BYOD use is on the rise, and hospital policies need to be robust
Hospitals that allow employees to bring their own devices need clear guidelines and a mobile device management system.
Mobile devices are becoming ubiquitous in healthcare, and, with them, use of personal devices like smartphones and tablets. Doctors and nurses are checking email, receiving lab results and performing myriad other tasks on their own phones and tablets, in an effort to keep up with the next day’s workload.
In a 2017 Spõk survey, 71% of clinicians said their hospital allows some sort of “bring your own device” (BYOD) use, up from 58% the previous year. Even without official approval, the practice is increasingly common. In the same survey, 65% of doctors and 41% of nurses admitted using personal devices despite hospital policy prohibiting them.
Driving use are easier communication among care teams, workflow efficiencies, cost savings and response to physician demand.
By far the biggest users of mobile devices are clinical care teams. According to Spyglass Consulting Group, nine in 10 hospitals are investing in smartphones and secure mobile communications platforms to drive clinical transformation. And 91% of healthcare IT leaders in a recent JAMF survey said they would benefit from an enterprise-wide mobile device initiative. Where such initiatives exist, nearly all respondents reported higher patient experience scores.
But with wider use of mobile devices, and particularly BYOD, come increased privacy and security concerns. Experts say hospitals that allow employees to use their personal cell phones in the workplace need clear policies on who can use BYOD and what types of information can be transmitted.
Mobile devices should be part of an organization’s overall governance program, and that should include BYOD and issues like what people can download on a flash drive, says Kathy Downing, director of practice excellence and senior director at the American Health Information Management Association.
“We see so many breaches when somebody has downloaded something on a flash drive and the flash drive goes missing,” she tells Healthcare Dive.
Healthcare organizations can pay dearly when breaches occur. Last year, Children’s Medical Center of Dallas paid $3.2 million to HHS over patient privacy breaches linked to an unencrypted, non-password protected BlackBerry device.
For that reason, data security remains the chief reason hospitals prohibit BYOD. In the Spõk survey, 52% of respondents named BYOD as a top data security challenge. Infrastructure was also a concern, with 54% citing Wi-Fi coverage and 44% saying cellular coverage is a security challenge.
HIPAA and BYOD
While HIPAA doesn't require specific solutions when it comes to technical safeguards for mobile devices, HHS does require organizations to have reasonable and appropriate security measures for standard operating procedures.
ONC has developed guidance on securing mobile devices, including BYOD. Among its recommendations are that organizations install and enable encryption and research mobile apps before downloading them onto devices.
The National Institute for Standards and Technology also has a practice guide on mobile device security that discusses enterprise mobility management. This usually entails installing a profile on a device so that it can be monitored and controlled. The problem, critics say, is that employees where BYOD is permitted often don’t want their personal devices monitored.
“Most organizations do allow for people to bring in devices, but you have to couple that with a mobile device management solution in order to control the various dynamics of protected health information and allowing a more secure … connection to the health system,” says Cletis Earle, CHIME board chair and CEO at Kaleida Health.
That’s usually coupled with formal BYOD policies, he adds. Such policies need to address questions like retention of emails and passwords and, if a personal device is going to connect to the network, what broader mobile device guidelines it must comply with to ensure users stay connected in a secure manner.
These are basic principles that apply across any vertical, not just healthcare, Earle says.
Building a BYOD policy
There are numerous examples of BYOD policies. Basic components tend to include expectation of privacy, acceptable use, device and support, security and risks and liabilities. Policies also need to have some sort of user review and acknowledgment so that people understand their responsibilities. For example, don’t allow others to access secure information on your phone, don’t share your password and don’t ignore software updates designed to address a security risk.
A big piece of any BYOD program is employee awareness and education, Downing says. Policies should reflect the concerns of nurses, lawyers and others whom they will impact. “You can’t just build it behind the scene,” she says.
Not one size fits all, however, when it comes to mobile device and BYOD policy. Some organizations deploy extreme measures, such as requiring a lengthy alphanumeric phrase recognition password or prohibiting PHI in emails, while others are less restrictive. To ensure policies don’t end up being disruptive, Downing suggests following a “reasonableness” standard.
She also recommends thorough and regular risk assessments to ensure compliance with HIPAA privacy requirements. ONC indicated as recently as February that not enough organizations are conducting risk assessments.
Finally, organizations need to make sure breach management and incident response teams are on board and know what the mobile device policy is.
Mobile device management is essential
Installing a good mobile device management (MDM) tool is also essential for any BYOD program, experts say. There are a number on vendors that offer this software, including AirWatch and Citrix. They allow organizations to control what apps are downloaded on personal devices, force passcodes, encrypt data and segregate work-related usage from personal use, such as posting on Facebook or Twitter. MDMs also enable organizations to wipe or recover data in the event a device is lost, stolen or misused.
“The controls are the biggest factor,” Earle says. If a device is lost or stolen, organizations need to be able to wipe work-related content without wiping the employee’s personal content.
Some MDM systems allow that to be done in a relatively robust manner and some present more of a challenge, so it’s important to shop for the right product. “There are some features that will allow easier enterprise-based usability, but it’s up to each organization to determine the level of complexity and cost associated with that respective MDM that’s applicable to your enterprise,” Earle says.
“We’re constantly looking at our wireless network to see what devices are connected,” says Danny Lujan, director of health information technology at Martin Luther King, Jr. Community Hospital in south Los Angeles, which uses the AirWatch system. The hospital monitors its wireless network for unusual behavior and separates BYOD devices out so they don’t touch anything connected to the internal network.
The hospital, which is in the process of developing a BYOD policy, uses four wireless networks — for internal phones, PCs, workstations on wheels and guests.
BYOD best practices
Besides MDM, what steps can organizations take to control BYOD use? One is to carefully analyze what devices — like iPhones, iPads, Androids and BlackBerries — users can bring into the facility or use externally. “You have to vet that out because if people bring in different devices and you’re supporting every single device, then it becomes a support nightmare for your IT team,” Lujan says.
Organizations also need to decide what applications they will support. Again, the more apps allowed on a phone or tablet, the more IT will need to support them. It’s important to assess what the IT department can handle.
Determine who really needs to have company email on their phone. Limiting email access reduces potential exposure of PHI or other secure information. Also, restrict BYOD device to a guest or special BYOD network so if a device is breached or infected with a virus, it doesn't infiltrate the entire system.
As technologies and the internet-of-things advance, new techniques may be needed.
“It’s not about the device. It’s about the technology and the application layer that we really have to focus on,” Earle says. “As virtualization becomes more prevalent, as cloud-based technologies become more prevalent, there’s going to be more of, it’s not the device, but the data is held somewhere else. You’re really dealing with a different set of problems and a different set of challenges.”
That will require new, more holistic ways of thinking about vulnerability and security, he says. Organizations will need to look beyond MDM to a “cocktail of different solutions” to ensure data security.