BYOD Policies Imperative in Protecting Sensitive Health Data
By Sara Heath
- BYOD is becoming an increasingly prevalent trend amongst healthcare providers -- as care coordination and health information exchange become important practices for providers, the use of personal devices is certainly growing. Because of this, healthcare facilities must ensure that they have strong BYOD policies in place as to prevent a security issue, a recent advisement says.
The advisement, written by lawyer Julie Brook of Continuing Education of the Bar California, asserts that employees are probably using personal devices for work purposes whether there is a policy in place or not. This is due to the increasing trend of increased care coordination and health information sharing. Mobile devices are also said to help aid provider efficiency because they are not tied to a stationary computer, allowing them to navigate the facility with ease. For this reason, Brook maintains that facilities should implement BYOD policies to preemptively protect against security breaches.
“Our greater connectivity and enterprise mobility has confronted employers with a wide range of issues: dealing with the loss or theft of mobile devices, data breaches, security maintenance, issues of discoverability in litigation, and separation issues,” Brook writes. Because of those data security risks, facilities need to spell out thorough guidelines for using personal devices in the workplace.
Some of those guidelines include:
Specifying what devices, operating systems, and Apps are permitted;
Banning use of “jail break” or rooting software not designed or intended for installation by the devices’ manufacturers;
Making clear who owns what Apps and data, including social media accounts used for business and marketing, such as LinkedIn™ and Facebook™;
Delineating how private personal information will be treated separately from work-related information (the personal and work overlap problem);
Asserting the employer’s right to monitor the appropriate use of devices;
Creating no expectation of privacy by the employee;
Addressing network security and access requirements;
Prohibiting or disabling the use of camera or video capabilities while at work;
Setting out the acceptable use and treatment of company data, including rules for the storage or transmission of proprietary information belonging to either the employer, its customers, clients, or third parties;
Delineating the roles and responsibilities of the employee and the employer’s IT department;
Allowing or authorizing the employer to wipe the device of all data, either remotely when devices are lost or stolen, or when a data breach is detected;
Revoking access when the employee terminates employment;
Addressing personal liability, including payment for and allocation of costs for data plans and other service charges incurred for use of personal or company-issued mobile devices between the employer and employee; and
Imposing restrictions on texting, e-mailing, and talking (without use of a hands-free device) while driving or engaging in other distractive activities.
As mHealthIntelligence.com recently reported, statistics show that security measures in BYOD policies are vital. According to a Caradigm infographic, 69 percent of physicians access patient information on a mobile device. This could potentially be linked to the 20 percent increase in criminal health data breaches which occurred between 2012 and 2014 that the infographic reported. Taking into account the increased occurrence of health data breach and the increased use of personal mobile devices to access health data, it is imperative that facilities take measures to secure mobile devices.
