The bring-your-own-device movement can't be stopped, but for HIPAA-minded health care CIOs who must secure their networks against data breaches, personal devices must be contained via a BYOD policy.
In SearchHealthIT's virtual trade show presentation "BYOD for Healthcare: The Good, the Bad and the Ugly," John Halamka, M.D., CIO at Beth Israel Deaconess Medical Center (BIDMC), shared some of his experiences implementing BYOD policies for the hospital. He also offered some tips for attendees in the process of crafting or refining their BYOD policy.
More BYOD analysis
What steps must be taken to integrate mobile health devices within an organization? Join the Health IT Exchange discussion.
Ten iPad EHR security strategies for HIPAA compliance
"My experience overseeing 3,000 physicians and 12,000 employees is that BYOD is here to stay," said Halamka, adding that while it's a tough and potentially expensive row to hoe security-wise, employee-owned smartphones, tablets and notebooks can contribute positively to productivity, quality and safety in health care.
BYOD security issues are so vexing because it's not just a problem, it's a paradox. "I see that not only do people have one device, but they have two and maybe in the near future, three or more," Halamka said. "CIOs have limited authority but infinite accountability."
There is no one-size-fits-all approach or technology control for securing all mobile devices on their various operating systems (such as Android, iOS, and the various flavors of Linux and Windows), Halamka said. Furthermore, it's difficult to manage an employee user base whose technology savvy varies. Compliance on each individual device is a moving target: Employees are constantly upgrading their devices and operating systems.
CIOs have limited authority but infinite accountability.
But based on what has worked so far at Beth Israel in its constantly evolving efforts to secure mobile devices, Halamka offered the following ideas that health care providers shaping their own BYOD policy should consider:
- Plan first for mobile device malware, specifically those employing screen-scraping and keylogging, especially on laptops that employees use both at home and work. The problem is that policy isn't enough, yet state-of-the-art mobile device management software can cost $50 to $100 per device, an untenable budget number for many health systems. Mixing a little policy with a little control is how to start, and hoping the combination -- policy compliance by employees coupled with technology controls -- will prevent breaches.
- Start with a policy requiring "nontrivial password" protection of access to patient data. Add time-out periods that require the password to be re-entered. At Beth Israel there's a third policy prong that isn't popular among employees who store personal data, such as family pictures, on their devices, but they do it anyway: After 10 incorrect password attempts on a device credentialed for the network, its content is remotely wiped. That means employees should keep devices they use for work away from small children who innocently click around touchscreens or laptop keyboards.
- Always encrypt protected data. Don't be lulled into thinking this is foolproof on smartphones and the only protection needed, either, Halamka said. Know how native encryption works for the devices your policy will support. Encryption keys for the iPhone, for example, reside on the device itself, making it akin to locking your house but "hiding the key under the doormat," he said. But it's effective enough that BIDMC's policy includes a six-month password change coupled with an encryption attestation requirement so the hospital knows employees are complying with this piece of policy. Attestation happens at what he calls "encryption depots," where employees give their personal devices to IT staffers, who check them to make sure that encryption's enabled.
- Disable unneeded device services and wireless interfaces (for example, Wi-Fi and Bluetooth) when they're not in use.
- Monitor and keep antivirus software updated on all devices -- even though, Halamka acknowledged, it isn't as effective as it used to be, considering new computer viruses that self-mutate and stay ahead of some antivirus software.
- Don't downplay the importance of physical controls in your policy, such as requiring that employees keep laptops under lock and key when they're unattended, both at home and at the office. Employees also should keep phones on their person or locked, and computers in trunks, not in passenger compartments when their car is unattended, and so forth.
- Have a theft-reporting procedure in place so stolen devices can be tracked, wiped or otherwise dealt with as quickly as possible.
- Don't forget device disposal rules that seal off the network from predators sifting through the trash.
"Disposing of a device appropriately is important," Halamka said, "because the last thing that you want is a device with personal or patient-identifiable data ending up in a landfill where somebody retrieves it and a privacy breach occurs. We've all heard about issues of devices, hard drives, backup tapes and other things ending up in landfills, and patient privacy being threatened."
This was first published in October 2012