I’m sure most of you know about BYOB, but do you know about BYOD (Bring Your Own Device). This is the term used when a company chooses to forgo issuing company-owned mobile computing devices (think smartphones and tablets), and encourages its employees to use their own personal mobile devices for business purposes. And in the healthcare context, BYOD has important implications.
For better or for worse, many companies have opted to institute a BYOD policy for a number of reasons. Here are just a few rationales for BYOD:
- Employees likely already have a smartphone or tablet or both.
- Allowing employees to use their own devices provides flexibility.
- Companies can save money by not having to buy and troubleshoot mobile devices.
- BYOD facilitates participation in the mHealth and telehealth movements.
Even the market trends illustrate that BYOD is here to stay as market adoption of smartphones is projected to increase to 68% by 2016, up from 12% in 2008. Importantly, there is also rapid adoption of personal mobile devices by physicians.
However, BYOD in the healthcare context can significantly increase risks related to protecting patient information, among other problems (e.g. malware and risks to patient safety).
I have heard countless anecdotes from healthcare companies that involve breaches of health information stored on smartphones that lack passwords, unsecured SMS texting of health information by providers, and even photos being taken of patients which are promptly shared through social media websites. These activities are shocking and can result in multiple violations of Federal (HIPAA / HITECH) and state privacy and security laws.
Even the U.S. Department of Health and Human Services, Office of Civil Rights and Office of the National Coordinator have taken notice of these issues and held a panel last April to address how to safeguard health information on mobile devices.
To avoid the liabilities arising from non-compliance with applicable privacy and security laws and regulations, healthcare entities should be proactive to implement some controls around the various devices floating around their organizations.
So what are some specific steps healthcare entities can take to address privacy and security risk in a BYOD environment?
- Survey the workforce to get insight into the use of personal mobile devices.
- Adopt a mobile device policy and implement related procedures.
- Periodically train employees on appropriate use of personal mobile devices.
- Require strong passwords.
- Encrypt personal mobile devices.
- Require enabling inactivity time out functions.
- Implement role-based access controls.
- Consider installing GPS location and remote-wipe capabilities.
- Turn off cloud backup capabilities.
- Sanction employees that violate the company policy.
- Conduct a risk analysis . . . AND MITIGATE THOSE RISKS!
Opting for BYOD does not necessarily translate to a total lack of control over your environment. Rather, healthcare entities should leverage enterprise support provided by personal mobile device manufacturers to determine the optimal mix of safeguards to employ to manage risks to patient privacy. Nonetheless, keep in mind that companies marketing personal mobile devices are more focused on end-user consumer needs/desires which can sometimes run counter to business needs.
Therefore, the success of BYOD hinges on a healthcare entity’s ability to assess risks in a BYOD environment, develop strategies to manage those risks, and employ reasonable tactics to carry out the risk management strategy.
- Member of the Firm