There’s been a lot of buzz around the Veterans Affairs Department’s adoption of iPhones and iPads. But VA officials say they’re being careful not to permanently tie themselves to Apple’s platform — nor anyone else’s.
A request for informationVA released to industry in late October contemplates a rollout of up to 100,000 tablet devices inside the department. They’ll include iPads, but not just iPads. The department wants the mobile-device management system that will support the devices to be able to handle Android and Windows-based tablets and phones as well, and VA plans to buy some of each.
VA Assistant Secretary for information and technology and Chief Information Officer Roger Baker said his department needs to be agile enough that it can continue to use the latest and greatest mobile technology in the years to come, regardless of the manufacturer. He wants the mobile devices being used inside VA hospitals to mirror the broader IT marketplace, he said. “I don’t know who the winner’s going to be in mobile in five years. I really don’t,” Baker said on a recent conference call with reporters. “There are interesting devices out there right now, but given everything we’ve see in the last couple years, you can expect the market to move even faster over the next five years. So we’re going to support whatever is of use to a range of our user base.”
Baker acknowledged the attempt to be device-agnostic complicates the VA rollout of mobile devices, particularly as the department ramps up its development of medical-related mobile apps.
“As you develop apps that are going to support more than one platform, it’s going to get more and more interesting how you do that in a way that keeps them portable,” he said. “But the last thing I want to do is pour millions of dollars into app development for a new device and then find out that that device is going out the window and a new device is going to completely eradicate it. We’ve got to make sure our apps are portable and can easily be moved to the next new thing that people are going to want to use.”
Securing the apps, not the device
Jerry Davis, VA’s deputy assistant secretary for information security, said being device-agnostic with respect to tablets also is a good idea from a security perspective. Since the consumer-focused mobile platforms tend not to meet government security standards at the hardware or operating system level, he said, having secure applications that can run on any device makes a lot more sense.
“When any device comes into an environment, you have to do to a risk assessment,” he told an audience at AFCEA Bethesda’s Health IT Day Wednesday in Bethesda, Md. “You get halfway through that risk assessment, and another device pops up on the market. You’re going to have to be agnostic about these devices and start doing some other things for security. A lot of this, at least in the short term, is going to have to come down to the application.” Davis said that’s how VA is rolling out the iPad and iPhone. For now, the department is being very restrictive on the number of apps it’s willing to approve, even though there are many tablet apps already available in the broader health IT marketplace.
“When we bring those devices in, we’re always worried about them getting lost or stolen,” he said. “So what we’re looking at is we never let data reside on the device. We move the device in a virtual environment, so the devices are really just readers. They connect to our medical applications because a lot of times all our clinicians need is to be able to see the data. They don’t need to manipulate it. The only other thing we have on the devices that may have sensitive data is email, but what we found is that there are applications out there that are Federal Information Processing Standard (FIPS)-certified that do protect that email.”
VA’s request for information also contemplates an internal app store for its users. It would host mobile apps developed in-house by or for VA, and it would include a pass-through to the main app store for the tablet manufacturer, but would only allow the installation of apps that VA has pre-approved.
More than security standards
Baker said besides security, there are other standards those apps will have to meet.
“The key thing is that the apps we authorize our folks to use are evidence based,” he said. “We have to know that the treatment that the app is encoding is shown by evidence to be an effective treatment. We want the VA brand to mean something in cyberspace, and we want that brand to be evidence-based. I think that hurdle is one that many apps today would find challenging. There are interesting apps, and then there are evidence-based apps. The evidence-based ones require a lot of work, a lot of research and a lot of tying of specific medical research papers to the app.”
As for the devices themselves, Baker said they won’t be distributed willy-nilly. They’ll only be deployed in situations where there’s a legitimate business case. Since VA hasn’t authorized many applications yet, that universe is relatively small for the time being, he said. But he can see a day in the not-too-distant future when VA users who already have laptops trade them in for tablets.
“The business case will really get to be compelling when our medical applications come onto this,” he said. “What if five years from now, I didn’t have to buy any desktop computers and everything we did in VA was mobile? There’s $100 million a year or more of business case. I can see the short term, I can see the long term, it’s the medium term business case that gets to be interesting. When do you cross over from nice to have and great to brag about to your friends to really increasing productivity for the VA?”
VA has so far deployed fewer than 500 iPads during the pilot phase of the rollout, and one of them has already gone missing. The department’s data breach report for the month of September included the theft of an iPad from a storage area. But the device still was new in the box, and no government data was stored on it, officials said.