Healthcare BYOD Security Tips to Avoid Data Breaches
BYOD schemes offer numerous benefits, but also carry a number of risks: To make it easier to avoid the pitfalls, we have compiled a list of healthcare BYOD security tips that if adopted, will help HIPAA-covered entities avoid Privacy and Security Rule violations (and the penalties that follow).
Useful Healthcare BYOD Security Tips
There is no single solution that can be applied to solve all of the issues likely to be thrown up by BYOD schemes: The only way data can be properly secured is to use a combination of strategies. Mobile devices do pose a threat to hospital security, but the following tips and tactics will help keep data protected, and keep IT staff and physicians happy.
Update Mobile Security Policies
The same policies that are used for email and web applications are likely to apply to mobile devices. Use these as a base to save time; then tweak those policies and procedures as necessary.
Limit Devices Allowable under BYOD
The latest mobiles devices may have all of the necessary security controls, but older models often do not. Testing each and every device and platform is not feasible, so limit the devices that can connect, and make sure all devices are physically inspected to ensure they have not been tampered with.
Implement Basic Security Controls
It is easy to forget basic security measures such as setting a PIN on all mobile devices. It may be an inconvenience, but if the device is lost, it will reduce the risk of PHI being exposed.
Lay Down the Law
State how devices can be used and lay down the law on the security controls that must be used. This may take time, and physicians may not like the inconvenience; but this is essential if data breaches are to be avoided.
Policies Must be Concise and Easy to Read
Make policies clear, easy to read, and easy to understand. It is also important to obtain a signed BYOD agreement. If any staff member does not agree to the terms of use; they should not be allowed to use their own device at work.
Decide on the Apps that can be Used
Either specify which apps can be used – and from where they can be downloaded – or limit apps by class. Do not permit file-sharing applications to be used for example, or other apps that carry a high risk of exposing data and violating HIPAA Rules.
Encrypt Data in Transit AND at Rest
PIN numbers are only a first line of defense. The only way to ensure that data is properly secured is to use robust encryption for data at rest as well as in transit. If a device is lost, PHI will remain protected if it is encrypted.
Apps must have Auditing and Reporting Functions
If a data breach is suffered, it is essential that it can be traced back to a particular application and device. It should be possible to centrally manage devices, and apps must have auditing and reporting functions.
Provide Training to All Staff Participating in the BYOD Scheme
Staff must be trained on HIPAA Privacy and Security Rules; how devices can be used, and best practices to adopt. Training sessions should be conducted regularly to ensure privacy and security matters are not forgotten.
Use Mobile Device Management Software (MDM)
There are now many options available to make the management of devices less labor intensive. Software allows devices to be remotely wiped, while email, text messages and web browsers are can be easily secured and kept up to date.