Unleash the full potential of shared devices with insight into the state of enterprise mobile programs

New Ponemon research on enterprise mobile programs presents data on the challenges faced by IT and IT security staff. The report underscores how many organizations aren’t getting the full benefits of their shared mobile programs, and sorely need stronger strategies and capabilities to enhance security, user experience, and productivity.

Companies introduce enterprise mobile programs to increase efficiency and productivity – or simply to keep pace in an increasingly global and digital world. At the same time, a single lost or unusable mobile device takes a heavy toll on organizations, no matter the industry.

The data presented in the Ponemon Institute report, “Unlocking the cost of chaos: The state of enterprise mobility in life- and mission-critical industries,” was gathered by surveying 1,795 IT and IT security practitioners in the United States, Australia, Germany, and the United Kingdom on the state of their organization’s enterprise mobile programs. The report provides crucial insight into the challenges faced by organizations in the manufacturing, healthcare, transportation and logistics, gaming, and retail industries, shining a light on the essential mobile strategies and capabilities needed to support adoption and productivity, while protecting systems, data, and the company’s bottom line.

Mobile devices in manufacturing and retail

Some of the most compelling data in the Ponemon report came from the healthcare, manufacturing, and retail industries. For example, among those three sectors, manufacturing has the highest average replacement cost per device at $901. Lower, though not by a lot, is the retail industry’s average cost of $836 per device. (And we’ve already explored the healthcare data from the Ponemon report over here, if you’re interested.)

The state of mobile cybersecurity

There are a number of capabilities that simultaneously support mobile program security and efficiency. For example, maintaining control over who has access to which device, and when, saves resources for IT teams that would otherwise waste time trying to determine which user had a device last or who was responsible for unusual behavior flagged in an audit.

Access control also helps with security by incorporating safeguards to keep out unauthorized users – and of course, detailed audits and the ability to link mobile activity to individual users are essential for cybersecurity in any industry. However, only 46% of manufacturing respondents and 50% of retail respondents say that their enterprise mobile program enables robust access control for connected devices.

Here are more capabilities that support both security and user efficiency, along with the share of manufacturing and retail respondents who say their mobile program enables their organization to:

  • Secure access to mobile devices without the use of shared PINs
    • Manufacturing: 39%
    • Retail: 46%
  • Enable quick access to mobile applications without repetitive, manual authentication
    • Manufacturing: 31%
    • Retail: 39%
  • Protect data and privacy by locking down devices between every use
    • Manufacturing: 42%
    • Retail: 35%
  • Depersonalize devices after use with minimal time and effort
    • Manufacturing: 36%
    • Retail: 33%
  • Automate and trigger MDM workflows on deployed devices with USB
    • Manufacturing: 31%
    • Retail: 23%
  • Secure devices and access to sensitive and confidential data
    • Manufacturing: 27%
    • Retail: 34%

Most concerning is how many manufacturing and retail respondents said that their mobile device program does none of the above – 19% and 35%, respectively. Given the fact that 54% of total respondents reported that their organization suffered a data breach linked to unauthorized mobile device access, this underscores the danger of having an insufficient mobile strategy.

Lost devices

The cost of lost mobile devices is high, and includes both direct costs like replacing devices, and indirect costs that quickly add up if data is breached. Research shows that lost or stolen devices are frequently the starting point for hacking incidents, ransomware, and data breaches.

The Ponemon report includes some more direct costs, such as the demand for IT help desk support. Manufacturing spends the most on IT help desk support related to lost mobile devices, at an average of $162,650 per year. Retail spends significantly less, although $116,110 is still a considerable amount of money. When it comes to annual IT security support costs due to lost mobile devices, manufacturing spends an average of $684,140, and retail spends an average of $625,065.

The diminished productivity and idle time resulting from lost mobile devices also take a toll on organizations. The average cost of diminished productivity among manufacturing respondents is $658,330 per year, while retail spends $585,200 on average.

And when it comes to the ability to protect sensitive data on lost devices, neither manufacturing, retail, nor healthcare views their programs as particularly effective. In all three industries, only 45% of respondents say their mobile program is “highly effective” at protecting data on missing devices.

Auditing

All mobile device programs, no matter the industry, should include regular audits of mobile device activity. This proactive strategy allows organizations to identify suspicious or unusual user activity before it develops into a security incident. It also provides a way to compile a detailed report to prove cybersecurity due diligence for regulatory requirements or insurance coverage.

When asked to rate the degree of difficulty auditing usage information on shared devices from one (not difficult) to 10 (very difficult), 54% of respondents in manufacturing chose very difficult, as did 58% of retail respondents. The response is unfortunate – there’s no need to struggle with audits when there are powerful tools that make it simple to monitor, record, and audit user behavior.

User experience

The success of any enterprise mobile device program is directly tied to adoption and user experience. If employees find devices frustrating and difficult to use, organizations don’t see the benefits that a mobile program should provide. Unfortunately, all industries surveyed report having poor user experience when it comes to accessing mobile applications and data.

Only 41% of manufacturing respondents say that the mobile user experience provided by their organization is satisfactory. Retail does slightly better, with 45% of respondents reporting a satisfactory user experience.

Access control is cybersecurity

If you can’t maintain access control of shared mobile devices, you’re essentially leaving a door open for hackers to walk through. The Ponemon report shared that 54% of manufacturing respondents find it very difficult to maintain access controls, compared to 56% of retail respondents. However, both industries report more effectiveness when it comes to controlling access to applications and data on shared mobile devices: 42% in manufacturing, and 39% in retail.

The state of commercial enterprise mobility

The Ponemon report illuminates the uncertainty that many organizations feel when it comes to their mobile programs. Implementing enterprise mobile programs to enhance connectivity, efficiency, and productivity is a smart business move, but you won’t get the full return on your mobile investments without the necessary access, management, and control capabilities.

Thankfully, there are solutions that offer all the tools you need to enhance security and streamline workflows – tools to connect your people and unleash mobile’s full potential so that business speeds forward with no loss of control.

For a closer look at the data discussed here and more, download the Ponemon research report.

Risky processes, uncontrolled access, and frustrated clinicians: Tales from the frontlines with Claire Reilly, RN MSc

Healthcare organizations across the globe experience obstacles that block technology ROI and hinder patient care. This blog post explores many of the unnecessary difficulties faced by a typical hospital participating in our Clinical Solution Assessment engagements. 

Desktops left unsecured, lost mobile devices, and hospital information shared on personal emails are just a few of the concerning findings from our Tales from the Frontline series. The series examines consolidated and anonymized findings from our Clinical Solution Assessments at various healthcare delivery organizations and provides valuable insights into the common reasons why organizations might not be getting the full benefit of their technology investments.

No value without adoption

In our Clinical Solution Assessments, clinicians often explain that they come to work to save lives – not to adapt their workflows to technology. They won’t ignore the needs of patients to resolve problems with a device or tool; they’ll simply move forward without it.

These assessments confirm what Imprivata has long known – clinicians are highly unlikely to adopt technology that isn’t seamless and efficient. And no one can get value from unused technology.

To illustrate the types of challenges we hear about time and again, I’ll use the name CityPoint Hospital – a fictional example that’s very real in terms of aggregated experience.

Mobile device mayhem

CityPoint Hospital owns 1,500 shared mobile devices they keep stored in a cabinet within each unit. However, the devices inevitably travel around the hospital throughout the day, ending up somewhere different than where they began. It’s a natural outcome considering the territory covered during most shifts. Still, these migrating mobile devices result in other users finding a shortage when they open the device cabinet at the start of their own shifts. We noticed some users resorting to placing stickers on shared mobile phones to prevent other clinicians from taking the devices away. One nurse told me, “I would come into my shift and there would be 8 devices available for 12 nurses. Nobody knew where any of the phones were.”

Furthermore, if a device’s battery was low or dead, it was the clinician’s responsibility to switch it out – a simple task, but one there simply isn’t time for during the average hospital shift.

“If a clinician can’t get a working phone at the start of their shift, they move on with their day without it.”

When CityPoint clinicians do get their hands on a working mobile device, they view it as a great tool for swift clinical communication – both texting and calling. Mobile devices offer seamless communication among care team members for ongoing patient care collaboration, and portable access to data that’s crucial for clinical workflows. Ensuring seamless access workflows for mobile devices supports good outcomes for patients while helping to reduce clinician burnout.

More mobile obstacles

But the uncertainty of whether clinicians can get their hands on a functioning mobile device is just one of the reasons that CityPoint Hospital doesn’t reap the full benefits of their mobile program.

I noticed that clinicians need to log in to four key applications when starting their shifts, with each application requiring a username and password. If the application contains protected health information (PHI), clinicians not only have to manually enter their username and password for access, but the applications also time out every 15 minutes. If an application times out without the user immediately reauthenticating, the clinician will stop receiving notifications from their communication app, which can hinder and delay patient care.

Rows of vulnerable desktops

As I walked through CityPoint Hospital’s emergency unit, I noticed many desktops left unsecured with clinical applications still open. This is a clear privacy issue and cybersecurity risk, and yet the reasons behind it are easy to understand.

Clinicians use numerous applications throughout each shift, and most require unique username and password combinations. Because manually logging in to desktop workstations and multiple applications is such a long and tedious process, clinicians often choose to leave workstations vulnerable to unauthorized access to avoid having to log in again. And since these are shared devices, leaving applications open for anyone to step in and use also makes it impossible to accurately audit user activity.

Clinicians risk shortcuts for the sake of their patients

One physician is so determined to keep her computer on and unlocked while she goes to see patients, she bought an agitator pad to keep the mouse in continuous motion. Another nurse finds dashing back and forth between patient rooms and desktop workstations so inconvenient, she’d rather complete intakes and take vitals for all patients on paper before returning to enter the information into the EHR.

Some nurses address the problem of having to repeatedly log in and out of workstations by lugging laptops around the unit throughout their shift. Others choose to remain logged in on a desktop, but turn off the monitor in hopes of protecting sensitive data.

Ultimately, the inconvenience and wasted time engendered by security precautions increase overall frustration and distract from tasks that demand a great deal of energy and focus.

The clinicians I spoke with understand that the security shortcuts they take are risky, but they also believe that the need to deliver efficient patient care supersedes those risks. Clinicians are acutely aware of how every minute they spend accessing applications and data is a minute stolen from patients.

The burden of endless manual logins

In the hospital’s ambulatory department, a clinical pharmacist shared that she must manually re-authenticate her access hundreds of times per day. Although she works at the same workstation all throughout her shift, she’s repeatedly required to authenticate for frequent tasks like dose verification and counseling attestation.

An inpatient pharmacist expressed the same sentiment, sharing that he manually reauthenticates with a password around 100 times per day for IV prep and compounding. A CityPoint clinical pharmacist told me, “One time, I spent an entire night in the OR pulling medications for an anesthesiologist, because he was unable to reset his password so he could pull medication.”

The risks of uncontrolled access

CityPoint Hospital kept documents stored in Google Drive for ease of access. I noticed that some clinicians logged in with their personal Google accounts, while some units created their own Google accounts to access information using a shared password. In several units, I found personal documents stored locally on desktops.

I also learned there was no process in place for deprovisioning users. Clinicians who had left the hospital months ago could still access hospital documents via their personal Google accounts. In one unit, managers were responsible for emailing IT to revoke application access when employees left the organization.

There was also no set process for provisioning new users. I spoke with a nurse who recounted one of the many times this caused problems after a new team member joined. “Our patient workload was overwhelming,” she said, “so we were thrilled to welcome a new nurse to our team. But during her first few days on the job, she was unable to access the EHR. As a result, she spent most of the week just observing us work.”

Another CityPoint pharmacist shared that she often had students come in for internships. But because the interns couldn’t get EHR access from day one, she’d have to let them use her own credentials. Sometimes the students were forced to keep using the pharmacist’s credentials for over a week.

No one is comfortable with this widespread, uncontrolled access, but clinicians don’t have the power to do something about it – no matter how risky the situation may be. A clinical informatics specialist shared how she was shocked to discover that she still had the privileges of a floor nurse, even though she hadn’t stepped on the floor in three years.

The solution they need

CityPoint Hospital’s inconsistent and complex processes for access, authentication, and reauthentication into applications and devices substantially inhibit their clinicians’ ability to use the EHR. The organization’s security measures make for a poor clinician experience, essentially putting technology in the way of patient care. The productivity of new users is hampered by delayed access to the EHR and other essential applications, while the continued privileged access held by departed users poses a significant security risk.

There are solutions and strategies to overcome all of these problems. With the right tools, CityPoint – and you – can simultaneously enhance security and efficiency, with safe, convenient, and seamless clinical workflows.

Book a meeting to learn how Imprivata can improve user experience across workflows at your organization – driving clinician adoption, reducing burnout, and optimizing the EHR at scale.
