Sep 05 2019

5 Strategies for Implementing a BYOD Policy in Healthcare

Before allowing employees to use their own phones and other tech on the job, take the following precautions.

Nearly three-quarters of hospitals allow some sort of BYOD policy, according to a 2018 infographic by healthcare communications company Spok. That’s a 22 percent increase from the previous year.

Implementing a BYOD policy — which allows clinicians, administrators and other staff members to use their personal devices to interact with hospital resources in some manner — can boost cost savings and convenience.

But the approach also presents challenges for organizations of all sizes, notes the Healthcare Information and Management Systems Society, which urges hospitals to weigh the shortcomings of a BYOD arrangement as well as its advantages.

Consider the following five commonsense mobile security strategies, which preserve the key benefits of BYOD while protecting sensitive patient information.


1. Clarify BYOD Policies in Writing

It’s crucial to create a clear statement of your organization’s BYOD policy and share it with all team members. Neglecting to do so will create confusion among employees and could lead them to assume that it’s OK to use any device in a work-related scenario. 

Your BYOD policy should answer the following questions:

  • Who may use personal devices, and for what purposes?
  • What types of data may be accessed from personal devices, and what types of data are explicitly prohibited for BYOD use?
  • What types of data may be stored on personal devices?
  • What network or networks may employees use to connect personal devices?
  • Who is responsible for the secure management of personal devices? What authority does the IT team have to inspect and alter their configuration?
  • Where should users turn with questions about the BYOD policy?

3 out of 5: physicians who use personal devices for work when BYOD is not allowed. (Source: Spok, “10 Facts About BYOD,” June 2018)

Answering these questions clearly and authoritatively creates an environment where everyone understands what is (and isn’t) permitted. Even if an organization decides to prohibit BYOD, that stance should be communicated.

2. Configure Device Encryption

All modern mobile devices offer some form of device encryption. It protects data stored on the device by rendering it unreadable to anyone who cannot unlock the device. On current phones the storage encryption key is itself protected by the user’s passcode, so a device that is “encrypted” but has no passcode, or a trivial one, gains very little.

With encryption and a passcode in place on every mobile device, someone who picks up a lost or stolen device cannot read its stored data, keeping sensitive information away from prying eyes.

BYOD policies should mandate device encryption and a passcode on all personally owned devices, and should give the IT team the authority to verify on a regular basis that both are in place.

3. Centralize Management of Mobile Devices

Most organizations already use a mobile device management (MDM) solution to control the configuration of corporate-owned devices. 

BYOD policies, then, should extend this protection to personal devices used on corporate networks or to access patient information. The policy should require that any device be added to the MDM system before it can be used for business purposes.

MDM allows administrators to secure devices in several ways. Beyond enforcing secure configuration settings such as a passcode and a minimum OS version, MDM may also be used to require device encryption, to block access from devices that fall out of compliance, and to remotely wipe data from lost or stolen devices.
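The checks described in the two sections above (encryption and passcode in place, device enrolled in MDM before it touches patient data, remote wipe for a lost device) can be expressed as a compliance policy run over an MDM inventory export. The script below is an added example, not code from the article or from any MDM product: the `Device` record layout, the field names, the policy thresholds in `POLICY` and the sample inventory are all assumptions made for illustration, since every vendor uses its own schema and API.

```python
"""Evaluate BYOD device records against a minimal compliance policy.

Added example: the record schema and policy values are hypothetical and
modelled on a generic MDM inventory export, not on any real product.
"""
from dataclasses import dataclass

# Hypothetical policy thresholds; an organisation sets its own.
POLICY = {
    "min_os_version": {"ios": (15, 0), "android": (12, 0)},
    "max_checkin_age_days": 7,
}


@dataclass
class Device:
    """One row of an MDM inventory export (assumed schema)."""
    device_id: str
    owner: str
    platform: str            # "ios" or "android"
    os_version: str          # dotted string such as "16.4.1"
    mdm_enrolled: bool
    encryption_enabled: bool
    passcode_set: bool
    days_since_checkin: int  # days since the MDM agent last reported in
    reported_lost: bool = False


def parse_version(text: str, width: int) -> tuple:
    """Turn "16.4.1" into an int tuple padded or truncated to `width` parts."""
    parts = tuple(int(p) for p in text.split(".") if p.isdigit())
    parts = parts + (0,) * width
    return parts[:width]


def evaluate(device: Device, policy: dict = POLICY) -> list:
    """Return policy violations for one device; an empty list means compliant."""
    problems = []
    if not device.mdm_enrolled:
        problems.append("not enrolled in MDM")
    if not device.encryption_enabled:
        problems.append("device encryption disabled")
    if not device.passcode_set:
        # The storage key is protected by the passcode, so encryption
        # without a passcode does not protect a lost device.
        problems.append("no passcode set")
    min_ver = policy["min_os_version"].get(device.platform)
    if min_ver is None:
        problems.append(f"unsupported platform: {device.platform}")
    elif parse_version(device.os_version, len(min_ver)) < min_ver:
        problems.append(f"OS {device.os_version} below minimum "
                        + ".".join(map(str, min_ver)))
    if device.days_since_checkin > policy["max_checkin_age_days"]:
        # A device that has stopped checking in cannot be assumed to still
        # be configured the way the MDM last saw it.
        problems.append(f"no MDM check-in for {device.days_since_checkin} days")
    return problems


def decide(devices: list, policy: dict = POLICY) -> dict:
    """Map device_id -> (action, reasons); action is allow, deny or wipe."""
    decisions = {}
    for d in devices:
        if d.reported_lost:
            # A lost device can only be wiped if it is still managed;
            # otherwise all we can do is block it, which is the argument
            # for requiring enrollment before first use.
            decisions[d.device_id] = ("wipe" if d.mdm_enrolled else "deny",
                                      ["reported lost"])
            continue
        problems = evaluate(d, policy)
        decisions[d.device_id] = ("allow" if not problems else "deny", problems)
    return decisions


# Constructed sample inventory for the example (not real data).
SAMPLE_INVENTORY = [
    Device("dev-001", "dr.jones", "ios", "16.4.1", True, True, True, 1),
    Device("dev-002", "nurse.kim", "android", "11.0", True, True, True, 2),
    Device("dev-003", "admin.lee", "ios", "16.0", False, True, True, 0),
    Device("dev-004", "dr.patel", "android", "13", True, True, True, 30),
    Device("dev-005", "dr.ng", "ios", "16.2", True, True, False, 3,
           reported_lost=True),
]

if __name__ == "__main__":
    for device_id, (action, reasons) in decide(SAMPLE_INVENTORY).items():
        print(f"{device_id}: {action}", "; ".join(reasons))
```

The stale check-in rule is the one most often forgotten: a device that was compliant a month ago and has not reported since should be treated as unknown, not as still compliant, until the agent checks in again.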


4. Consider Containerization Approaches

Containerization technology, which sets up a separate, managed workspace for work data on the device, offers a different approach to mobile device security.

In practice, this looks like just another smartphone app. Instead of letting users interact directly with patient information on their devices, this approach lets them access patient information only through the containerized app, which keeps its data in its own encrypted store and controls whether that data can move to the rest of the phone (through copy and paste, file sharing or backups, for example).

This approach is more technically complex than other BYOD approaches, and users may find the separate app less convenient, but it provides added security that gives technology leaders peace of mind.


5. Create a Culture of Reporting

Healthcare IT teams implement a variety of controls to reduce the likelihood of security events, but the reality is that they do occur. Users may respond to phishing attacks, and practitioners could lose mobile devices and other media. 

When an incident happens, responders must work quickly to contain the damage. The faster they can get to work, the more likely it is that they will be able to resolve the problem.

Prompt response requires prompt reporting, however. This is why leaders should foster a culture that eschews blame and seeks continuous improvement by conditioning practitioners to report cybersecurity incidents, particularly when they affect a BYOD device. A lost phone that is reported within the hour can be wiped or blocked before anyone gets into it; one reported a week later may already have been read.
