The Healthcare BYOD Debate Continues

There has been much discussion about the pros and cons of Bring Your Own Device (BYOD) schemes in recent months, but the healthcare BYOD debate does not look likely to be settled soon. Proponents of the schemes believe personal devices can be added to a healthcare computer network and operated securely. Others vehemently oppose the use of personal phones at work due to the security risks that come with adding hundreds of devices to a healthcare network: devices that can be used for work purposes, but can also be left in bars or public places, or simply dropped and lost.

The Healthcare BYOD Debate Heats Up

At the HIMSS13 conference in March there were many lively and occasionally heated discussions over the merits of BYOD in healthcare, which continued online after the conference. A number of health IT professionals were opposed to BYOD, although many were offering solutions to some of the common BYOD security problems, and some were won over.

Power is Nothing without Control

According to Christus Health Executive Director, Mark Ackley, “BYOD offers workflow, communication, and patient care benefits that are too powerful to ignore.”

However, any organization that implements such a scheme without the necessary security controls will soon find the disadvantages far outweigh the benefits. Data breaches, fines and lawsuits await companies that allow the privacy of patients to be violated.

It is no longer a question of whether BYOD should be used in healthcare; it is a case of making BYOD secure enough to ensure that the devices can be used for transmitting PHI. Physicians and care providers want to use the devices because they are so much faster than the communication systems put in place by hospitals, and far more practical than any pager ever was.

Since healthcare providers make money from physicians, and physicians want to use the devices, healthcare providers must stop resisting BYOD and instead address the security risks. According to recent research, if a BYOD scheme is not in place, employees will use their devices anyway. Forrester Research discovered 37% of healthcare providers were using “non-compliant devices on corporate networks before formal permissions or policies are instituted.”

Healthcare BYOD schemes are therefore a way to prevent data breaches and HIPAA violations, not cause them. IT departments may struggle to secure and maintain BYOD devices, but doing so is considerably easier than controlling devices they do not know are being used.

Robust BYOD Policies Must be Developed

BYOD is not about all workers bringing every device they own into work and connecting it to the network. Employees can opt into a BYOD scheme, but it is not mandatory and there must be conditions. Those conditions can be strict at first until the scheme is assessed, with restrictions easing over time, as and when the necessary security controls are installed.

Allow the use of certain devices that have been tested and determined to be secure, and severely limit what can be performed on the phones. Alternatively, approve devices in groups: iPhone 4 and above, or devices running at least a specified version of the Android operating system. This method allows swathes of mobile devices to be approved instantly, without having to test every single device.

With a mobile device management (MDM) program, the devices can be controlled more easily, including being wiped remotely in the event of theft, loss or termination of an employment contract. Add data encryption and a secure messaging app, and the benefits of BYOD can be had while the devices are kept secure.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news