many people who work in health care IT management, and they tell me that the costs are usually much lower, involving notification to the affected patients and the administrative costs of reporting the incident and implementing a correction plan (usually training and monitoring). Many HIPAA privacy breaches result in very low to relatively low fines, as long as they are promptly reported and a corrective action plan is issued. To get a meaningful fine means the organization covered up the breach, then got caught or has shown a severe pattern of negligence — that’s when the government really punishes you.

Then he claimed that 40 percent of HIPAA privacy breaches were from mobile devices — not true at all. That stat actually refers to breaches from lost or stolen laptops that weren’t encrypted. When I challenged him on that, he admitted it was laptops, not mobile devices, but then claimed that the “Wall of Shame” database of HIPAA privacy breaches (they are all made public) showed seven “portable device” breaches in its first 50 entries as proof of the mobile risk. I read through every single entry in that database categorized as “portable” and not one was a smartphone or tablet. They were USB drives, backup drives, backup tapes, and laptops (all unencrypted; lost or stolen encrypted devices and media aren’t considered privacy breaches).

I’m sure you’ve heard similar scare stories if you’re in the health care business. Or indeed any business — some vendors play the same trick around the risks of lost PII (personally identifiable information), for which most states have HIPAA-like privacy regulations. If you look into PII breaches, you’ll see again that laptops, USB drives, backup tapes, and data CDs are the vectors of loss. If anything should scare you about the use of client technology in health care, it should be the use of laptops.

What you need to know about HIPAA and technology

HIPAA is technology-agnostic, and it doesn’t prescribe specific techniques or technologies an organization must take. It’s about ensuring consistent outcomes, relying on hospitals and their staffs to figure out the best way to do that. Mobile devices are no different in HIPAA’s eyes than computers, mainframe terminals, or paper records. HIPAA has three basic requirements to ensure patient information privacy:

  • Patients must give consent for their information to be shared with those who provide their care, and that consent must be documented. We’ve all signed that form at the dentist’s, optometrist’s, and doctor’s offices. (Consent is not required for certain emergencies, such as for the ambulance’s medical tech or the doctor who gives you the Heimlich at a restaurant.)
  • Access to the patient information must be limited to those who need it for those medical purposes. That means locking paper files at night and restricting access during the day to health providers. For electronic records, it means requiring a password for access and encrypting the data on any client device, including backup media. Most medical providers that use EHR (electronic health records) systems don’t store the data on PCs, but instead use VPN-secured Web access so the data is never local (what health care folks call “connected access”).
  • Changes to the information must be tracked. On paper and electronic systems, that happens when notes are added by a nurse, technician, or doctor. EHR systems also log any access, such as when someone looks up a name or medical condition; in the paper world, this is rarely done, but it will soon be required through an access log in the file that everyone must use each time they open the file. The federal government has mandated the use of EHR systems by most providers (and there are good free cloud-based ones for small offices), so the auditing is increasingly automated through the complex back-end systems where the technological heavy lifting occurs for both vendors and health care IT staff.

The iPad and HIPAA get along great

For the last several years, larger hospitals and county medical systems have been feverishly implementing EHR systems mandated by the federal government (those that don’t implement the systems will lose some Medicare reimbursement). It’s been a gargantuan effort on the scale of the Y2K fix in the late 1990s and the adoption of ERP in most businesses in the 2000s.

Those back-end systems are now coming online, so health care IT is beginning to turn its attention to the client devices used by medical staff and even patients (such as what they use to fill out their health histories while in the waiting room).

Current deployments use PCs, but they present some real challenges. In the wards, the COWs need to be near a power source, which also increases the risk of people tripping as the carts move. And they’re more movable than actually mobile. (These aren’t issues for the desktops that doctors use in their offices, admin staff members use at their desks, and nurses use at their stations.)

On the technical side, these EHR front ends tend to use Internet Explorer, relying on Java as the client presentation technology. COWs are typically run in kiosk mode so that they can be used only for EHR access, whereas work PCs run a gamut of apps, including IE for EHR access. That raises issues because many health care apps are sensitive to the version of Java used, as well as the version of IE. That has created a nightmare of compatibility issues as different apps use different versions of Java and IE — a nightmare compounded by Java’s ongoing client security flaws. The solution, of course, is to go browser-neutral and either drop Java or rewrite the apps to be non-version-specific — which costs a lot of money and time.

Here’s where the iPad comes in.

The iPad’s battery life is a good 10 hours, perfect for a hospital environment. It’s extremely portable — and the new iPad Mini even fits in doctors’ lab coat pockets. You can get Wi-Fi-only models for use within hospitals and larger clinics, as well as Wi-Fi/cellular models for use in the field. It doesn’t run Java, though, which means that the client apps will need to be rewritten either in pure HTML5 or as native iOS apps (the ease of creating iOS apps is pushing most providers to that approach). Either way, it forces a decoupling from Java, and those that go the all-HTML5 route force a decoupling from a specific browser. As you can see, iPad client ports could help solve the major issues on the PC client side as well.

iOS encrypts everything automatically; there’s no off switch for that — perfect for HIPAA privacy compliance. Forcing users to have passwords meeting whatever pattern rules you want is easy: You can do it via Exchange ActiveSync, an MDM (mobile device management) tool, or configuration profiles created in Apple’s free Configurator tool (which you can install over USB, email, or website, or push from OS X Server). These two native capabilities cover the two most critical HIPAA privacy requirements for client devices.

Those configuration policies, supported by Apple’s tool and most major MDM tools, also let you restrict Wi-Fi access to specific networks or access points — a lost or stolen iPad is not only encrypted but unable to connect to the hospital systems from outside. You can run an iPad in kiosk mode both through apps and policies, as well as turn off unwanted apps and prevent app installation on devices (common for shared devices). If you allow email on the iPad, you can use policies to restrict how many emails are stored and for how long — a third major HIPAA privacy requirement. If you want to track individual devices, such as for asset management or to initiate a remote wipe if a laptop or mobile device is suspected to be stolen, companies like Absolute Software offer tools to do so.

Configuring iPads to conform to HIPAA requirements is straightforward — easier than on a PC, in fact. There’s no HIPAA reason for disallowing iPads in health care, but plenty of operational reasons to want them in the medical front lines.

Could you do the same with other tablets?

For Android, yes. Samsung’s and Motorola Mobility’s tablets have the same key configuration capabilities as iOS to satisfy HIPAA requirements, though the more control you want to assert on them, the less they’ll meet your needs. You will need an MDM tool to lock down Android — there’s no equivalent tool to Apple’s Configurator, which has the advantage of not requiring you to pay monthly access fees for every device or user, as an MDM tool does. But Samsung’s Galaxy Note 10.1 supports pen computing, a real advantage in a medical environment.

For Windows 7 or 8, yes — you’d do for them what you do to a PC at a desk or on a cart. But you get less than half the battery life of an iPad or Android tablet. Realistically, a Windows tablet like the Microsoft Surface Pro may not be a good fit, and Windows RT tablets like the Surface RT lack many of the security capabilities a medical organization would need.

Over the next few years, expect to see iPads as routine equipment in medical offices, ambulances, and hospitals. If you’re in health care IT, now is the time to get started on making it happen.

This article, “Health care, the iPad, and why HIPAA is no barrier,” was originally published at InfoWorld.com.