Tuesday, April 7, 2015

BYOD for Healthcare Payers


 
 
As in many industries, mobile has become a dominant, disruptive force.  The Radicati Group performed a study in 2014 and found that mobile devices in use, including both phones and tablets, will grow from over 7.7 billion in 2014 to over 12.1 billion by 2018.  The statistics are staggering:

                    2015:  205 million estimated mobile apps downloaded (Gartner)

                    2015: 51% of the population have a mobile device (GSMA Intelligence)

                    2015: 72% of all page views via mobile device (GSMA Intelligence)

                    2018: 84% of the world population will be using mobile technology (Radicati Group)

                    2018: average of almost two mobile devices per mobile user (Radicati Group). 

                    2018:  If you take into account purchasing power in developed vs. undeveloped countries, many mobile users in the US could have 3-4 devices!



 


Members have become so reliant on mobile applications in their everyday lives that they now expect payer access anywhere, at any time.  Employees also expect to be able to perform their jobs using mobile devices.  This is especially true for those who travel and conduct business from remote sites.  Bring-Your-Own-Device (BYOD) programs address these market trends for payers.  BYOD brings great potential benefit but comes with significant constraints and risks.

Benefits include:

                    Consumerism programs can benefit from providing access to member services via mobile

                    Mobile access can be a great differentiator leading to higher member satisfaction and revenue growth, especially in Medicare STAR rated programs      

                    Letting employees utilize their own mobile devices significantly reduces capital outlay, depreciation cost and risk of technical obsolescence for payers

                    Employee mobile access can increase employee engagement and job satisfaction

Constraints and risks include:

                    A poor mobile experience can damage member and/or employee satisfaction

                    There is cost and complexity involved in managing duplicate infrastructure and applications

                    Security

·                     HIPAA provides penalties but little guidance on PHI security methods, and the mobile security market is immature

·                     Controlling security on mobile devices can be difficult on payer-owned devices, and more difficult on BYOD devices

·                     It’s not just managing the download or access of data through controlled applications; it’s access to data in any form, including in transit (e.g. cell towers, Wi-Fi), at rest on company servers, at rest on mobile devices and through the life cycle of the mobile device (e.g. active / authorized, post termination, theft)

So what is required to build a successful BYOD program in the payer world?  Many organizations see the BYOD program as an extension of IT infrastructure.  Isn’t it just extending access to applications through mobile devices? The answer is a resounding no.

Although many business applications are web based, mobile web browsers do not have the same maturity as desktop browsers, and these applications often can’t be used effectively on mobile devices.  Moving to native mobile OS applications (e.g. iOS, Android) provides more functionality, but requires development and maintenance of duplicate applications.  Building cross-platform applications is an option, but requires unique skills and development tools.

There is also the issue of user experience across platforms.  Members and employees expect to have a similar experience and usability across channels.  If the mobile user experience is poor or inconsistent with other channels, it can seriously damage customer satisfaction.  In fact, it could drive additional calls into customer / technical support, raising the cost of operations.  This is the exact opposite of its intended effect.

With regard to infrastructure, managing the platform requires unique skills and technological controls to meet HIPAA requirements.  Data at rest inside the payer network already has HIPAA-related controls, and logical access is controlled at the application layer.  The infrastructure security gap lies in data in transit to the mobile device, the mobile OS layer and data access at the device storage level.

First, profile-based rules should be downloaded to the device to enforce basic, required controls in the mobile device UI.  This creates consistency in security enforcement and multiple layers of logical security to protect PHI.

Applications should be placed on the mobile device to manage the entire PHI life-cycle of the device.  Data should be encrypted in transit and at rest on the device.  Applications, data and access rights should be controlled remotely by the payer organization.  In this way the data can’t be read without the proper rights as granted by the payer, even if the device is stolen.  Rights, applications and data can be removed from the device at any time by the payer (e.g. job change, termination, theft).
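
The payer-side control described above can be modeled as a key broker that releases a per-device data key only when the device is active, compliant with the security profile and entitled to the application, and destroys the key on termination or theft. This is an added example, not code from the original post; KeyBroker, Device, REQUIRED_PROFILE, the profile version number and the application names are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass
from enum import Enum

class Lifecycle(Enum):          # device life-cycle states named in the article
    ACTIVE = "active"
    TERMINATED = "terminated"
    STOLEN = "stolen"

@dataclass(frozen=True)
class Device:
    device_id: str
    lifecycle: Lifecycle
    storage_encrypted: bool
    passcode_set: bool
    profile_version: int
    entitlements: frozenset     # applications the payer has granted

REQUIRED_PROFILE = 3            # assumed current version of the security profile
# Constructed sample device, not real data.
SAMPLE = Device("dev-001", Lifecycle.ACTIVE, True, True, 3, frozenset({"claims"}))

class KeyBroker:
    """Payer-side store of per-device data keys; the keys never rest on the device."""
    def __init__(self):
        self._keys = {}

    def enroll(self, device):
        self._keys[device.device_id] = secrets.token_bytes(32)

    def evaluate(self, device, app):
        """Return (decision, reasons); decision is 'allow', 'deny' or 'wipe'."""
        if device.lifecycle is not Lifecycle.ACTIVE:
            # Termination or theft: destroy the key so cached PHI stays unreadable.
            self._keys.pop(device.device_id, None)
            return "wipe", ["lifecycle=" + device.lifecycle.value]
        checks = [
            (device.device_id in self._keys, "not enrolled"),
            (device.storage_encrypted, "storage not encrypted"),
            (device.passcode_set, "no passcode"),
            (device.profile_version >= REQUIRED_PROFILE, "stale profile"),
            (app in device.entitlements, "no entitlement for " + app),
        ]
        reasons = [msg for ok, msg in checks if not ok]
        return ("deny", reasons) if reasons else ("allow", [])

    def release_key(self, device, app):
        """Hand out the data key only for an 'allow' decision."""
        decision, _ = self.evaluate(device, app)
        return self._keys[device.device_id] if decision == "allow" else None
```

A job change is handled by the payer issuing a new entitlement set, so the same device is denied applications it could open before without being wiped.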

BYOD programs don’t just extend existing applications to mobile devices.  Mobile is a new channel with unique needs and capabilities.  It ties into the payer brand and has a significant impact on customer and employee satisfaction.  Managing it properly can be a differentiator.  Managing it poorly can significantly hurt employee and customer satisfaction.
 

If you need assistance in planning, implementing or outsourcing your BYOD program contact:

healthcare@igate.com 

We manage mobile application development and BYOD programs for the best known insurance organizations in the world.  Our customers range from middle market to the Fortune 500.

 

David Lung is a Director in IGATE’s Healthcare Services practice.

 
