Perhaps no trend is more disturbing to IT managers and network administrators than bring your own device. The concept
of end users bringing personal devices into the office and using them to connect to various network resources would have been unthinkable just a few short years ago. Today, however, BYOD policies have become the norm, and users routinely access corporate data from personal devices inside and outside the office.
Any user who wants to access sensitive data from a personal device will have to consent to various security policies being imposed on it.
Healthcare organizations have had an especially difficult time coping with the bring your own device (BYOD) trend. Because of mandates under the Health Insurance Portability and Accountability Act (HIPAA), the industry is heavily regulated with regard to the ways information systems must be secured and maintained. The concept of allowing end-user-owned devices to connect to network resources containing sensitive data at first seems to be a direct contradiction to numerous HIPAA requirements. Even so, some healthcare organizations are actively embracing BYOD policies.
Things to consider before BYOD policies are established
When it comes to allowing the use of end-user devices in a healthcare organization, there are a number of considerations that must be taken into account and some questions that must be asked. Among them are these:
- Which users will be allowed to use their personal devices?
- Which resources will be accessible from those devices?
- How can the organization ensure that data and network resources remain secure?
- How will BYOD impact HIPAA compliance?
- What special policies need to be put in place before employee-owned devices can be used?
- How will end-user devices be supported?
- Will allowing employees to use their own devices do anything to increase operating costs?
The answers to these and other questions will vary from one healthcare organization to another. In addition, those answers will largely depend on the nature of your organization, and what your plans are for BYOD. Even so, there are a few things that you should be thinking about.
The first thing you should consider is that although HIPAA places numerous requirements on the way data must be handled, those requirements apply only to systems that contain or are used to access electronic protected health data. That being the case, you probably won't have to worry about HIPAA compliance if you have users who want to use their personal devices only to access email or other resources that are not specifically related to patient healthcare data. Depending on the nature of your organization, however, there probably will be some employees who want to use personal devices to access protected electronic health data. For example, doctors might like the convenience of being able to access patient records from a tablet. Needless to say, this type of access does pose a challenge with regard to maintaining HIPAA compliance. However, there are a few different things you could do that will keep both end users and the government happy.
One option is to provide specific users with company-owned devices. For example, if you have certain doctors who want to be able to access patient health data from a tablet, you might be able to provide those doctors with an organization-issued tablet that has been preconfigured with all the necessary security settings. Of course, this isn't exactly BYOD. Another option is to allow access to electronic protected health data only from the organization's wireless network. That way, doctors can use tablets on-premises to access patient health data, but you won't have to deal with the legal complexity of remote access.
Data security begins with server configurations
Regardless of who is allowed to access electronic protected health data, and from where, it's a good idea to configure such devices to run healthcare-related applications but not to store data. Data should always be centrally stored, either in the cloud or on the organization's servers. That way, if someone loses a mobile device, data isn't compromised.
Just because a mobile device doesn't contain any actual data doesn't mean you can get away with skimping on security, however. HIPAA very clearly states that most of its security requirements apply both to devices that contain electronic protected health data and to the devices that are used to access that data. That being the case, any user who wants to access sensitive data from a personal device will have to consent to various security policies being imposed on it. An example of such a policy is to protect a device with a strong password that will prevent someone from stealing it, turning it on and using an installed application to access patient health data that is stored elsewhere. Likewise, the device's storage should be encrypted to prevent the risk of cached data being exposed.
Allowing end users to connect to network resources using their own personal devices is a concept that should never be taken lightly. In a healthcare environment, however, administrators must be exceptionally diligent to ensure that HIPAA mandates are not violated when employees use their own devices.
About the author:
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals, and once was in charge of IT security for Fort Knox. Write to him at firstname.lastname@example.org or contact @SearchHealthITon Twitter.