Physicians and healthcare workers are like the rest of the population — they love their iPads, their Samsung Galaxy Tabs, their Nokia Lumias. And they want to use them at work — especially if, as many healthcare professionals do, they work in multiple hospitals or offices. For these and other reasons, BYOD, or Bring Your Own Device, is making its way into the medical environment.
As it does, though, IT service providers must take extra care with security and privacy, in particular compliance with the Health Insurance Portability and Accountability Act (HIPAA). Unfortunately, BYOD can quickly lead to security breaches if appropriate safeguards are not in place.
A Harris Interactive survey sponsored by security solutions company ESET found that:
- Encryption of company data is happening on only about one-third of devices.
- Less than 10 percent of people currently using their own tablets for work have auto-locking enabled.
- Only 25 percent of smartphone owners using their devices for work have auto lock.
- Auto-locking with password protection was enabled by less than half of laptop users, less than a third of smartphone users and only one in 10 tablet users.
If You Allow BYOD, You are Vulnerable
In short, less than half of all devices in the BYOD category are protected by the most basic of security measures.
To be sure, securing the mobile environment, even with BYOD in the picture, is doable. Your managed IT services provider should be using good data encryption technology to secure documents. And, if you use cloud-based technologies, your IT services staff can provide security via identity and access management technology.
For healthcare providers, though, more thought needs to be put into a BYOD strategy. Protecting patient privacy is clearly essential, and the company needs to make sure that patient information doesn’t commingle with the personal use of the device. The IT managed service provider also needs to make sure that no one else can access patient information.
A security policy with these issues in mind needs to be crafted, with participation from almost every functional area in the company – from IT services to human resources to the legal department.
Starting Points for Your Security Policy
Some suggestions to include in the policy:
- Make sure the participants understand that IT support services will have access to their device, including any personal data.
- Participants sign a waiver that allows IT to wipe a personal device if it is lost or stolen.
- Set some guidelines: if an employee – or, more likely, his teenage son – installs a certain type of app, such as a game, the controls should block that device from accessing medical data.
- Provide extensive staff education to make sure users understand the implications of mobile technology and how it affects regulatory compliance.
- Produce regular audit and usage reports, and have administrators and staff leaders review them.
- Put in place a timeout feature that locks the device and requires the password if it has been inactive for a set period of time.
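The policy items above (encryption, auto-lock with a passcode, a remote-wipe waiver, blocking devices that carry disallowed app categories, and regular audit reports) can be checked mechanically against a device inventory. The following is an added example written for this page, not code from the original post or from any MDM vendor: the inventory records, the field names, the policy thresholds and the owner names are all constructed for illustration, and a real MDM export would use its own schema. It evaluates each device against the policy, decides whether it may reach patient data, and produces the kind of summary the survey figures above are drawn from.

```python
"""BYOD compliance audit over a constructed device inventory (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Policy thresholds: assumed values, to be taken from your own written policy.
MAX_INACTIVITY_MINUTES = 5          # auto-lock must fire within this many minutes
BLOCKED_APP_CATEGORIES = {"game"}   # app categories that bar a device from PHI access


@dataclass
class Device:
    owner: str
    kind: str                         # "laptop", "smartphone" or "tablet"
    encrypted: bool                   # storage encryption enabled
    auto_lock_minutes: Optional[int]  # None means auto-lock is disabled
    passcode_set: bool                # auto-lock is meaningless without a passcode
    waiver_signed: bool               # owner agreed to remote wipe if lost/stolen
    app_categories: Set[str] = field(default_factory=set)


def findings_for(device: Device) -> List[str]:
    """Return every way this device falls short of the policy (empty = compliant)."""
    problems: List[str] = []
    if not device.encrypted:
        problems.append("storage not encrypted")
    if device.auto_lock_minutes is None:
        problems.append("auto-lock disabled")
    elif device.auto_lock_minutes > MAX_INACTIVITY_MINUTES:
        problems.append(
            f"auto-lock timeout {device.auto_lock_minutes} min exceeds "
            f"{MAX_INACTIVITY_MINUTES} min"
        )
    if not device.passcode_set:
        problems.append("no passcode, so auto-lock gives no protection")
    if not device.waiver_signed:
        problems.append("no remote-wipe waiver on file")
    blocked = device.app_categories & BLOCKED_APP_CATEGORIES
    if blocked:
        problems.append("blocked app category installed: " + ", ".join(sorted(blocked)))
    return problems


def may_access_phi(device: Device) -> bool:
    """Access control decision: only fully compliant devices reach patient data."""
    return not findings_for(device)


def audit(devices: List[Device]) -> Dict[str, object]:
    """Build the review report: compliant owners, and findings per blocked device."""
    report: Dict[str, object] = {"compliant": [], "blocked": {}}
    for device in devices:
        problems = findings_for(device)
        if problems:
            report["blocked"][device.owner] = problems
        else:
            report["compliant"].append(device.owner)
    return report


def summarize(devices: List[Device]) -> Dict[str, float]:
    """Fleet-level percentages of the kind quoted in the survey above."""
    total = len(devices)
    encrypted = sum(1 for d in devices if d.encrypted)
    locked = sum(1 for d in devices if d.auto_lock_minutes is not None and d.passcode_set)
    return {
        "encrypted_pct": round(100.0 * encrypted / total, 1),
        "auto_lock_with_passcode_pct": round(100.0 * locked / total, 1),
    }


# Constructed sample inventory; none of these owners or devices are real.
SAMPLE_INVENTORY = [
    Device("Dr. Lee", "laptop", True, 2, True, True, {"email"}),
    Device("Dr. Patel", "tablet", False, None, False, True, set()),
    Device("Nurse Kim", "smartphone", True, 15, True, False, {"game", "email"}),
    Device("Dr. Ortiz", "laptop", True, 5, True, True, {"game"}),
]

if __name__ == "__main__":
    result = audit(SAMPLE_INVENTORY)
    print("Compliant:", result["compliant"])
    for owner, problems in result["blocked"].items():
        print(f"Blocked {owner}:")
        for problem in problems:
            print("   -", problem)
    print("Fleet summary:", summarize(SAMPLE_INVENTORY))
```

Running the audit on a schedule and feeding `audit()` output to the administrators and staff leaders named in the policy gives the regular review the list calls for; `may_access_phi()` is the check a gateway or MDM conditional-access rule would apply before letting the device open patient records.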