BYOD adoption is just one of the increasingly popular mobile options that healthcare facilities are beginning to implement into daily workflow. There are numerous types of secure mobility options that can benefit various organizations. The key is to find a solution that will meet daily operational needs, not hinder clinician workflow, while also adhering to any federal and state privacy regulations.
So, how can an entity securely implement a BYOD adoption plan? Moreover, what other privacy and security aspects need to be considered to ensure that a BYOD policy is comprehensive and will actually assist medical personnel?
Administrative policies and staff training
All employees must understand how to follow any adopted mHealth policies, including BYOD. This ensures that a healthcare facility can make the most of mobile capabilities while also monitoring for suspicious activity. Staff members need thorough training and need to know how the organization's BYOD policies apply to their routines; otherwise, it is easier for something to be overlooked and for information to be exposed.
Mobile device privacy and security awareness training must be periodically updated, especially as technology changes. Outdated policies are detrimental, but outdated training can be just as harmful. Reviewing policies and training material alongside the yearly risk analysis and penetration tests lets organizations determine whether there are gaps in how employees approach mobile data security.
Staff training also ties into the HIPAA administrative safeguards, which work hand in hand with the technical and physical safeguards. Security technology can only go so far without the right policies, and proper documentation is necessary for those organizational policies to carry any weight.
Proper workforce and training management is also cited by the Department of Health & Human Services as a critical aspect of administrative safeguards.
“A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI,” HHS stated on its website. “A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.”
MDM and authentication factors
Mobile device management (MDM) software and configuration can help an organization maintain control of protected health information (PHI) at all times. MDM software can also provide secure client applications such as email and web browsers, over-the-air application distribution, configuration, monitoring, and remote wipe capability.
Remote wipe capability can be essential for any BYOD policy. With this feature, organizations can permanently delete data stored on a lost or stolen mobile device. A related remote disabling feature lets organizations lock the device instead of erasing it, so that if the device is later recovered it can simply be unlocked. On employee-owned devices a selective wipe of the managed work container is usually preferable to a full-device erase, since the device also holds the employee's personal data.
Strong passcodes and data encryption for mobile devices also cannot be overlooked. Healthcare organizations can configure devices to limit the number of unsuccessful login attempts, typically locking or wiping the device once the limit is reached. Even with passcodes and multi-factor authentication, data encryption is extra insurance that information on a lost device is not easily accessed.
Applications that download and store data on a BYOD device should be able to protect that data. Short PINs or passcodes can be guessed, so an organization must ensure that the data itself is protected, whether it is in motion or at rest. Encryption only protects a lost device if the encryption key is bound to the device and released by the passcode, which is why device-level encryption and the failed-attempt limit belong together. When comparing encryption costs and budgetary constraints with the heavy fines organizations face when an unencrypted device is breached, it is difficult to see the logic in not encrypting data on physical devices; under the HIPAA Breach Notification Rule, PHI encrypted in line with HHS guidance is not considered "unsecured", so the loss of a properly encrypted device generally does not trigger breach notification.
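The following Python program is an added illustration, not code from the article or from any MDM product, of why a passcode alone is not encryption and why the failed-attempt limit matters. It models three things the section describes: an app whose data key is derived from a 4-digit PIN alone (brute-forced offline in at most 10,000 guesses, whatever the KDF), the same container with the key also bound to a random device-held secret (PIN guesses without the device are useless), and an on-device unlock path that wipes the key material after too many failures. The PIN, salt, iteration count and `LockoutGuard` class are constructed for the demo; the iteration count is deliberately low so it runs in seconds.

```python
"""Added demo: PIN-only vs. device-bound data keys, plus a failed-attempt lockout.

Not the article's or any vendor's code. Sample PIN, salt and iteration count
are constructed for illustration; the iteration count is far below a real KDF's.
"""
import hashlib
import hmac
import secrets

ITERATIONS = 100   # deliberately low so the demo finishes quickly (assumption)
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed sample salt
TRUE_PIN = "2580"  # constructed sample PIN


def derive_key(pin: str, salt: bytes, device_secret: bytes = b"") -> bytes:
    """Derive a 256-bit data key from the PIN and, optionally, a device-bound secret."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode() + device_secret, salt, ITERATIONS, dklen=32)


def key_check_value(key: bytes) -> bytes:
    """Value an app stores beside its ciphertext to tell a right key from a wrong one."""
    return hmac.new(key, b"key-check", "sha256").digest()


def brute_force_pin(salt: bytes, kcv: bytes, digits: int = 4):
    """Offline attack: the attacker holds the encrypted container (salt + KCV), not the device.

    Returns (recovered_pin, attempts) or (None, attempts) once the PIN space is exhausted.
    """
    space = 10 ** digits
    for n in range(space):
        pin = f"{n:0{digits}d}"
        if hmac.compare_digest(key_check_value(derive_key(pin, salt)), kcv):
            return pin, n + 1
    return None, space


def attack_pin_only_container():
    """Key depends on the PIN alone: recovered within 10,000 guesses, regardless of the KDF."""
    kcv = key_check_value(derive_key(TRUE_PIN, SALT))
    return brute_force_pin(SALT, kcv)


def attack_device_bound_container():
    """Same PIN, but the key also mixes in a 256-bit secret that never leaves the device.

    Without that secret every PIN guess derives the wrong key, so the search fails.
    """
    device_secret = secrets.token_bytes(32)   # stands in for a Secure Enclave / TEE key
    kcv = key_check_value(derive_key(TRUE_PIN, SALT, device_secret))
    return brute_force_pin(SALT, kcv)


class LockoutGuard:
    """On-device unlock path: the only place the device secret is used, so every guess
    must go through it, and the limit on unsuccessful attempts can destroy the key."""

    def __init__(self, pin: str, max_failed: int = 10):
        self._device_secret = secrets.token_bytes(32)
        self._kcv = key_check_value(derive_key(pin, SALT, self._device_secret))
        self.max_failed = max_failed
        self.failed = 0
        self.wiped = False

    def try_unlock(self, pin: str) -> str:
        if self.wiped:
            return "wiped"          # key material is gone; recovering the device does not help
        candidate = key_check_value(derive_key(pin, SALT, self._device_secret))
        if hmac.compare_digest(candidate, self._kcv):
            self.failed = 0
            return "unlocked"
        self.failed += 1
        if self.failed >= self.max_failed:
            self._device_secret = b""   # wipe equivalent: discard the device-bound secret
            self.wiped = True
            return "wiped"
        return f"locked ({self.max_failed - self.failed} attempts left)"


if __name__ == "__main__":
    print("PIN-only container:", attack_pin_only_container())
    print("device-bound container:", attack_device_bound_container())
    guard = LockoutGuard(TRUE_PIN, max_failed=3)
    for guess in ("0000", "1111", "2222", TRUE_PIN):
        print(guess, "->", guard.try_unlock(guess))
```

The first attack succeeds at guess 2,581 no matter how expensive the KDF is, because a 4-digit space is tiny; the second exhausts all 10,000 guesses without a hit. Real platforms get the same effect by keeping the secret in a secure element and enforcing the attempt limit there, which is what the MDM passcode and encryption settings above are actually switching on.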
Cater it to the organization
As different healthcare organizations would likely benefit from different types of mobile devices, it only makes sense that not all BYOD policies would work for every facility. It is essential that administrators take the time to conduct research and figure out what systems or technologies will benefit daily workflow, while also adhering to federal regulations and keeping PHI protected.
Moreover, technology will only continue to develop, giving healthcare providers more options for communication and data storage. Organizations must find the best way to protect patient data without alienating users.