One aspect of the mobile health field that has brought some confusion among healthcare providers and the whole medical community is the security risks associated with the Bring Your Own Device (BYOD) movement. Many companies in various industries today allow employees to utilize their own smartphones, tablets, or laptops for work purposes. However, the BYOD movement may have additional implications for the healthcare sphere.
There are three particular stakeholder groups that need to be considered when developing a BYOD program, according to the Health Information and Management Systems Society (HIMSS). These include end users, management, and IT staff. HIMSS covers key security questions that healthcare providers should consider when developing an effective BYOD program such as “How will you deal with the changing landscape – new laws, training, new devices, changing vendors, changing usage patterns?”
The National Law Review covered some of the privacy and security risks of the BYOD movement. While many employers have specific policies with regard to using one’s own digital device, some establishments may not have any guidelines in particular and professionals nonetheless utilize personal mobile devices like tablets or smartphones for work purposes.
Many healthcare organizations and other workplaces continue to struggle to find the line between the benefits of the BYOD movement and the potential privacy and security risks associated with personal mobile devices. These tools often hold very private information such as financial, health, business-related, and legal data.
With the BYOD movement, healthcare facilities lose some control over data across their organization, a loss that company-bought devices would minimize. The National Law Review goes on to explain that many data breaches are due to “employee negligence and lost or stolen devices.”
Because employees often take devices home or out to restaurants and cafes, the devices are more likely to be lost or stolen, which raises the security risk. Additionally, many individuals share laptops or other devices with family members or friends, which could expose data to third parties. With more employee data as well as patient records stored in the cloud, there is additional risk regarding the privacy and security of certain pieces of information.
“Companies must consider business purposes, such as preserving reputation, as well as the numerous potential legal obligations surrounding data privacy and security,” The National Law Review stated. “For example, federal and state breach notification laws would apply to the unauthorized use or disclosure of certain types of data.”
“The information may be subject to many confidentiality laws, such as the Health Insurance Portability and Accountability Act Privacy Rule. Businesses need to consider the various security laws that may apply, such as the HIPAA Security Rule and the Gramm Leach Bliley Act. There may be contractual obligations or trade secret laws to keep in mind. Employment laws may also enter the picture. For example, if nonexempt employees are allowed remote access via their BYOD devices, they might perform more ‘off the clock’ work, which could give rise to wage and hour claims.”
Patients along with healthcare professionals are also concerned with the privacy of their data such as photos, personal emails, health records, medical histories, or financial information.
When integrating a policy related to the BYOD movement, it is vital to know which physicians, nurses, and other healthcare professionals should be allowed to participate in the program. It’s important to remember that not every single employee needs access to files or electronic records pertaining to patients by way of a mobile device.
When deciding on whether certain people should be part of the BYOD program and its policies, it’s vital to consider the job functions of each individual within the medical facility. Also, crafting a specific BYOD policy and ensuring everyone involved in the program understands its terms and conditions is vital to a successful and secure system.
A strong policy, for example, prohibits installing unapproved applications or using unapproved devices. It also ensures that employees who no longer work for the company lose all access to the organization’s data, and that prior information related to the former worker is deleted as soon as possible.
“Companies should also implement various technical safeguards, such as encryption and passcode protection. Using a mobile device management (‘MDM’) solution can help with configuring and enforcing these safeguards,” The National Law Review concluded.
“MDM software can allow employers to require encryption and strong passwords, disable cloud services, lock devices after a period of inactivity, remotely wipe lost or stolen devices, and prevent the installation of unapproved applications on employees’ devices. MDM solutions can also help companies track which devices are participating in the BYOD program. Training is vital to a successful BYOD program. Training should include regular reminders of good security practices.”