People work differently now, and as the culture of work evolves, BYOD (Bring Your Own Device) workplaces have grown increasingly popular over the past several years. Having an effective and robust BYOD set of policies and procedures is critical to attracting and retaining clinicians.
For hospital IT, the chief issue with BYOD is data security. But there’s more to security than meets the eye, and very few hospitals are getting it right.
5 BYOD Challenges For Hospital IT
Make no mistake: A BYOD environment has real benefits for healthcare organizations and personnel, especially in terms of supporting efficient workflow. True, you could make clinicians use designated devices for work only, but that would require them to carry and maintain multiple devices, especially if they practice in multiple facilities and need to be reachable around the clock.
The push for a BYOD environment is typically driven by users, not the organization, which may make it seem like your IT team is trying to keep up instead of leading the way.
Here are five of the challenges hospital IT needs to address when moving to a BYOD environment:
1. HIPAA-Related Issues
From a HIPAA privacy standpoint, a patient’s charts should only be seen by doctors who have direct responsibility for those patients. When clinicians view these charts on their own tablets, IT needs a way to ensure that those devices are not retaining patient info after it’s been viewed. In addition, any data stored locally must be encrypted in case the device is lost or stolen.
2. Viruses And Intrusions
When doctors and others access the hospital network through their own devices, it’s typically through a VPN (Virtual Private Network). Without the necessary security measures in place, this VPN access could also open a door for viruses and hackers to breach your network.
3. Managing EHR Access
It’s not uncommon for a doctor to go to IT and say “I need access to the EHR on my device.” Administrators also request access for doctors, and access may be only for a month. Make sure that your IT team is able to quickly provide this access while also maintaining data security.
4. Lost And Stolen Devices
Phones, tablets and computers go missing all of the time – it’s just a fact. In 2015, 109.3 million health records were breached, and a significant majority of these security failures are attributed to lost or stolen devices.*
When a device is lost or stolen, it probably holds a significant amount of unencrypted work email, which could contain patient information or sensitive business information. For this reason, it’s not enough for an IT administrator to stop email access: Those emails and messages are still stored locally on the device.*
5. Employees Leaving Your Organization
Having hospital network policies in place is essential for securing your information when employees resign or are terminated. Remote access to your information needs to be turned off immediately, and this may require you to shut down multiple avenues. Locally hosted information and apps are one thing; remotely or cloud-hosted applications and data add another layer of complexity.
Best Practices For Safe, Secure And Effective Integration
From a technical standpoint, the tools for managing BYOD environments are getting better all the time, so there’s no need to fully lock down a device. But there’s a human side to BYOD security that’s important to address:
1. Assign Responsibility For Managing BYOD
Hospitals typically have a credentialing person who determines who is allowed to practice, and these people may also decide the level of data access. There are safeguards to log access to the EHR, and there should be the same level of management for mobile devices and removable storage devices (USB drives, DVDs, etc.).
2. Focus On Your Top Security Concerns
Instead of trying to control everything a user does with his or her devices, focus on providing secure access to the apps and information they need. The top concern for many healthcare organizations is to make sure that only the clinician is able to view sensitive information on their devices, rather than anyone who happens to pick it up. Encryption and two-factor security are important tools to use in mitigating risk.
3. Provide User Training And Education
Your organization’s mobile security policy should include teaching users about what they can and can’t do, and what happens when they lose a device or leave the organization. A minimal policy might stop with giving users access and passwords to use EHR and email on their devices. A more rigorous policy might require users to effectively sign their devices away in order to use them for business, such as permitting the hospital to do a full factory reset. Whatever the case, it’s essential to educate and train users on your policy.
Ultimately, the goal is to find a middle ground in terms of protecting the security interests of the hospital and patients, while giving clinicians the flexibility they need to do their jobs effectively and efficiently.
*Source: Steven Cobb, Senior Security Researcher for ESET. HIMSS presentation, “Managing Health IT Security Risk,” 2016.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker’s Hospital Review/Becker’s Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.