It’s no wonder that health systems continue to struggle with bring-your-own-device (BYOD) policies. Physicians, clinicians, techs and support staff live and die by their devices, just as workers in about every other industry do.
But healthcare is different because of the emphasis on safeguarding protected health information (PHI). A single penetration can expose tens of thousands of medical records and potentially lead to investigations and sanctions that could cost a provider millions of dollars and loss of patient credibility and trust. In February 2017, Children’s Medical Center of Dallas paid a civil penalty of $3.2 million related to the theft of an unencrypted mobile device in 2009 and the theft of an unencrypted laptop four years later.
Eye-popping fines give the healthcare C-suite pause as to whether to allow personal devices in the workplace. Yet BYOD adoption continues to grow: seven in 10 hospitals now allow the practice, compared with 58 percent in 2016, according to research from communications company Spok. And even where BYOD is prohibited, 63 percent of physicians and 41 percent of nurses use their own devices at work.
Still, data security remains a top-three challenge for hospitals, according to the Spok survey. The other top challenges relate to Wi-Fi and cellular coverage.
The issue for mobile devices in healthcare is three-fold:
- The physical security of devices
- The protection of the data contained on the device from malware, ransomware and other intrusions
- The security of the networks and applications where mobile devices access data
Unfortunately, there is no one-size-fits-all solution to device security. Regardless of whether your organization has a BYOD policy, you must take steps to protect the PHI accessed within your health system every day. The Federal Drug Administration (FDA) has developed medical device guidelines, which are a start for an industry that must continue to develop further policies, procedures, controls and industry guidance.
Physical device security
Short of tethering devices to clinicians, a significant percentage of devices will be lost or stolen, at work or elsewhere. That fact alone explains why the enterprise mobility management (EMM) software market was expected to reach $1.8 billion globally and $2.2 billion by 2022.
EMM software can manage and protect a wide variety of devices, separating work data from personal data on the device and allowing remote wiping of contents in the event of a theft, hack or intrusion. Some healthcare systems instead issue work devices to clinicians, which the system controls entirely.
Protection from intrusions
Another significant threat is malware introduced into an enterprise computer system. Phishing attacks, in which an attacker sends a bogus email that appears genuine in order to harvest information or deliver malware, are perhaps the best known of these ploys.
But consider the 150 billion app downloads that occurred in 2016—20 apps for each man, woman and child on the planet. Estimates put more than 250,000 healthcare apps on the market. How does a health system know which ones are legitimate and are written by companies that have stringent security and quality controls?
Even if the app is well-maintained, a user who doesn’t install updates leaves that device vulnerable to intrusion.
Security of networks
Regardless of whether your health system allows BYOD, you must maintain the security and integrity of the enterprise IT systems and networks within your hospital. Any system that touches the EHR system or PACS, even tangentially, is a potential entry point or “vector” for an attack. Firewalls help, and so does segmenting your Wi-Fi into a private network for hospital communications and a separate public network for visitors. IT staff should continually monitor the software used within the health system for updates and install them promptly.
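Monitoring devices for missing updates is easier to sustain when it is scripted against the device inventory rather than done by hand. The following is an added example, not code from the article or from any EMM vendor: it reads a constructed inventory export, compares each device's OS version against a hypothetical minimum baseline (the version numbers are assumed, not a published requirement), and returns the devices that need attention. It also handles the classic edge case of comparing version strings numerically rather than lexically, and treats platforms without a baseline as non-compliant so they get reviewed rather than silently passing.

```python
"""Flag mobile devices whose OS is behind the health system's minimum patch baseline."""
from dataclasses import dataclass

# Hypothetical minimum OS versions an IT team might set per platform.
# These values are assumed for illustration, not a recommendation.
MIN_OS_VERSION = {
    "ios": "16.7.8",
    "android": "13",
}


@dataclass(frozen=True)
class Device:
    owner: str
    platform: str
    os_version: str
    byod: bool


def parse_version(version: str) -> tuple:
    """Turn '10.3.1' into (10, 3, 1) so comparison is numeric, not lexical.

    A plain string comparison would rank '10.10' below '10.9'; tuples of ints
    compare each component as a number.
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_outdated(device: Device, baseline=MIN_OS_VERSION) -> bool:
    """True when the device's OS is below the baseline or has no baseline at all."""
    minimum = baseline.get(device.platform.lower())
    if minimum is None:
        # Unknown platform: fail closed so the device is reviewed, not ignored.
        return True
    return parse_version(device.os_version) < parse_version(minimum)


def outdated_devices(inventory, baseline=MIN_OS_VERSION):
    """Return the subset of the inventory that needs updating or review."""
    return [d for d in inventory if is_outdated(d, baseline)]


def parse_inventory(text: str):
    """Parse a constructed CSV export with header: owner,platform,os_version,byod."""
    devices = []
    for line in text.strip().splitlines()[1:]:
        owner, platform, os_version, byod = [f.strip() for f in line.split(",")]
        devices.append(Device(owner, platform, os_version, byod.lower() == "yes"))
    return devices


# Constructed sample export; owners and versions are made up for the example.
SAMPLE_INVENTORY = """owner,platform,os_version,byod
dr-a,iOS,17.2,yes
rn-b,iOS,15.7.9,yes
tech-c,Android,12,no
tech-d,Android,14,yes
admin-e,Windows,10.0,no
"""


def main():
    for device in outdated_devices(parse_inventory(SAMPLE_INVENTORY)):
        tag = "BYOD" if device.byod else "corporate"
        print(f"{device.owner}: {device.platform} {device.os_version} ({tag}) needs review")


if __name__ == "__main__":
    main()
```

Run against the sample export, the script flags rn-b (below the iOS baseline), tech-c (below the Android baseline) and admin-e (no baseline defined for its platform), and passes the two up-to-date devices. In practice the inventory text would come from the EMM's export rather than an inline string.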
A security audit can help your health system identify potential problem areas or gaps and assist in ensuring the integrity of your systems. Because an audit is only a snapshot of your security controls at one moment, repeat it on a fixed schedule, say annually.
Many security breaches can be traced to human error or omission. Prohibiting BYOD won’t keep your staff from using their devices on the job, so make ongoing security training a priority.