There are several things that hospitals can do to mitigate the risks associated with healthcare BYOD strategies.
The bring-your-own-device (BYOD) debate continues to rage in healthcare organizations, as it does across the wider business landscape.
By using this strategy, hospitals and employees are able to use the latest technology with limited expense and a short learning curve, because healthcare staff already know how to use their personal devices. However, it can also open the door to security problems, including data breaches or leaks caused by careless handling of devices outside the office.
For example, if a doctor or nurse has an application on a personal smartphone for accessing patients' electronic health records (EHR) and accidentally leaves the phone at a restaurant after a night out with friends, whoever picks it up could potentially access all of that patient information. Trouble can also arise if, while using the smartphone for personal tasks, an employee unknowingly downloads a virus or other malware, which could then affect work applications or spread to the hospital network.
While there are clearly risks to a BYOD approach, many hospitals and healthcare facilities are embracing it. To do so successfully, however, healthcare organizations need to make sure they are taking precautions.
Tara Cho, an attorney at Poyner Spruill, recently penned an article that looked at the compliance risk that is associated with BYOD in the healthcare field.
“There is no quick and easy remedy to completely eliminate all risks associated with the use of mobile phones, particularly employee-owned devices,” Cho wrote. “However, there are steps that can be taken to minimize those risks while allowing the use of mobile technology to provide enhanced and continuous care to patients.”
Cho went on to lay out four specific areas that healthcare facilities need to focus on. These include:
Permissible uses - A specific and straightforward set of rules for what users are and are not allowed to do. Employees need to know whether they may transfer information, access patient data and communicate with patients through their devices.
Security controls - Much like permissible uses, there needs to be a straightforward list of security controls. This includes guidelines for passwords, up-to-date malware protection, encryption, authentication and more. Employees need to know which security features are mandatory before they may use their own mobile devices for work.
Training and sanctions - Employees need to be on the same page, and required training is a good way to ensure that. Assuming that all staff members already understand the security risks can lead to trouble. Training is also the time to spell out clear sanctions for failing to follow the guidelines.
HR policies - The policies and procedures in place for BYOD need to adhere to employment law considerations, especially when it comes to removing data from a device after an employee leaves.