Posted by: Jenny Laurello
Bring your own device, BYOD, Data security, HIPAA, mHealth devices, mobile health, PHI
Guest post by: Edson Monteiro, President, Sentinel Digital Systems
The market for smartphones and tablets are rising at an unprecedented rate, and with that increase the amount of employees accessing sensitive corporate information from their home computers, smartphones and laptops increase as well. We’re currently seeing a shift in corporate attitudes toward personal devices in the work environment. Many companies now embrace these technologies, when just a few years ago they did not allow non-standard unmanaged devices. According to a survey performed by security company Sophos, as much as 49% of employees said that their company allows them to use their personal devices for work. In the health care field, more than 81% of physicians use a smartphone, which is a 9% increase from 2010 according to Manhattan Research.
How HIPAA applies to BYOD
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 authorizes and mandates a broad set of regulations requiring Healthcare Organizations (HCOs) to address privacy and security concerns related to health care data. In order to meet HIPAA compliance with BYOD, health care providers are asked to:
- Protect their private data and ePHI on personal-liable (BYOD) mobile devices;
- Encrypt all corporate email, data and documents in transit and at rest on all devices ;
- Remotely configure and manage device policies;
- Apply dynamic policy controls that restrict access to certain data or applications;
- Enforce strict access controls and data rights on individual apps and services;
- Continuously monitor device integrity to ensure PHI transmission;
- Protect against malicious applications, malware and cyber threats;
- Centrally manage policies and configurations across all devices;
- Generate comprehensive compliance reporting across all mobile devices and infrastructure.
Being able to use your own device at work tends to increase employee happiness. The idea is: BYOD will save money because the employees will be using their own devices and thus take better care of them since they are financially responsible for them.
Physicians enjoy the expanded care continuum for which mobile devices allow –using their smartphones to communicate with each other via text messages or webmail — because it’s quick and easy. The greatest benefit, however, is that it’s portable thus allowing access to data from virtually anywhere that has an Internet connection.
Cons of BYOD
Unfortunately, the increased use of mobile devices in the health care industry puts patient data at risk. Allowing personal devices into an organization’s network opens up a door for increased risk of data loss. Users fail to use basic security practices such as strong passwords.
Meeting regulations poses another challenge as well. Although BYOD might provide immediate savings, it could cost much more in the long run. Most physicians have programs that will encrypt their messages, but due to lack of technical knowledge and unease, they often opt out of using such applications, putting themselves in direct violation of HIPAA rules.
Besides the user flaws in security, there are also mobile malware and Operating System security flaws that must be addressed. The greatest drawback of BYOD stems from its greatest benefit: portability. Being that mobile devices are easy to move and travel with, they are also easy to lose and be stolen. The number one cause for data breaches is theft of devices, according to the US. Dept of Health & Human Services.
Meeting HIPAA compliance with BYOD
In order to meet compliance there are several things that must be done, and continuously implemented.
- Educate employees and other physicians on the risks associated with BYOD;
- Provide training on use of encryption application;
- Conduct a comprehensive risk analysis;
- Create and enforce BYOD security policy;
- Use Mobile Device Management (MDM).
MDM software allows organizations to protect data on any device in any location. Some of its features include remote wipe of data on lost or stolen device, encrypt email and data on devices, manage policies and configurations that block access to sensitive data and block devices from downloading applications that do not meet policy requirements.
Different software offers different features including back up and A/V. Yet when searching for a MDM software solution it is recommended you do research first. Additionally, choose a solution that fits your individual business needs that supports multiple mobile platform operating systems. Different employees prefer different brands, thus your software must be able to handle them all.
Is it a thorn or is it thriving?
I was once told that a machine is only as useful as the person operating it. The same is valid for technologies that are meant to protect the mobile devices. While many breaches occur due to lack of basic security practices, lost and stolen devices also present one of the most prevalent threats to the security of PHI. Strong passwords, data encryption, security patching and continuous user education can help prevent most data losses.
I believe that through proper policies on BYOD, personnel responsibility and technical safeguards, the trend of BYOD is at a time to thrive. However, if employees or physicians fail to follow the policies set, BYOD will be a costly thorn in their side, facing HIPAA violation consequences.