Common Healthcare BYOD Mistakes to Avoid
To implement a BYOD scheme or not; that is the question for many CIOs and CISOs: Get it right and a healthcare organization can greatly benefit; commit some of the following common healthcare BYOD mistakes and even the best laid plans can go to waste.
The benefits of healthcare ‘Bring your Own Device’ schemes are numerous; however if errors are made they can ruin any BYOD scheme, and can lead to severe penalties from regulatory bodies. With this in mind, we have outlined some of the common – but highly serious – BYOD errors that are all too commonly made by healthcare providers, so you can take steps to avoid them.
These Common Healthcare BYOD Mistakes Can Cause Huge Problems
Before a BYOD scheme is implemented it needs to be carefully planned, but not down to the minutest detail. Many healthcare providers are ultra-cautious about the risks of BYOD, and attempt to implement schemes that are controlled down to tiniest detail. While caution is advisable, if the scheme is to work, it must not be too restrictive.
Setting a Highly Restrictive Range of BYOD Devices
From a security standpoint, this makes perfect sense of course. Not all devices are created equal. Some lack security controls, others simply have not been tested by IT departments, which tend to err on the side of caution with BYOD.
Taking a highly granular approach – such as only permitting specific models of Smartphone – is ill advisable as it is likely to severely limit the number of health professionals that can opt into the scheme. Individuals who have just purchased a new device that is not on the list will not be able to gain the BYOD benefits.
There is a happy medium. Device use can be restricted for security reasons; however it is possible to group devices together – Samsung Galaxy devices for instance, rather than only S5 models. Otherwise, the only way to get the majority of devices under the scheme is to rigorously test each individual Smartphone and tablet model to determine if it can be supported. Also, since new devices are coming to market all the time, testing each model is likely to take up considerable resources.
How can this be achieved? Devices can be approved if they possess certain required features or security controls. A device can be approved for use with the BYOD scheme if it runs Exchange Active Sync, for example.
Restricting Use of Services without Providing a Viable Alternative
One of the main benefits of a BYOD scheme is it makes it far easier for the staff to communicate with other members of the care team, rather than having to rely on slow and outdated communication systems; pagers for example.
Healthcare workers cannot send Protected Health Information by SMS message as the medium is insecure: SMS messages can be intercepted, and HIPAA does not permit the use of mobile devices for sending confidential information unless the data is first encrypted. Implementing a BYOD scheme without a secure messaging app or service is likely to result in HIPAA violations. Some users will opt to use unauthorized communications methods even if they are not permitted.
Secure SMS text messaging platforms exist and have been adopted by a number of healthcare providers that operate BYOD schemes. Secure SMS message systems allow physicians and other healthcare workers to send messages without having to worry about HIPAA violations, often only requiring a healthcare messaging app to be downloaded to the device.
A Failure to Retain Control of Devices
One problem with BYOD schemes occurs when staff leave or have their employment terminated. Since their personal devices are used for work purposes, when they leave an organization, any data stored on the device will be a security risk. Similarly, if a device is lost or stolen, thieves potentially will have access to the data stored or accessible through the phone.
Fortunately, options exist to render any mobile device safe in the event that the device is lost or stolen, or the owner of the device leaves the company. Software can be installed to allow the device to be wiped remotely; securely erasing all data stored on the phone.
In the case of theft or loss, a worker is unlikely to complain about such an action. They have, after all, lost any chance of recovering the device and the data stored on it. However, there is likely to be a problem when members of staff leave an organization. Individuals may object to a company remotely deleting data on the device.
It is therefore important to add conditions to BYOD schemes that allow an organization to wipe a device if it considers there to be a risk to data security. The best way to ensure that personal data is also not deleted is to use mobile device management tools, which ensure work and personal data is separated. If work data needs to be deleted, it can be done so remotely without erasing personal data such as phone contacts. Data ownership and the right to delete that data must be included in BYOD policies. It is better to have the option and not need it, rather than need it and not have it.
Be sure to avoid these common healthcare BYOD mistakes if you want to realize the benefits and avoid HIPAA violations!