On Monday, the University Medical School Information Services rolled out its implementation of AirWatch, a mobile device management system being used to secure personal cell phones of employees and students. Numerous high-profile losses of protected health information at other institutions — and the inevitable lawsuits that followed — were cited as precipitating factors leading to our health system’s adoption of the security software.
AirWatch aims to prevent sensitive data from falling into the wrong hands by providing the ability to remotely wipe a device that has been lost or stolen, as well as the means to constantly monitor whether a device has been compromised. The software requires full administrator access to one’s phone to do so; permissions granted to the AirWatch Agent application are broad, including the ability to determine the device’s precise location, directly call phone numbers and even take pictures and videos. MSIS maintains that our version of AirWatch “does not collect any data related to phone calls, texts, location or web browsing,” because “these capabilities have been disabled.”
Questions about AirWatch have been raised by medical students, many of whom learned about the decision to support the software on a Friday, only three days before the platform’s official Monday launch. Confusion regarding the scope of surveillance, access to tracked information and the possibility of uninstallation reigned, but one of the most commonly voiced concerns was simply, “Do I need to install AirWatch?”
Announcements included phrases such as “deadline for enrolling” without pointing out that participation is strictly voluntary; users who do not install the monitoring package will still be able to access their UMHS e-mail accounts through their devices’ web browsers.
An important concept in medicine is the right to an informed decision, one which can only be made after understanding all of the relevant facts about each of the options available, without being coerced or rushed. It isn’t necessary for the health care provider to agree with the decision, as each patient makes each choice within the context of his or her own value system; hence, there are no “right” or “wrong” options. Similarly, the crux of issues surrounding privacy and technology resides in supplying the end user with enough information to weigh costs and benefits before arriving at an informed decision.
Patient data should be protected, but at what cost to the security of employee and student data? The large number of medical students who change their names on Facebook during the residency application cycle indicates that privacy remains a major concern — if we are so guarded about the information that we have chosen to share online, why would we not also wish to protect our private texts and e-mails?
We live in a time when the nature of the relationship between citizens, companies and government over communications is in a state of constant flux; in the last few days alone, headlines have been awash with revelations that computer manufacturing giant Lenovo intentionally packaged a major security flaw into its new laptops, while ongoing revelations about the extent of NSA surveillance continue to astound in both volume and audacity.
As consumers and responsible citizens, we must take active steps to protect our privacy. This can be difficult in the mobile device domain, as the only way to truly ensure that one’s data is completely safe is to not own a cellular phone in the first place. Obviously for many people this is not a viable option, so every day we make tradeoffs, judging which risks we deem acceptable. We may still choose to talk where we can be overheard, or text where our screens can be read over our shoulders or e-mail knowing the messages can be intercepted.
Some users will trust AirWatch, acknowledging the potential privacy compromises that it presents in favor of the convenience of accessing e-mail on their own devices. Others will opt not to install AirWatch, choosing instead to check their mail with their phones’ web browsers while relying upon their pagers to communicate urgent messages. A few may even decide to use entirely separate devices for personal and professional business.
There are no “right” or “wrong” options, as each choice is made in the context of the end user’s individual value system. Moving forward, it’s important that we focus on seeking student input about changes related to our school’s information technology policies, in addition to continuing to supply users with the information necessary to make informed decisions regarding their privacy, without being coerced or rushed.
Special thanks to Erin Conrad for contributing to this article.
Mike Yee is a fourth year medical student. He can be reached at mayee@engin.umich.edu.