5 Most Common BYOD Errors

Bring Your Own Device (BYOD) schemes have proven popular with the healthcare industry, allowing Smartphones and tablets to be used by healthcare professionals, without their providers having to cover the cost of supplying the devices.

However, while healthcare providers can certainly benefit from the use of Smartphones and other mobile devices at work, there are risks to data security; which if not tackled at the outset, could lead to a costly data breach. With this in mind, we have detailed the five most common BYOD errors that are made by hospitals and other HIPAA-covered entities. If you have yet to implement a BYOD scheme, be sure to take these points on board before allowing personal devices to connect to your network.

5 Most Common BYOD Errors

The most common BYOD errors are elementary mistakes. Take care to make sure that you do not make these mistakes as they will increase the chance of your organization suffering a data breach.

Implementation without Extensive Planning

Unfortunately, simply letting users bring mobile devices to work is asking for trouble. While a BYOD scheme can be implemented and problems dealt with as and when they arise, when they do (and they will!), they will be much harder to resolve than if a proper plan was put in place before the scheme was started. BYOD can bring benefits, but also considerable risks. Plan extensively before implementation and many of the common BYOD problems can be easily avoided.

Insubstantial BYOD Policies Implemented

Allowing tens, hundreds or even thousands of devices to connect to a healthcare network is risky, therefore policies must be developed that allow the devices to be used to improve communication with care teams, without risking the exposure of data. Policies must therefore be thorough, and should restrict permitted uses of the devices, as well as the apps that can be downloaded to them.

Failure to Restrict Data Access

One set of data permissions for all users is clearly a violation of HIPAA Rules, which require data access to be limited to the minimum necessary information for work duties to be conducted. It is therefore essential that access to PHI is restricted, as far as is possible. User groups can be set up and those groups given shared privileges, or individuals can be set their own set of permissions. This will be more time consuming, but access to data must be restricted.

Failure to Restrict Devices

All devices are not created equal. Some Smartphones and tablets have better security measures installed and fewer vulnerabilities than others. However, the only way for devices to be deemed suitable, is to conduct thorough testing of devices; a time consuming process, and one that many IT departments lack the resources to conduct. But it is better to restrict the devices that can be used than to leave systems open to attack. New devices can always be added at a later date.

Lack of Thought about Lost and Stolen Devices

Device loss or theft is a major issue, as those devices may contain PHI, or could be used to access systems containing PHI. Unfortunately, the loss and theft of Smartphones is common. In order to reduce the risk of a HIPAA violation and data breach, all devices must have systems in place that allow all stored data to be remotely deleted, or for the device to be remotely disabled. This will also allow devices to be easily secured if employees leave the company.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news