Healthcare Industry BYOD Security Concerns

There is a current buzz surrounding Bring Your Own Device (BYOD) schemes because they offer so many benefits to companies; for the healthcare industry, however, BYOD security is a serious concern. If a BYOD scheme does not enforce robust security controls, multiple HIPAA violations are likely to follow.

BYOD Benefits for Healthcare Providers

Employees are already using the latest smartphones and tablets for personal communications and internet access; at work, however, they must either endure a serious technology downgrade when using healthcare provider-supplied devices, or they are not allowed to use their phones at all for work purposes and must rely on slow systems such as archaic pagers.

It is no surprise that BYOD schemes are proving popular, as employees can carry on using their own devices, which, for the most part, they like using. No extra training is required to teach staff members how to operate the device, and employees only need to carry one device.

It is surprising how much of a difference such a simple change to the working environment as using your own phone for work purposes can make. It improves morale, workers are more productive, and the frustrations that come with archaic hospital communication systems and hardware are avoided.

For the healthcare provider the benefits are clear: a more productive workforce, more efficient communication, and the advantages of mobile devices harnessed without the cost of buying the units. BYOD is a win-win: both sides benefit greatly from the scheme, provided the devices can be kept secure. If they can't, BYOD will be very bad for the healthcare provider.

Healthcare Industry BYOD Security Concerns

For the healthcare industry, BYOD security is of paramount importance. The data stored by healthcare providers, health insurers and healthcare clearinghouses is highly confidential and is protected by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA places a number of demands on covered entities to ensure that Protected Health Information (PHI), including the Personally Identifiable Information (PII) it contains, is safeguarded at all times. Administrative, physical, and technical safeguards must be put in place to ensure the data cannot be viewed by unauthorized parties.

If employees are allowed to bring their own devices to work and use them for work purposes, a HIPAA-covered entity must ensure those devices are secured. Unfortunately, mobile devices carry particular risks: they can be lost or stolen, they are outside the covered entity's direct control, and information (PHI and PII) can be sent through insecure channels such as SMS messages. With hundreds, or even thousands, of such devices joining the network, this poses a significant security risk, and HIPAA violations can all too easily occur.

Is Healthcare BYOD Worth the Bother and Risk?

Provided healthcare industry BYOD security is assured, the benefits of BYOD are too good to pass up; a fact not lost on most healthcare providers. According to a recent Health Management Technology report, 85% of hospital employees are allowed to use their own devices for work purposes. The same survey showed that patient data is being accessed on those devices by 70% of physicians and health IT staff.

Fortunately, BYOD security risks can be managed, but if mistakes are made or BYOD schemes are not properly planned, HIPAA violation penalties are likely to follow. The Department of Health and Human Services' Office for Civil Rights is now fining organizations that fail to safeguard PHI. Fines of up to $1.5 million per violation category, per year, are being issued, and state attorneys general are also taking action against HIPAA violators.

How to Improve Healthcare BYOD Data Security

The devil is in the detail. Healthcare BYOD schemes must be very carefully planned, down to the devices that can be used, the apps that can be installed, and the communication channels that can be used for PHI. Training may not be needed on how to use the devices, but employees must be trained on device security and on the organization's data security policies.

Staff must be trained on secure versus insecure methods of communication; how their devices must be used at work; what can be sent, downloaded or added to the device, and how that must be done to maintain data confidentiality. Staff must be informed about data encryption, how it works and why it protects data. They must also be shown how to use any apps or software the employer has added to the phone, such as a secure healthcare messaging app. Finally, they must be made aware of the procedures to follow should their device be lost or stolen, above all reporting the loss promptly so that the device can be remotely wiped before PHI is exposed.

Mobile device management (MDM) policies and procedures also need to be developed. Managing the devices that connect to a hospital network can be complicated, which is why many organizations opt for an MDM service such as BlackBerry MDM, AirWatch, or IBM's Tivoli Endpoint Manager for Mobile Devices. These services enforce controls such as device passcodes, storage encryption and remote wipe across the fleet, which makes the management of healthcare BYOD schemes much easier and largely headache-free.

Healthcare industry BYOD security concerns can be addressed with careful planning, and the benefits of BYOD realized; but without diligence, careful planning and ongoing maintenance, financial penalties are likely to follow.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news