The other day, a neighbor of mine called me in need of help. She said her laptop got a virus and she wasn’t sure what to do. As the neighborhood’s resident geek (shocking, right?) I said I’d be happy to help.

I gladly fixed the laptop, and as it turned out, she needed help setting up her email on her brand new iPhone 6, too. Her work was moving away from their network solutions-based email provider to a new system, and she wasn’t exactly sure how best to configure it.

I’ll interject by saying that my neighbor is the very definition of a mobile worker. Without naming names, she works for a fairly large healthcare provider as a physical therapist. She helps people recover from surgery by providing PT service in the home.

At face value, the new system her work is using—a mobile app—seems like a win. Great, right? Well, hold onto your security hat.

When the app starts up, she’s required to enter her full email address—approximately 40 characters long—and password. This happens on startup or any time the app has been idle for more than 10 minutes. She’s also required to enter her personal PIN every time the app resumes execution. After that, the app downloads her messages for review. Nothing is cached. Ever.

This new app is designed to be secure with one thing in mind: HIPAA.

I get it! Security is important. But here’s the thing. My neighbor has already told her supervisor and coworkers that if they need anything, they should call her instead of emailing her. Because it takes her approximately 5 minutes to get logged in on her iPhone, downloading data through a VPN over LTE, she just doesn’t have the time needed to quickly react to emails requiring immediate attention.

I’m personally grateful that all healthcare providers are required to treat my personal information with care, and I can see in principle why the app is configured the way it is. But there are much better ways to solve the problem.

The app could, for example, allow for PIN verification to work for more than just the current session. It could enable remote wipe via a MAM provider. (Yes, that’s a blatant plug.) It could remember the username and simply require stronger passwords. It could even encrypt your data at rest and in transit for quicker response times rather than downloading the information and never ever caching it.
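To make those alternatives concrete, here is an added sketch (not the vendor's app, and not code from this post) of the client-side design the paragraph describes: the username is remembered, the mailbox is cached on the device but only ever as ciphertext under a PIN-derived key, and bringing the app to the foreground after the 10-minute idle window asks for the PIN alone, with the full email-and-password login reserved for a daily re-authentication. The 24-hour re-auth interval, the five-failure wipe threshold and the `MailSession` class are assumptions; the HMAC-SHA256 counter keystream is a standard-library stand-in for an AEAD such as AES-GCM, and a real app would keep the key in the platform keystore.

```python
import hashlib
import hmac
import os
from typing import Optional

PIN_IDLE_TIMEOUT = 10 * 60        # seconds idle before the PIN is asked again (the post's 10 minutes)
FULL_REAUTH_INTERVAL = 24 * 3600  # assumed policy: full email + password login at most once a day
MAX_PIN_FAILURES = 5              # assumed policy: wipe the local cache after this many wrong PINs


def derive_key(pin: str, salt: bytes) -> bytes:
    """Slow KDF so a short PIN cannot be brute-forced cheaply from a stolen cache file."""
    return hashlib.scrypt(pin.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def _subkeys(key: bytes):
    # Separate keys for the keystream and the MAC (domain separation).
    return (hmac.new(key, b"enc", "sha256").digest(),
            hmac.new(key, b"mac", "sha256").digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(blocks))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with an HMAC-SHA256 counter keystream: a stdlib stand-in for AES-GCM."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered cache")
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class MailSession:
    """Hypothetical client state: username remembered, mailbox cached encrypted, PIN gates resume."""

    def __init__(self, username: str, pin: str, now: float):
        # The password is sent to the server for the daily login and is never stored locally.
        self.username: Optional[str] = username
        self.salt = os.urandom(16)
        key = derive_key(pin, self.salt)
        self.pin_verifier = hmac.new(key, b"pin-verifier", "sha256").digest()  # never the PIN itself
        self.key: Optional[bytes] = key          # held in memory only while unlocked
        self.cache: Optional[bytes] = None       # what would sit on disk: always ciphertext
        self.last_full_auth = now
        self.last_activity = now
        self.failures = 0

    def store_messages(self, messages: bytes, now: float) -> None:
        assert self.key is not None, "session is locked"
        self.cache = seal(self.key, messages)
        self.last_activity = now

    def resume(self, now: float) -> str:
        """What the app asks for when brought to the foreground: 'none', 'pin' or 'full_login'."""
        if now - self.last_full_auth > FULL_REAUTH_INTERVAL:
            self.key = None
            return "full_login"
        if now - self.last_activity > PIN_IDLE_TIMEOUT:
            self.key = None                      # lock: drop the key, keep the encrypted cache
            return "pin"
        self.last_activity = now
        return "none"

    def unlock(self, pin: str, now: float) -> Optional[bytes]:
        """A correct PIN returns the cached messages at once; wrong PINs count towards a wipe."""
        key = derive_key(pin, self.salt)
        candidate = hmac.new(key, b"pin-verifier", "sha256").digest()
        if not hmac.compare_digest(candidate, self.pin_verifier):
            self.failures += 1
            if self.failures >= MAX_PIN_FAILURES:
                self.wipe()
            return None
        self.failures = 0
        self.key = key
        self.last_activity = now
        return unseal(key, self.cache) if self.cache is not None else b""

    def wipe(self) -> None:
        """Local equivalent of the remote wipe a MAM provider would trigger."""
        self.username = None
        self.cache = None
        self.key = None
        self.pin_verifier = b""
```

The point of the split is in `resume`: after an idle period the user types a short PIN and reads mail from the local encrypted cache immediately, rather than re-entering a 40-character address and password and re-downloading everything over the VPN, while a stolen device yields only ciphertext and a lockout after a handful of wrong guesses.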

As we’ve talked about before, at the end of the day, the enterprise must measure its mobile efforts based on ROI. In this case, the app actually has a negative ROI. The company has made a sizeable investment with a vendor to provide mobile service, and yet its employees are refusing to use the app because of the horrible user experience of simply logging in and checking email.

Before developing and deploying a new mobile app, be sure that you’re not accidentally creating a user experience like the one my neighbor now has to deal with.

Some things look great in principle but in execution are much less ideal. If you can’t trace your app back to tangible ROI from productivity gains or some other means, you may find yourself actually hurting your employees—which I’d hazard to guess isn’t a place you want to be.