Interview: James Thomas, IT director, University College London Hospital

Computing: How is the FMC implementation progressing?

Thomas: We have gone through all the coverage testing and the private mobile radio (PMR) network is in as well. We are now trialling standard mobile devices and smartphones (BlackBerrys and dual-model GSM/WiFi phones) for roaming on public GSM networks.

We want to make sure we are able to use our existing smartphone stock, which at the moment comprises BlackBerries. In the future, we will move away to other smartphones – largely because of infection concerns. [Mobile phone] keyboards are really bad for transmitting infection and holding germs in a hospital environment, whereas you can alcohol-wipe a touchscreen.

We also need to execute a SIM provider change, and we are striking a deal with certain mobile operators to provide us with SIM cards that work on both the PMR and GSM networks. Then we will upgrade 1,000 handsets, which is annoying, but this has to be done.

C: Will UCLH allow staff to use their own mobile devices?

T: I cannot stop the 'bring your own device' (BYOD) trend; in fact, I think we should positively embrace it. If we initiated a BYOD policy tomorrow, staff would bring in 1,000 devices the next day – clinicians love their gizmos. They like their iPads, and I would prefer to work with them to get the apps they need on to the iPad and we will probably need to develop apps specifically for it as a result.

The IT people at Guys and St Thomas’ NHS Foundation Trust already have clinical apps on the iPad, and we could collaborate with them – it would be in the public interest if we collaborated. We just have to make sure we provide open access to core systems.

C: How do you handle security for a BYOD approach?

T: The important areas for us in terms of security are secure email, internal data access and e-procurement. We have a Juniper Networks-based IP virtual private network (VPN) infrastructure using secure socket layer (SSL) technology, so we don't need to worry about policy control on the end user device.

If they bring in their own device, we have the ability to control that device, including remote kill. But if that remote kill does not work properly and kills off some of their personal data, we are responsible.