refers to the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smart phones) to their workplace, and to use those devices to access privileged company information and applications

The Gartner Group estimates that by 2017 - 2018:

         at least 50% of professional level employees in the United

States will be bringing their own devices to work

         70% of mobile professionals will conduct their work on personal smart devices.

Small & Medium Enterprises (SMEs) in the Health Care Industry

United States:

         Physician’s practice: annual revenues must not exceed $10 m

         Dentists and other practitioners: the upper limit is $7.0 m

         Hospitals: annual revenues must not exceed $35.5 m

There are just over 200,000 physician practices in the United States

         just under a third are solo or two-person practices

         37% are group practices with two to five physicians

SME medical practices are vital to the United States economy.

         for every dollar Americans spend on physician services, an additional $1.62 in other business is generated.

         Aon average, each  doctor generated an average of $2.2 million in economic output in 2012

         In total, doctors' offices in the US generate 9.97 million jobs, in their offices and at vendors with total wages and benefits average of $1.1 million per physician.

BYOD starts with the patient

  By 2015, 500m people globally will be using mobile devices with healthcare apps installed

  By 2018, half of the 3.4b global mobile users will have downloaded one medical/health related app

  Number of people who have downloaded health apps doubled in a year

  At least 50,000 mobilee apps related to health care

BYOD in the medical practice

  91% of US healthcare professionals own a mobile phone and 87% of them use it regularly during their clinical work

  In Canada, 67% of physicians in private practice have used smart phones for clinical decision support and 82% have used them for drug references.

Security and Privacy Issues

  Federal law requires that a healthcare institution deploy a single network to handle the bandwidth created by all these mobile devices, as well as a way of securing all the information passing through this wireless LAN.

  Violations of HIPAA (privacy of patient data) carry a fine of $50,000 per record

  Between 2005 and 2008, 39.5 million patient records were breached in the United States; and since 2010, 18 million Americans have been impacted by a breach

  Medical information is valuable –hackers earn $50.00 for a medical identification number compared with just a dollar for a Social Security number.

Planning Considerations:


  Half of the respondents to a HIMSS survey indicated they plan to increase their IT staff, but 21 percent are concerned that they won’t be able to secure the IT staff needed to successfully achieve their IT objectives.

  Network Monitoring. To support BYOD, the network needs to be monitored and a time-stamped log must be kept of the devices and the applications and the data each device accesses. Most transactions that occur via smartphone will be time-stamped.

Planning Considerations

  Limit File Opening Options. When possible prevent applications from storing opened filed on the device. Instead applications should be programmed to 'open-in' content. This would aid data protection by limiting data duplications and hence breaches

  Interoperability. With BYOD, it is not known with any certainty what devices and operating systems users will bring. The network, applications, and data must accommodate a variety of hardware and operating systems. 

Planning and Policy Implications (Cont.)

  Privacy. Policies are needed to regulate the viewing of data by external entitites that may connect with BYOD.

  Policies are needed to specify that smartphone used by employees who BYOD meet standards for preventing the spread of germs and infection.


  Desktop virtualization: the device launches a virtual machine on the company server. The user interface is created on the server and displayed on the device. Like traditional desktop terminal and server architecture, all processing occurs on the server side which translates to high bandwidth and low latency. This might lead to congestion especially in the networks of small and medium and medium size businesses.


  Session virtualization: A variation of the previous approach is launching a dedicated session for the device on the server instead of launching an independent virtual machine. Processing is still server side but the way it is executed has less demand for bandwidth than the virtual desktop. Data is not stored locally on the device since the application is executed on the server and only displayed on the device. To ensure data security, the connection needs to be secured and the device sanitized and uncompromised. This solution does not enable data exchange with other applications on the devise e.g. contacts.


  Web Application: Content is displayed in the devices' browser. Https can be used for access over the internet. However, strong access control needs to be applied to ensure data protection.

  Application Virtualization:  An internal server provides an executable application to devices that download the executable file and then runs it in a sandbox.


Native Application: This is a common method in the consumer market. Native applications have the typical look and feel of applications of the specific device's platform. A version of the application would need to be programmed for each supported platform in the platform's specific development environment. The version would then be downloaded and installed locally on the device. This solution would be cost prohibitive for small and medium size businesses given the wide diversity of devices and the pace of changes to the platforms through OS updates and users switching to newer devices.


Virtual Machines: This approach extends application virtualization to virtualization of an entire platform. This means multiple applications can be included in a single virtual machine that is loaded on a device and executed in sandbox in the device. Virtual machines are common in the traditional desktop environment and have been recently applied to mobile device platforms that target enterprise use such as Blackberry 10.  This could be a viable option for small businesses as the same virtual machine can be used for multiple platforms which brings down costs. Since execution of the virtual machine is sandboxed on the device, the company data is protected. In the event of device compromise, remote wipeout could be activated to erase the virtual machine of the device.


  BYOD will be a major presence in the health care field.

Physicians readily adopted other technologies, such as Cat Scans, MRIs, and Electronic billing systems. To be successful, the technology must be useful – and there is no argument that speed, flexibility, and other benefits offered by BYOD are useful.

  In the age of BYOD, small and medium sized medical practices must take an organization-wide approach to risk management approach.


   American Medical Association. (2014). The National Economic Impact of Physicians.

   Ballagas, R., M. Rohs, J. G. Sheridan, and J. Borchers. (2004). “BYOD: Bring Your Own Device.” Proceedings of the Workshop on Ubiquitous Display Environments, Ubicomp.

   Beaulieu-Volk, Debra. (2014, April 22). “AMA: Physician Practices Vital to Economy.” Fierce Practice Management.

   Charland, Andre, Leroux, Brian. (May 2011) "Mobile application development: web vs. native." Communications of the ACM, 54, pp. 49-53.

   Disterer, Georg, and Carsten Kleiner. "BYOD Bring Your Own Device." Procedia Technology 9 (2013): 43-53. Elsevier

   Dolan, Pamela Lewis. (2012, April 5). “Data Breaches of Small Business, Including Doctor Offices, on the Rise.”  American Medical News.

   Group Medical Practice in the United



  Health Information Management Systems Society. (2013) HIMSS Workforce Study:

Trends and Barriers.

  Jahns, Raff-Gordon. “500m people will be using healthcare mobile applications in 2015.” November 2010.

  Koehler, Nicole, Olga Vujovic, and Christine McMenamin. (2013, April). “Healthcare professionals’ use of mobile phones and the internet in clinical practice.” Journal of Mobile Technology in Medicine . Volume 2, Issue 1.

  Shaw, Andy. (2013, April). “Physicians, nurses and patients all make heavy use of mobile devices and apps.” Canadian Healthcare Technology.

  SK&A. (2014). National Physicians Report.


  Small Business Administration. (2014).

  Steiner, Paul. ( April 2014) "Going beyond mobile device management." Computer

Fraud and Security, Volume 2014, Issue 4. Elsevier

  Subar, Steve. (June 2010)  "Mobile virtualization – coming to a smartphone near you." 2014-07-01.

  Tulloch, Mitch. (2011). " VDI vs. Session Virtualization." 2014-0701.

  Verizon. (2014). 2014 Data Breach Investigations Report.