Question

Describe the technical approaches that healthcare organizations can use to support and manage the BYOD trend and explain how these can help them remain compliant with HIPAA security/privacy requirements.

Answer 1

1. Clarify BYOD Policies in Writing

It’s crucial to create a clear statement of your organization’s BYOD policy and share it with all team members. Neglecting to do so will create confusion among employees and could lead them to assume that it’s OK to use any device in a work-related scenario.

Your BYOD policy should answer the following questions:

• Who may use personal devices, and for what purposes?
• What types of data may be accessed from personal devices, and what types of data are explicitly prohibited for BYOD use?
• What types of data may be stored on personal devices?
• What network or networks may employees use to connect personal devices?
• Who is responsible for the secure management of personal devices? What authority does the IT team have to inspect and alter their configuration?
• Where should users turn with questions about the BYOD policy?

3 out of 5 Physicians who use personal devices for work when BYOD is not allowed

Source: Spok, “10 Facts About BYOD,” June 2018

Answering these questions clearly and authoritatively creates an environment where everyone understands what is (and isn’t) permitted. Even if an organization decides to prohibit BYOD, that stance should be communicated.

2. Configure Device Encryption

All modern mobile devices offer some form of device encryption. This technology is crucial to protecting the security of data stored on the device by rendering it unreadable to anyone who lacks the necessary password.

Implementing encryption on all mobile devices means that someone who comes into possession of a lost or stolen device can’t access its stored data, protecting sensitive information from prying eyes.

BYOD policies should mandate the use of device encryption on all personally owned devices and provide IT teams with the authorization to verify that encryption is in place on a regular basis.

3. Centralize Management of Mobile Devices

Most organizations already use a mobile device management (MDM) solution to control the configuration of corporate-owned devices.

It’s crucial to create a clear statement of your organization’s BYOD policy and share it with all team members.

4. Consider Containerization Approaches

Containerization technology, which creates a secure enclave for information, offers a different approach to mobile device security.

Put into practice, this looks like just another smartphone app. Instead of allowing users to interact directly with patient information on their devices, this approach enables them to access patient information securely using only the features of that containerized app. No data may spread to other features of the smartphone.

5. Create a Culture of Reporting

Healthcare IT teams implement a variety of controls to reduce the likelihood of security events, but the reality is that they do occur. Users may respond to phishing attacks, and practitioners could lose mobile devices and other media.

When an incident happens, responders must work quickly to contain the damage. The faster they can get to work, the more likely it is that they will be able to resolve the problem.