Is Your Healthcare BYOD Policy a Risk to Your Organization?


BYOD policy trends in healthcare are taking off, but establishing best practices must be a priority to avoid the risks that come with flexibility.

With researchers predicting that cybercrime will grow in 2016, you might expect healthcare organizations to start ditching BYOD (bring your own device) policies faster than last year’s business jargon, but you’d be wrong.

The BYOD policy question is one that healthcare leaders in particular can’t afford to ignore. As healthcare moves out of fee-for-service reimbursement models and into an era of value-based care, more organizations will begin to focus on employee productivity, one of the key benefits robust BYOD policies have to offer.

This paradox leaves healthcare decision-makers in the challenging position of needing to find a balance between flexible device policies and practices that keep their patient information safe. This article will not only cover the most recent trends in BYOD practices, but also serve as an introduction to the process of creating effective BYOD policy standards for your organization.

What BYOD Trends Mean For Health Care

Even in healthcare, BYOD has become the norm, so as 2016 unfolds, you can expect to see more mature adaptations of the concept across the industry.

One of the most important is the shift from BYOD being a privilege to it being a requirement. Gartner has predicted that by the end of this year, half of employers globally will make BYOD mandatory. That is in part because of cost savings, but it’s also to accommodate a modern work environment that heavily relies on disparate teams. With the advent of telehealth and team-based care delivery models, the flexibility required of today’s clinicians is a great reason to get them using their own devices (smartphones, tablets, laptops and wearables) in all areas of their work.

Additionally, healthcare is headed into an era of cloud computing and the Internet of Things (or Internet of Medical Things). This means that mobility and quick access to the amazing amount of data healthcare organizations produce will be key drivers of IT policy decisions. Since BYOD means more flexibility, it will be the natural choice for many in the industry.

The Biggest Question: Security

As usual, more flexibility means shakier security, which is why security should be a primary focus for any healthcare organization looking to implement a BYOD policy in responsible ways.

Make no mistake, even with all the advances that healthcare has seen in security, data breaches still leave patients vulnerable to identity theft, personal harm and damaged reputations if their protected health information is leaked. Organizations also stand to lose in the form of fines under the Health Insurance Portability and Accountability Act and state penalties, as well as monetary damages that result from a loss of trust from both patients and partner organizations within their care communities.

Healthcare IT departments face a spectrum of challenges that range from something as simple as a lost laptop to a full-on attack from cybercriminals. In between, they’ll face problems such as jailbreaking of devices by employees, software security update issues (again, an employee issue), adware and spyware, as well as the tricky question of cloud-based storage services like Dropbox or Google Drive.

Establishing BYOD Best Practices

To address these issues, healthcare IT departments will need to begin initiatives that involve all levels of their organizations in creating BYOD policies that keep information secure, but also mesh with the work and flexibility needs of employees.

BYOD best practices should start with your employees. They not only need to understand the risks of BYOD and the part they play in the system, but they also need to be properly trained on device use and security practices.

Next, organizations will want to ensure that they are enabling tech solutions that people will actually use. For example, if an email solution is too cumbersome, employees might default to their simpler, less-secure accounts (which are now easily accessible since they’re on their personal devices). Effective best practices will be designed to prevent this.

Additionally, IT leaders need to take mobile encryption seriously. Encryption is particularly important in keeping devices secure after they’re lost or stolen. Thankfully, there is a new generation of encryption technology (hardware security modules and “encryption at rest”) that doesn’t slow productivity the way earlier generations did.

Ultimately, according to Stoddard Manikin, MBA, CISM, CISSP, director of information systems security at Children’s Healthcare of Atlanta, strong BYOD best practices come down to answering simple questions. “[Organizations] need to decide, ‘What are we going to allow? What aren’t we going to allow?’… You need to start from there and then evolve.”

Megan Williams

Megan is a B2B healthcare writer with 10 years' experience in hospital consulting, over a decade's work in online content creation, and an MBA.