Bring Your Own Device in Health?
Posted 13th December 2020
Of course, you would assume that Careful supports Bring Your Own Device for health workers and you would be right. But, we built a web platform first (that is phone friendly). Now, as we embark on app development there are different challenges.
There appear to be mixed messages from the NHS on BYOD. From encouraging staff to use Hospify instead of WhatsApp, to setting out guidelines when there is no reasonable alternative.
These guidelines include:
- Use a Data Protection Impact Assessment to identify privacy risks
- Be clear on policy and strong passwords
- Do not store patient identifying data (PID) on the phone
- How to respond to Data Protection and Freedom of Information requests
- Audit and monitor compliance
- What to do if a phone is lost
At Careful, we can provide you with a Data Protection Assessment document for consideration. We only accept strong passwords of at least 10 characters. We do not store PID on the phone. Even photos and videos are deleted once successfully uploaded to the Careful servers. If there is an error, the photo is no longer available as is not stored in your photo gallery. All transactions are logged for audit. No-one can do something and subsequently deny knowledge. This log is available to any user and is perpetual.
Data is encrypted in transmission and at rest within an English Azure host that meets the various legal requirements for security and GDPR. Careful is a Data Processor, the health institution is the Data Controller. We do not alter the data in any way. What comes in is what goes out.
We are working on a token for the app that does not expire whilst in regular use, but we will also enforce a new login when desired. The token can be deleted if a phone is reported lost and we will build this capability into the Team Leader and Organisational Admin interface.
Pros of a web interface
It is centrally distributed. Any bugs or faults can be resolved and distributed immediately to all users. It is based on standards that should, in theory, run on any browser. The codebase and data is one place where it can be managed and supported. If offered on a shared desktop or tablet, the user does not need to provide their own device. It can be locked down and secured within an intranet e.g the HSCN, without being unduly exposed to potential attack.
Downsides of a web interface
There is a preponderance of central desktop use in the NHS and many other institutions, where the computer is shared. This adds a challenge to security. Many browsers do not support HTML autocomplete=”off”, which should disable username password saving. So, in a shared environment one user could log in as another user, who saved their username and password previously. Careful does, however, timeout a login if not being used. With older operating systems and browsers, there can be problems. The NHS has a history of very, very slow updating to newer versions. The Careful web interface is based on the REACT framework and there are issues with very old infrastructure such as Windows 7 and Internet Explorer.
Also, if a user is outside of an intranet, they will have to jump through a few hoops to connect (it at all possible), which will deter relevant updates.
Pros of a smartphone app
A phone is personal. You carry it with you most of the time and it is yours. If properly secured, any data on it is of little use to anyone else who may pick it up. It is particularly useful for:
- Notifications – you receive real-time notifications of any changes of interest, without being in the app at the time.
- Photos and videos – uploading a photo or video when closing an action, making a note or a referral is a very useful feature.
- Messaging – whilst we are not yet supporting person-to-person messaging, it is on our roadmap and we will probably use an off-the-shelf service that meets our security requirements.
A smartphone is fairly ubiquitous. An institution does not need to purchase extra hardware and software to deploy. The least it needs to do is provide WiFi and an internet connection with the correct credentials to allow a member of staff to connect. The hardware does not require maintenance or significant support. It does not require the capital spend of regular refreshes. When a staff member is offsite or at home, they will be connected on 4G or another WiFi, so the institution does not need to provided telecommunications. In the event that staff are using 4G more than corporate WiFi, they may be reimbursed.
Downsides of a smartphone app
Probably the biggest downside is that an app needs to be regularly updated for multiple platform versions and distributed. By its very nature, general app distribution may often mean that it is accessible and open to potential attack. To avoid this, some kind of Mobile Device Management (MDM) is in order. This allows the central management and distribution of apps within the control of a central body. This obviously increases central involvement, policy and support which can play against the agility of a freely available app. At Careful, we employ a trust model that allows members to invite in other people with their phone number. This is not unlike the WhatsApp model.
An app takes longer to develop, more support and regular updates to stay current. Careful does this all for you and we will continue to investigate smartphone technology in this field.
Either way, as a web site or an app Careful is simple, easily deployed and secure. If you want to know more, please do not hesitate to contact us.
Simon started his working life as a hospital porter in Reading. He qualified in radiography at The Middlesex Hospital, London before moving into technology at Kingston Polytechnic. He was a senior systems engineer at St. Thomas’ Hospital, London and went on to hold senior consulting positions at Apple and Microsoft.