Why a Canadian hospital might have no visibility into clinical device compliance across care sites

Your privacy officer asks a straightforward question: can you confirm that every mobile device across your four affiliated care sites is encrypted, enrolled in MDM, and running a current OS patch? You open your device inventory spreadsheet and realise you cannot. Not because you have been negligent—because the architecture of Canadian multi-site health systems makes unified clinical device management compliance structurally difficult. This post unpacks why the gap exists, what it actually costs, and what organisations are starting to do about it.

Why most Canadian hospitals can’t answer basic clinical device compliance questions

The audit-finding letter arrives on a Tuesday morning. Ontario’s Information and Privacy Commissioner has flagged unencrypted mobile devices at one of your affiliated clinics. Your privacy officer needs documentation—which devices, what encryption status, what MDM enrollment state—and needs it by end of week.

You open the device inventory spreadsheet IT has been maintaining. It was last updated seven months ago. It does not include the 40 tablets the surgical program purchased directly through a vendor relationship. It has no entries for the community clinic that joined your Ontario Health Team last year. The spreadsheet shows what you knew existed at a single point in time—not what exists now.

This is not a unique failure. Nearly half of Canadian healthcare IT decision-makers face the same structural limitation. According to a 2025 SOTI survey of Canadian healthcare IT leaders, 46% cannot deploy and manage new devices effectively, and 43% cannot remotely support devices or retrieve detailed device-issue information. The capability gap is not a staffing problem you can hire your way out of—it is an infrastructure and governance problem that predates your current role.

The consequences of that gap surface in the IPC’s breach data. Lost and stolen mobile devices remain one of the most commonly reported breach categories under PHIPA—and the regulatory question is always the same: was the device encrypted, was it enrolled in an MDM that could remotely wipe it, and can you prove it?

Here is what actually happens on the floor. The device inventory your hospital thinks it has and the devices actually in clinical use diverge within 90 days of any major deployment. Departments purchase tablets on P-cards. Vendor reps drop off loaner scanners that never leave. Shared devices migrate between floors. The “fleet” is a living thing that no static spreadsheet can track—and most MDM consoles only show what was enrolled, not what exists.

The compliance gap you sense is real. And it is shared across nearly every multi-site health system in the country.

How multi-site health systems lose visibility without realizing it

Canadian regional hospitals do not operate as single IT environments. They operate as federations of loosely connected sites, each with its own device history, its own vendor relationships, and often its own shadow IT practices. Visibility breaks down not at the centre, but at the edges.

Affiliated sites, separate IT realities

Ontario Health Teams, regional health authorities, and hospital amalgamations create structures where each affiliated site may have a different MDM tenant—or none at all. The parent hospital’s MDM console shows the parent hospital. It does not show the ambulatory clinic that joined the network two years ago, the long-term care facility with its own procurement channel, or the community health centre running devices it purchased before the affiliation.

Even when sites nominally share an MDM platform, the governance question remains: who is responsible for enrollment? Who enforces policy consistency? Who audits the affiliate’s compliance posture? In most health-system federations, the answer is unclear—which means in practice, no one does.

Clinical devices that never touch the MDM console

The non-enrollment problem is specific to healthcare—and it is where the largest compliance gaps hide.

Rugged scanners from Zebra, Honeywell, and Datalogic deployed for barcode medication administration (BCMA) and specimen collection are often configured by the OEM or a reseller and handed directly to nursing. They connect to Wi-Fi. They access patient-safety workflows. And they were never enrolled in enterprise MDM.

Biomed devices—vitals carts, infusion pump interfaces, point-of-care testing equipment running Android or embedded Linux—connect to the clinical network but are owned by Biomedical Engineering, not IT. Neither team manages the device’s security posture because neither team believes it falls under their governance.

The scale of this problem is measurable. 73% of Canadian healthcare organisations report experiencing downtime or technical issues with connected devices—issues that trace back to devices that were never properly integrated into the organisation’s management architecture in the first place.

Here is what this looks like on a med-surg unit at 2 a.m. A Zebra TC52-HC scanner used for BCMA is a life-safety device—if it fails during a medication pass, the nurse either waits or overrides the scan. But that same device often ships from the vendor pre-configured with Wi-Fi credentials and a barcode app, and IT never sees it until it breaks. It is simultaneously mission-critical and invisible to the compliance dashboard.

Legacy infrastructure as the binding constraint

Canadian healthcare IT leaders are not choosing to run outdated systems. They are trapped by infrastructure decisions made a decade ago.

99% of Canadian healthcare IT leaders report relying on legacy systems, with 71% running modern tools—connected devices, telehealth platforms, clinical mobility—on top of non-integrated legacy platforms. The MDM platform may exist, but it sits on infrastructure that cannot support real-time policy enforcement across distributed sites with different network architectures and different authentication systems.

This means the visibility gap is not a configuration problem. It is a foundation problem. And it explains why hospitals that invested in MDM platforms three or five years ago still cannot produce the compliance reports the IPC requires.

What a mobile device compliance gap actually costs a Canadian hospital

The cost of a compliance gap is not theoretical. Ontario’s Information and Privacy Commissioner now has the authority to levy administrative monetary penalties against health organisations—and the first penalties were issued in August 2025. The financial exposure from a single lost, unencrypted tablet can cascade from a privacy breach report to a regulatory investigation to a six- or seven-figure remediation exercise.

PHIPA administrative monetary penalties are now real

Until January 2024, PHIPA violations resulted in orders and public reports—embarrassing, but not directly financial. That changed.

PHIPA administrative monetary penalties can now reach $50,000 per individual and $500,000 per organisation. The first-ever PHIPA AMPs were issued in August 2025, confirming the IPC will use this enforcement power.

For the IT Director who cannot demonstrate that every mobile device with PHI access is encrypted, enrolled, and remotely wipeable, the AMP exposure is no longer hypothetical. A single lost tablet—one that was purchased by a department, configured by a vendor, and never touched by IT—can trigger the full penalty ceiling.

The breach-cost reality for Canadian healthcare

The regulatory penalty is only the beginning. The financial impact of a breach extends to forensic investigation, patient notification, legal counsel, remediation, and reputational damage.

The average cost of a data breach in Canada reached $6.32 million in 2024. For a 300-bed community hospital operating on a $150 million budget, a breach event of that magnitude represents a material financial shock—one that could have been mitigated by knowing the encryption and enrollment status of every device in the fleet.

The 2023 ransomware attack on southwestern Ontario hospitals illustrates what happens when security gaps compound. Between 267,000 and 516,000 patients were affected, with remediation costs exceeding $7.5 million and recovery extending through February 2024. That incident involved system-level vulnerabilities—but the investigative and remediation process exposed device-management gaps that multiplied the operational disruption.

When a breach investigation begins, the IPC asks for documentation: which devices were encrypted, which were enrolled in MDM, what was the remote-wipe status at the time of loss, and what audit logs exist. Organisations that cannot produce this documentation are not just at regulatory risk—they are at a fundamental disadvantage in controlling the investigation timeline and outcome. The documentation gap is the compliance gap.

The patient-care cost no one budgets for

The compliance problem and the clinical efficiency problem are the same problem.

Mackenzie Health in Richmond Hill, Ontario, estimated that ED clinicians wasted up to 25 minutes per shift on credential entry alone before deploying single sign-on. Multiply that across three shifts, across four affiliated sites, and the cumulative productivity loss dwarfs the cost of a managed mobility programme.

When devices fail or credentials stall, frontline workers absorb the impact. Globally, 53% of healthcare decision-makers report that IoT and telehealth device downtime causes delays to patient care. In a Canadian hospital context, device downtime during a medication pass does not just create frustration—it creates a patient-safety decision point that no nurse should have to navigate.

The costs of a mobile device compliance gap are quantifiable: regulatory penalties, breach remediation, and clinical workflow disruption. What remains is the harder question—whether the IT team responsible for closing that gap has the capacity to do so.

Why healthcare IT teams cannot close the clinical device compliance gap alone

The clinical IT team at a 300-bed community hospital consists of two endpoint specialists. One of them is also the SOTI administrator, the Imprivata liaison, and the on-call escalation point for Epic Rover issues. They cover business hours. When a scanner fails at 2 a.m. on the med-surg floor, the nurse calls the general helpdesk—which cannot see the device in the MDM console because it was never enrolled.

This is not a failure of competence. It is a failure of capacity.

Canadian healthcare is operating under staffing constraints that make sustained device compliance structurally difficult. Hospital staff worked more than 26 million overtime hours in 2021–2022—the equivalent of 13,000 full-time positions. Clinical IT teams absorb that pressure alongside everyone else. They are not under-performing. They are triaging.

The device-management burden alone consumes disproportionate time. 47% of Canadian healthcare IT leaders report spending excessive time fixing device issues—time that cannot be spent on enrollment enforcement, policy updates, or compliance documentation.

Here is what happens in practice. A hospital with 1,500 mobile devices across four sites has a single MDM administrator handling enrollment, policy configuration, app deployment, break-fix triage, and compliance reporting. When that person goes on parental leave or resigns—and in the current Canadian healthcare IT job market, the replacement timeline is four to six months—the entire fleet drifts. Policies expire. OS patches stall. The compliance posture degrades invisibly until the next audit finding surfaces it.

The compliance challenge extends beyond MDM policy—it includes lifecycle management for clinical mobile devices from deployment through secure end-of-life. A stretched two-person team cannot sustain enrollment enforcement, 24/7 incident response, multi-site policy consistency, and IPC-ready documentation simultaneously. The question is not whether they are trying. The question is whether the organisational structure makes success possible.

What Canadian health systems are doing to improve clinical device compliance visibility

Canadian health systems are not ignoring this problem. They are responding through several distinct approaches, each shaped by their size, their regulatory exposure, and the capacity of their internal teams. The question is not whether to act, but which approach matches the organisation’s operational reality.

Strengthening in-house MDM administration

Some organisations invest in dedicated MDM specialists, platform training, and internal compliance-reporting workflows. Large academic health centres with deeper budgets and more stable talent pipelines can make this work—at least while key staff remain in place.

The binding constraint is the Canadian healthcare IT labour market. A departure can leave a 2,000-device fleet under-managed for months. And even fully staffed teams struggle to provide the 24/7 coverage that clinical environments require. MDM administration is not a business-hours function when medication passes happen at 3 a.m.

Carrier-bundled mobility management

Bell EMM, Rogers EMM, and TELUS Managed Mobility simplify procurement by consolidating device management with carrier connectivity under a single bill. Smaller hospitals and clinics often prefer this for administrative simplicity.

The limitation is fleet composition. Carrier-bundled services are optimised for smartphones and standard enterprise devices—not for the mixed fleets of rugged scanners, shared clinical tablets, and biomed-adjacent devices that characterise hospital environments. A Zebra TC52-HC scanner used for barcode medication verification requires OEM-specific MDM configuration that carrier-bundled platforms typically do not support.

Independent managed mobility services

A third category has emerged: independent managed mobility services providers whose sole business is managing mobile device fleets across the full lifecycle. This approach separates device management from carrier connectivity, provides platform-agnostic MDM administration, and is designed for the complexity of multi-OS, multi-site, rugged-device environments.

For health systems that cannot sustain in-house 24/7 MDM administration and whose fleets extend beyond smartphones, this category addresses the structural gap—not by adding headcount, but by transferring the operational burden to a dedicated team.

How managed mobility services address clinical device compliance gaps

The compliance gap exists because clinical device management in Canada requires unified visibility across sites, 24/7 coverage, multi-OS and rugged-device expertise, and PHIPA-aligned documentation. Most hospital IT teams cannot sustain all four simultaneously. Managed mobility services exist to close that gap.

What to look for in a Canadian managed mobility partner for healthcare

If your organisation is evaluating external support for clinical device compliance, several criteria separate providers built for healthcare from generalist IT service firms:

Canadian data residency. Any provider managing devices that may access PHI must confirm that management infrastructure resides in Canada and that no operational data flows through US-hosted systems subject to the CLOUD Act.

Willingness to sign a PHIPA Agent Agreement. If the provider handles PHI on your behalf—even indirectly through device access—they must be willing to formalise that relationship under PHIPA.

Bilingual service capability. For organisations with Quebec sites, French-language helpdesk support is not optional. Quebec’s Bill 96 requires software interfaces distributed in the province to include French, and Bill 3 imposes contractual obligations on technology providers handling health information.

Rugged-device expertise. Clinical scanners from Zebra and Honeywell require OEM-specific MDM configuration—Zebra Mobility Extensions, OEMConfig profiles—that generalist providers often cannot deliver.

Clinical-grade SLAs. A failed scanner during a medication pass is a patient-safety event. Response times must reflect that reality.

Compliance documentation that produces IPC-ready output. When the privacy officer asks for encryption status and enrollment records across all sites, the documentation must already exist.

For a deeper look at these evaluation criteria, see our guide to choosing an MDM as a Service provider for your Canadian healthcare organisation.

PiiComm’s approach to clinical device compliance

PiiComm is Canada’s largest pure-play managed mobility services provider—managing over 500,000 devices across thousands of locations, with every operational function performed in-country by a Canadian team.

For healthcare organisations, several capabilities address the compliance gaps this post has described:

24/7 bilingual service desk, staffed in Canada. Clinical device incidents at 2 a.m. receive the same response as incidents at 2 p.m.—because medication passes do not follow business hours.

Premier Zebra Technologies partnership. Zebra scanners are the most common rugged clinical devices in Canadian hospitals. PiiComm’s OEM relationship means devices are staged with Zebra Mobility Extensions configured correctly before they reach the ward.

SOTI and 42Gears MDM platform certification. PiiComm administers the MDM platforms Canadian hospitals already use—transferring the daily burden of policy configuration, enrollment enforcement, and compliance reporting through fully managed MDM administration.

Secure decommissioning with NIST 800-88 chain-of-custody documentation. When devices reach end-of-life, PiiComm produces the auditable erasure records that PHIPA investigations require.

When PiiComm stages a fleet of Zebra TC52-HC scanners for a hospital deployment, each device is enrolled in the MDM tenant, configured with site-specific Wi-Fi profiles and application policies, and assigned a serial-level record in the AIM portal before it leaves the Canadian staging facility. The compliance posture is established before the device reaches the floor.

Learn more about PiiComm’s approach to managed mobility in Canadian healthcare environments.

Frequently asked questions

How do I know if my hospital has a clinical device compliance gap?

46% of Canadian healthcare IT decision-makers cannot deploy and manage new devices or remotely support them. If you cannot produce a real-time report showing the encryption status, OS version, and MDM enrollment state of every mobile device across all your care sites, you have a compliance gap. Common indicators include devices purchased outside IT procurement, affiliated sites not on your MDM tenant, and audit findings referencing unencrypted endpoints.

What are the penalties for PHIPA non-compliance related to mobile devices?

PHIPA administrative monetary penalties can reach $50,000 per individual and $500,000 per organisation, effective January 1, 2024. Lost or stolen mobile devices with unencrypted PHI are among the most commonly reported breach types. The first-ever PHIPA AMPs were issued in August 2025, confirming the IPC will use this enforcement authority.

How much does a healthcare data breach cost in Canada?

The average cost of a data breach in Canada reached $6.32 million in 2024. For Canadian hospitals, costs include forensic investigation, patient notification, legal counsel, regulatory response, and reputational damage—most of which escalate when device compliance documentation is incomplete or unavailable.

Why are rugged clinical devices harder to keep compliant than smartphones?

Clinical scanners from Zebra, Honeywell, and Datalogic require OEM-specific MDM configurations—Zebra Mobility Extensions, OEMConfig profiles—that differ from standard smartphone management. They are frequently deployed by device vendors or clinical departments without IT involvement, creating a shadow fleet that exists outside the MDM console and is visible to no one.

Does Ontario’s Procurement Restriction Policy affect which MDM providers hospitals can use?

Yes. Ontario’s policy excludes US-headquartered businesses with fewer than 250 Canadian full-time employees from new broader public sector procurements, including hospitals receiving $10 million or more from Ontario. Canadian-headquartered MDM platforms and managed service providers are clearly compliant; US-headquartered platforms require case-by-case FTE verification.

What is the difference between having an MDM platform and having clinical device compliance?

An MDM platform is software. Compliance is an operational outcome. 99% of Canadian healthcare IT leaders rely on legacy systems, meaning MDM platforms often sit on infrastructure that cannot enforce policies in real time across distributed sites. Compliance requires continuous enrollment verification, policy enforcement, patch management, and audit-ready documentation—which requires dedicated operational capacity, not just a licence.

How do multi-site health systems in Canada typically manage device compliance across affiliated care sites?

Affiliated clinics, Ontario Health Teams, and regional health authorities each operate with different IT ownership structures—often with separate or no MDM tenants. Most use one of three approaches: extending the parent hospital’s MDM tenant to affiliates, relying on each site to self-manage, or engaging a managed mobility services provider to operate a unified MDM environment across the entire health-system federation.


The question that remains

The compliance gap is not a mystery. It is a structural condition created by multi-site governance complexity, clinical devices that bypass IT procurement, legacy infrastructure that cannot support real-time policy enforcement, and IT teams stretched beyond sustainable capacity.

The consequences are now quantified: up to $500,000 in PHIPA penalties, $6.32 million in average breach costs, and clinical workflow disruption that compounds every time a device fails during patient care.

What changes is not the problem—it is the willingness to address it differently. The IT Director who recognises that their team cannot close this gap alone is not admitting failure. They are making the first accurate assessment of what the problem actually requires.

See how other Canadian health systems are approaching clinical device compliance across care sites—or talk to a PiiComm mobility specialist about your specific environment.