When Roger Baker, the chief information officer at the Department of Veterans Affairs, looks at the challenge of managing mobile technology, he sees more than the task of moving data securely to the tablets and smartphones used by the department’s nearly 280,000 doctors and employees.
Sounding more like a brand manager than a CIO, Baker said that the bigger challenge is managing the department’s mobile applications – and more specifically, the experience veterans and employees encounter when they use them.
That challenge became clearer when a group of VA doctors released their own mobile application onto Apple’s iTunes store, designed to help veterans suffering from post-traumatic stress disorder (PTSD), Baker said, speaking at an industry conference Monday.
The application quickly gained a following and a fair share of praise. Since it was made available a year ago, the application has been downloaded some 53,000 times in more than 60 countries, and won an innovation award from the American Telemedicine Association, according to VA officials.
But the IT department that Baker heads was unaware of the application before it became available, and thus never had the opportunity to ensure that it met basic security and privacy requirements – or a broader set of principles VA officials believe are important to restoring VA’s reputation with veterans, said Baker, who also serves as assistant secretary at VA.
It’s just one example of the growing complexity and implications of how mobile technology and applications are redefining the roles and the rules for CIOs today, according to Baker, and other senior IT officials speaking Monday during a conference hosted by the American Council of Technology & Industry Advisory Council (ACT-IAC) in Cambridge, Md.
When it comes to mobile applications, CIOs not only must look at how easily and securely they work for employees and the public, but also take into account “What do you want the brand to mean,” said Baker.
“There’s a lot we want the (VA) brand to mean to veterans. We’d like it to mean ‘helpfulness,’ especially compared to our past reputation,” he said. “That’s what the apps have to be oriented around.”
There is also a belief at VA that the medical information featured in mobile applications used by the public must be based on solid evidence generally availability from current medical literature.
“We have decided we’re not going to allow VA medical practice where the (medical) literature doesn’t support the material on the application,” Baker said.
Part of the challenge, said Baker, is how to manage the expectations and demands of thousands of “the best and the brightest” the VA hires each year who are accustomed to mobile technology, and who are constantly pushing for more of it, while simultaneously trying to protect the data that flows back and forth to those devices.
That continues to be a tricky juggling act as federal agencies and departments gradually permit more employees to use their own mobile devices for work.
While internally, the VA maintains a posture of being “device agnostic,” Baker said VA is evolving toward a policy of supporting two types of mobile devices.
One type of device can display a view of information, fed from VA network computers, but doesn’t actually place the data on the device. The other type of device actually receives and stores potentially sensitive information on the device itself.
“We’re concerned more about a doctor carrying around an Android or an iPad with patient information,” said Baker. That device and the information on it “has to be strongly protected. We are fanatical about protecting the personally identifiable health information of veterans,” he said.
That hasn’t been easy with the flood of iPhones, iPads and Android devices into the workplace. Those devices are designed for consumers, rather than to enterprises, the way Research In Motion’s BlackBerry devices are, Baker noted.
So-called mobile device management software tools help to some extent, Baker said, by making commercial devices work according to enterprise rules. And Baker has no qualms of including in those rules the right to wipe an employee’s mobile device of all of its data, if compromised, regardless of whether it’s the employee’s own device or one issued by the VA.
Indeed, the policies for managing the used of employees’ own mobile devices used on the job remain widely inconsistent from agency to agency, said Kathleen Turco, associate administrator for the Office of Government-wide Policy, inside the General Services Administration.
“There are no government-wide policies yet” on employees bringing their own mobile devices to work, she said during the same panel discussion about government mobile applications. And she did not indicate if and when they might be one.
“We’re wrestling with what’s the business case” for supporting BYOD, she said.
NASA’s Erna Beverly, enterprise applications service executive, however, reiterated that the real focus for agencies needs to go beyond BYOD and device management as a whole, and focus instead on on mobile application management.
“We’ve learned to be in sync with security rules…and the importance of data filtering, so we don’t have to worry about majority of security concerns,” she said. But, like Baker, she cautioned that agencies need to pay close attention to the mobile applications that are placed out in the public domain.
“Be sure you know what mobile apps you really want to put into a mobile app store. We would have focused on things a little differently,” she said in retrospect.
One example of that offered by Baker: “I’d like to at least see a disclaimer that people understand the risks of what can happen to their data” delivered wirelessly over the Internet; and that mobile applications would require a strong password for consumers, he said.
“There’s going to be a ton of lessons learned,” concluded Baker. “But the more we encourage mobile application development, the more we’ll discover what those lessons are going to be. The only issue I run into the medical community is why can’t we do things faster.”