The Department of Veterans Affairs expects on Oct. 1 to let clinicians in its hospitals and other employees use mobile devices – likely Apple’s iPhone among others – once they are verified as secure and that any personal information stored on them is encrypted.
VA did not disclose which devices would get the go-ahead but will focus on a “particular set of very popular devices,” said Roger Baker, VA CIO. The sole VA-approved mobile device currently is the BlackBerry smartphone, which VA acquired for its employees.
“We will be highly confident that anything that is storing information on the device has encryption, and in all of the cases we’ll be satisfied that the authenticated user is able to view information but not download it on to the device,” he said in a monthly briefing June 30.
The predominant approach will be to allow the newly approved devices to view information through an application from inside the VA as well as from external sources. An authenticated user with one of those devices would be able to access, for example, information from VA’s VistA clinical information system but not store it on the device, similar to a thin client.
VA has already tested the concept. VA conducted an innovation pilot based on one of its innovation awards for a Computerized Patient Record System (CPRS) type client, a clinician application to reside on the device and to store information. CPRS is part of VistA.
“You can expect that information will be strongly encrypted inside of that application, as you can for email that would be on the device,” Baker said.
When the device connects to the department’s network, VA will review the software on it and verify that there is nothing believed to be a threat before allowing connectivity. Also, VA will be able to wipe the device clean of data if it is lost or stolen.
During the past two years, VA has strengthened the visibility of what is occurring on its network and increased device monitoring to ensure that VA policies are being followed throughout the department and that unauthorized devices are not allowed to connect to the VA network.
Over time, VA wants to be able to say, “Bring your own viewer, and we will have a list of what those will be, and it is likely to be a moderately long list,” he said. While BlackBerries are ubiquitous across the federal government, many federal employees want to use other smartphones, such as iPhones.
Baker is still weighing how the devices will make it into the hands of the users. “Part of me is leaning the direction to say I’m not buying them but as a user if you want to bring yours in, sign a piece of paper that we can monitor the software on it and what you’re using on it, then we might give you access from your personal device on to the system,” he said.
Or, it’s possible to have a large acquisition if VA facilities decide to issue their clinicians these types of devices and would allow them access, but that is more problematic. “By the time we were able to get a contract awarded, it would be time for the next generation of the device,” Baker said.
