The trend of bringing your own device (BYOD) to work in healthcare is based on efficiency. Being able to communicate on devices they’re familiar with can help doctors, nurses, and care teams respond faster, which translates into better experiences for patients.
In fact, it’s widespread enough that calling BYOD a trend might not be accurate anymore. Just last year, a Spok survey found that 71 percent of healthcare organizations allow staff members to bring and use their own devices at work. In addition, 63 percent of doctors and 41 percent of nurses say they use their personal devices even without permission.
With or without approval, BYOD is growing, so there should be strict regulations and policies guiding it. People are only human, and humans are prone to make mistakes. While you can’t always avoid these mistakes, you can remove the ways in which they could affect your organization’s overall security.
Regulating BYOD Policies
It’s unrealistic to expect everyone within your organization to stop using their own devices. It’s just as unrealistic to foot the cost of buying and managing devices for every single employee (especially if your organization is larger). However, the productivity and efficiency gains that come with a mobile workforce are undeniable.
For many employees, simply being mobile can increase productivity by up to 34 percent, according to a Samsung-sponsored Frost & Sullivan survey. In another study, well-implemented BYOD policies have accounted for average company savings of up to $350 per employee per year.
Despite these advantages, protecting data has always been a cornerstone of healthcare privacy and security regulations. That task is almost infinitely more challenging when everyone uses their own devices. In multiple attempts to meet that challenge, 34 different state legislatures have passed a total of 63 bills designed to rein in the risks of mobilized healthcare.
A majority of the bills help define what telemedicine and telehealth entail, as well as standards to decide when either is appropriate. For example, in Arkansas, legislation now dictates that children in school can only receive telehealth services from their primary care physicians or from directly authorized clinicians.
Such legislation may or may not prove beneficial to healthcare security in the long run, but it highlights an important point: The issue isn’t really about whether you should allow BYOD; it’s about how you can make personal devices as secure as your organization’s network. The answer starts with the following tips:
1. Group employees into roles, and then define their access.
First, set rules around how much access employees need according to their defined roles. You can more easily manage access using role-based guidelines rather than defining access for each individual employee. This also helps eliminate instances in which employees inadvertently create vulnerabilities and increase their organization’s risk of an internal breach.
For example, well-intentioned gestures such as sharing passwords with co-workers so they can access health records could be controlled by restricting access according to roles. In a University of Phoenix College of Health Professions survey, 59 percent of nurses and 60 percent of administrators point to role-based access as one of the most effective ways to protect patient data.
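The role-based check described in this tip, as an added Python example that is not code from the article or from Paubox: roles are granted permissions, people are assigned roles, and anything not explicitly granted is denied. The role names, permissions, user names and log format are constructed for illustration.

```python
"""Deny-by-default role-based access control (RBAC) for a clinical app.

Added example, not from the article or from Paubox. The roles,
permissions, users and log format are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Permissions are (action, resource) pairs. A role is granted a fixed set of
# them; nothing is granted to an individual directly, so access reviews are
# done per role rather than per person.
ROLE_PERMISSIONS: dict[str, set[tuple[str, str]]] = {
    "physician": {("read", "chart"), ("write", "chart"),
                  ("read", "labs"), ("order", "labs")},
    "nurse":     {("read", "chart"), ("write", "vitals"), ("read", "labs")},
    "billing":   {("read", "billing"), ("write", "billing")},
    "scheduler": {("read", "schedule"), ("write", "schedule")},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset[str]  # a person may hold more than one role


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Every decision, allowed or denied, is recorded so repeated denials
# (a sign of a mis-assigned role or of shared credentials) can be spotted.
AUDIT_LOG: list[dict] = []


def permissions_for(user: User) -> set[tuple[str, str]]:
    """Union of the permissions of every role the user holds.
    Unknown role names contribute nothing rather than raising."""
    granted: set[tuple[str, str]] = set()
    for role in user.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return granted


def is_allowed(user: User, action: str, resource: str) -> Decision:
    """Grant only if some role the user holds explicitly carries
    (action, resource); anything not listed is denied."""
    for role in sorted(user.roles):
        if (action, resource) in ROLE_PERMISSIONS.get(role, set()):
            decision = Decision(True, f"granted via role '{role}'")
            break
    else:
        decision = Decision(False, "no held role grants this permission")
    AUDIT_LOG.append({"user": user.name, "action": action,
                      "resource": resource, "allowed": decision.allowed})
    return decision


def denied_attempts(user_name: str) -> int:
    """Count denials for one user from the in-memory audit log."""
    return sum(1 for e in AUDIT_LOG
               if e["user"] == user_name and not e["allowed"])


if __name__ == "__main__":
    nurse = User("n.okafor", frozenset({"nurse"}))
    for action, resource in [("read", "chart"), ("order", "labs"),
                             ("read", "billing")]:
        d = is_allowed(nurse, action, resource)
        print(f"{nurse.name} {action} {resource}: {d.allowed} ({d.reason})")
    print("denied attempts:", denied_attempts(nurse.name))
```

Because the grant lives on the role rather than the person, a colleague who "borrows" a physician's login to read a chart shows up in the audit log as the physician, which is exactly why sharing passwords defeats the model; the fix is to give the colleague a role that carries the permission they actually need.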
2. Don’t allow devices that can’t be properly secured.
Along with insider breaches, hacking and IT incidents made up 37 percent of all healthcare data breaches in 2017. Most of these didn’t occur because of employee error; they occurred because of a failure to properly secure every device within the network. Therefore, the next step is to secure an employee’s device by ensuring it’s encrypted and locked.
A security PIN might be adequate, but biometric access such as fingerprint, face, or iris scanners can provide a much higher level of security. It’s harder to mimic biometrics than it is to guess a PIN, so any localized data will be better protected if the device is lost or stolen. This will require limiting devices to models that can support higher security measures.
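A device-posture gate that applies this tip, as an added Python example rather than the article's own material: a device is enrolled only if every required control (encryption, a strong enough lock, recent patches, no root/jailbreak, no compromise flag) is in place, and every failing control is reported at once. The attribute names, the lock-strength ranking and the thresholds are assumptions, not taken from any particular MDM product.

```python
"""Device-posture gate for BYOD enrollment: a device that cannot be
secured is not allowed onto the network.

Added example, not from the article or any MDM product. Attribute names,
the lock-strength ranking and the thresholds are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed ranking: a device must reach at least MIN_LOCK to be enrolled.
LOCK_STRENGTH = {"none": 0, "pattern": 1, "pin": 2, "password": 3, "biometric": 4}
MIN_LOCK = "pin"
MAX_PATCH_AGE_DAYS = 90


@dataclass
class DevicePosture:
    device_id: str
    owner: str
    storage_encrypted: bool
    lock_type: str            # one of LOCK_STRENGTH's keys
    patch_age_days: int       # days since the last OS security update
    rooted_or_jailbroken: bool
    flagged_compromised: bool = False   # set by IT after an incident


def evaluate_device(p: DevicePosture,
                    min_lock: str = MIN_LOCK,
                    max_patch_age: int = MAX_PATCH_AGE_DAYS) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every failing control is reported, not
    just the first, so the owner can fix all of them in one pass."""
    reasons: list[str] = []
    if p.flagged_compromised:
        reasons.append("device flagged as compromised by IT; access revoked")
    if p.rooted_or_jailbroken:
        reasons.append("rooted/jailbroken: OS isolation and lock cannot be trusted")
    if not p.storage_encrypted:
        reasons.append("storage is not encrypted; data is readable if the device is lost")
    # Unknown lock types rank as 0, i.e. as no lock at all.
    if LOCK_STRENGTH.get(p.lock_type, 0) < LOCK_STRENGTH[min_lock]:
        reasons.append(f"screen lock '{p.lock_type}' is weaker than the required '{min_lock}'")
    if p.patch_age_days > max_patch_age:
        reasons.append(f"OS security patches are {p.patch_age_days} days old (limit {max_patch_age})")
    return (not reasons, reasons)


def enrollment_report(devices: list[DevicePosture]) -> dict[str, list[str]]:
    """Map device_id -> list of failing controls (empty list = allowed)."""
    return {d.device_id: evaluate_device(d)[1] for d in devices}


if __name__ == "__main__":
    # Constructed sample fleet.
    fleet = [
        DevicePosture("phone-01", "n.okafor", True, "biometric", 12, False),
        DevicePosture("phone-02", "j.park", False, "pattern", 210, True),
        DevicePosture("tablet-03", "a.lee", True, "pin", 30, False, flagged_compromised=True),
    ]
    for device_id, problems in enrollment_report(fleet).items():
        print(f"{device_id}: {'ALLOW' if not problems else 'DENY'}")
        for r in problems:
            print(f"  - {r}")
```

Raising `min_lock` to `"biometric"` is the one-line way to express the stricter policy the tip recommends; devices whose hardware cannot meet it simply fail enrollment rather than being admitted with a weaker lock.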
3. Keep data off devices by using agentless software.
Most modern smartphones and personal devices come with a variety of biometric locks to safeguard the data they store. Yet you can guarantee that certain data is safe if a device is stolen by keeping data off the device in the first place. Agentless software allows a device to access programs and files without having to store them locally.
No matter what device accesses the data, it remains secure in the cloud or, in rare cases, within the organization’s server. IT security administrators can control access from within the organization, including restricting access for compromised devices. Organizations can rest easier knowing their data is safe, and employees don’t have to install intrusive software onto their devices.
4. If an app needs an agent, containerize it.
Some applications and programs need to be installed to be used, making an agentless approach impossible. For such applications, containerization is often the next best strategy. Containerization allows a device’s operating system to virtually isolate work-related apps from personal ones.
The contained apps cannot communicate with any other files or libraries on the operating system, so they can’t read any of the employee’s personal data. Likewise, employees can only use the device to access contained apps while within the organization’s network. Outside of work, containerization keeps the work-related data safely inaccessible.
5. Force encryption in every application that allows it.
So far, you’ve taken steps to ensure an employee’s personal device is as secure as it can be. However, human behavior and choices create variables where there should be none when it comes to securing your organization’s network. Use software and applications that allow you to automatically implement certain security measures so users don’t have to remember or guess.
For example, emails sent from within the organization can be forcibly encrypted whether or not the employee chooses encryption. Certain apps can demand biometric or PIN access even if the employee didn’t sign out properly after using it the last time. Wherever possible, make encryption and security automatic to eliminate the variables of human error.
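Both behaviours in this tip, as an added Python example that is not code from the article or from Paubox: an outbound-mail policy that encrypts organization mail no matter what the sender ticked, and an app session that re-locks on idle time or age whether or not the user ever signed out. The organization domain, the timeouts, the field names and the sample times are assumptions.

```python
"""Security settings the software enforces on its own, so nothing depends
on the user remembering to do it.

Added example, not from the article or from Paubox. The organization
domain, timeouts, field names and sample times are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ORG_DOMAIN = "example-clinic.test"        # assumed mail domain of the organization
IDLE_TIMEOUT = timedelta(minutes=5)        # assumed: unlock again after 5 idle minutes
MAX_SESSION_AGE = timedelta(hours=12)      # assumed: full re-authentication every 12 h
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)   # constructed reference time


@dataclass
class OutboundMail:
    sender: str
    recipient: str
    sender_requested_encryption: bool   # the checkbox the user may or may not have ticked


def mail_delivery_policy(msg: OutboundMail) -> dict:
    """Mail from the organization's domain is always encrypted; the sender's
    own choice is recorded but cannot turn encryption off."""
    from_org = msg.sender.lower().endswith("@" + ORG_DOMAIN)
    encrypt = from_org or msg.sender_requested_encryption
    return {
        "encrypt": encrypt,
        "policy_overrode_sender": from_org and not msg.sender_requested_encryption,
    }


@dataclass
class AppSession:
    user: str
    device_id: str
    authenticated_at: datetime   # last PIN/biometric unlock
    last_activity_at: datetime
    signed_out: bool = False


def access_check(session: AppSession, device_id: str, now: datetime) -> tuple[bool, str]:
    """Return (allowed, reason). The app re-locks itself on idle or age,
    whether or not the user tapped 'sign out' last time."""
    if session.signed_out:
        return False, "signed out; authenticate"
    if device_id != session.device_id:
        return False, "session is bound to a different device; authenticate"
    if now - session.authenticated_at > MAX_SESSION_AGE:
        return False, "session age exceeded; full re-authentication required"
    if now - session.last_activity_at > IDLE_TIMEOUT:
        return False, "idle timeout; unlock with PIN or biometric"
    return True, "ok"


def record_activity(session: AppSession, now: datetime) -> None:
    """Only an allowed access extends the idle window; it never extends
    MAX_SESSION_AGE, which is measured from the last real unlock."""
    if access_check(session, session.device_id, now)[0]:
        session.last_activity_at = now


if __name__ == "__main__":
    mail = OutboundMail("dr.rivera@" + ORG_DOMAIN, "patient@example.net", False)
    print(mail_delivery_policy(mail))   # encrypted although the sender did not ask

    s = AppSession("n.okafor", "phone-01", T0, T0)
    for minutes in (2, 7):
        print(minutes, "min later:", access_check(s, "phone-01", T0 + timedelta(minutes=minutes)))
```

The point of both functions is that the user's past behaviour (leaving the checkbox empty, walking away without signing out) never appears as an input that can weaken the outcome; the policy decides, and the user's choice is at most logged.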
6. Keep staff members updated by pushing reminders to their devices.
It might go without saying, but any good BYOD policy must be updated constantly to keep up with ever-advancing technology. Sound policies are essential, but few people remember the employee handbooks they’re asked to read on their first day. Likewise, BYOD policies will be easily forgotten without routine reminders.
You can also keep security fresh in employees’ minds by pushing updates and reminders through text and email. Routinely evaluate employees’ devices to ensure security measures are still functioning properly. Also, implement a process to make it easier for employees to add and remove new devices to avoid any security hiccups whenever they upgrade.
BYOD policies can seem like a huge challenge, but there are a plethora of tech options available that can help your organization regulate yours. Instead of leaving security up to device owners and opening up more holes into your network, limit the risk of a breach by letting technology secure your data as much as possible.
Hoala Greevy is founder and CEO of Paubox, the leading provider of HIPAA-compliant email. Paubox’s end-to-end email encryption works on any device without requiring additional apps, plugins, or logins.