Healthcare BYOD policy includes MAM, identity management

Allowing employees to use their own devices for business purposes offers flexibility and convenience, but hospitals must take appropriate measures to secure health data.

Mobile devices are no longer just consumer products; employees now use them for day-to-day work activities. In healthcare, this brings convenient access to hospital data related to patients and to other line-of-business applications. The widespread use of smartphones and other mobile devices has raised security concerns and risks -- especially for organizations that have a BYOD policy.

Since allowing users to bring their own mobile devices offers convenience to end users and IT, it is fair to say that it is becoming a popular trend in many organizations. BYOD offers flexibility to end users by eliminating the need to have multiple devices. It also allows IT to offload the management of phone plans, devices and day-to-day requests surrounding the devices since each user will rely on their personal mobile phone service provider. Despite the advantages of BYOD, IT must ensure that the data these devices access is protected. As a result, many hospitals are taking the appropriate steps to ensure that they have a healthcare BYOD policy in place.

Preventing attacks through end-user education

While many of the recent attacks targeting healthcare have been directed at computers and servers as a means to infiltrate the network, mobile devices remain just as vulnerable. Hackers can infect a mobile device and steal passwords to gain access to sensitive data. One of the best ways to prevent these attacks is to educate end users about the appropriate preventative measures to avoid malware, viruses and ransomware. To achieve that, IT departments have been actively training their end users on what to look for in email messages, apps and websites in order to stay protected.

Protecting data through mobile application management

There are many popular tools available in the marketplace that assist IT in locking down mobile devices. These mobile device management tools ensure that each managed device adheres to specific policies around encryption, passcodes and network access. With a BYOD policy in place, taking control of the device may not be a desirable option for the owners of the devices. IT would also still be responsible for managing and protecting the data that is being accessed from the device. As a result, new tools have been introduced to help IT manage and place controls on the applications being used to connect to their healthcare data and ensure its protection. These tools are part of mobile application management (MAM) platforms that can containerize sensitive information and shield it from the rest of the apps on the mobile device.

Requiring a basic security policy

For organizations implementing BYOD in their environments, imposing a set of minimum requirements on the mobile devices their end users bring is still advisable. The healthcare BYOD policy that end users agree to should include terms that impose basic, commonsense safeguards to help protect their devices and data. Examples include using passcodes, not jailbreaking or rooting the device, and installing antivirus software on the mobile device.

Managing access controls and monitoring identity

One of the risks associated with healthcare BYOD is the potential for data breaches and credential theft. To mitigate those risks, it is highly recommended for IT to put checks and balances in place to look for abnormal login attempts from unknown sources or risky IP addresses. It is also best practice to restrict access to must-have data and control what mobile users can see to prevent a larger data breach if their device is compromised. Many identity management tools provide early detection capabilities to proactively avoid serious security incidents.

Implementing conditional access for further protections

Access control rules can also help IT manage who can access data and from where. As part of many identity management tools and MAM, IT can set specific rules that restrict access to apps and data to certain locations or only from within their facilities. This practice ensures that only the mobile devices that are connected to approved networks can gain access to the hospital data.
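The minimum device requirements, identity monitoring and conditional access rules described above can be combined into a single access decision. The following is an added example, not code from the article or from any MAM or identity management product; the network ranges, roles, scopes, threshold and sign-in events are all constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed policy values (assumptions, not from any real deployment).
APPROVED_NETWORKS = [ip_network("10.20.0.0/16")]     # hospital facility Wi-Fi
RISKY_NETWORKS = [ip_network("203.0.113.0/24")]      # placeholder threat-feed range
MAX_FAILED_LOGINS = 3
# Must-have data only: scopes each role may open from a personal device.
MOBILE_SCOPES = {"nurse": {"schedule", "vitals"}, "billing": {"invoices"}}


def in_any(ip, networks):
    addr = ip_address(ip)
    return any(addr in net for net in networks)


def evaluate(req, failed_logins):
    """Return (decision, reasons) for one sign-in request."""
    reasons = []
    dev = req["device"]
    # Minimum device requirements from the BYOD agreement.
    if not dev["passcode"]:
        reasons.append("no passcode")
    if dev["jailbroken"]:
        reasons.append("jailbroken or rooted")
    if not dev["antivirus"]:
        reasons.append("no antivirus")
    # Identity monitoring: risky source address or repeated failures.
    if in_any(req["ip"], RISKY_NETWORKS):
        reasons.append("risky source IP")
    if failed_logins.get(req["user"], 0) >= MAX_FAILED_LOGINS:
        reasons.append("abnormal login attempts")
    # Conditional access: only approved networks reach hospital data.
    if not in_any(req["ip"], APPROVED_NETWORKS):
        reasons.append("outside approved network")
    # Least privilege: role may only open its must-have scopes.
    if req["scope"] not in MOBILE_SCOPES.get(req["role"], set()):
        reasons.append("scope not permitted for role")
    return ("deny" if reasons else "allow"), reasons


OK_DEVICE = {"passcode": True, "jailbroken": False, "antivirus": True}
ROOTED = {"passcode": True, "jailbroken": True, "antivirus": True}
SAMPLE_REQUESTS = [  # constructed sign-in events
    {"user": "a.lee", "role": "nurse", "ip": "10.20.5.7", "device": OK_DEVICE, "scope": "vitals"},
    {"user": "a.lee", "role": "nurse", "ip": "203.0.113.9", "device": OK_DEVICE, "scope": "vitals"},
    {"user": "b.kim", "role": "billing", "ip": "10.20.8.1", "device": ROOTED, "scope": "vitals"},
    {"user": "c.roy", "role": "nurse", "ip": "10.20.9.4", "device": OK_DEVICE, "scope": "schedule"},
]
FAILED_LOGINS = {"c.roy": 4}  # constructed counter of recent failed attempts

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r["user"], r["ip"], *evaluate(r, FAILED_LOGINS))
```

Returning every failed check, rather than stopping at the first, gives the help desk and the audit log the full reason a sign-in was denied.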

Controlling apps remotely

One aspect of managing and controlling healthcare BYOD is how to handle apps and data when the end user is no longer allowed to use an app or if the device is lost or stolen. Since a BYOD device is not itself under IT management, IT's only option is to disable the user's access to the mobile apps or to perform a selective remote wipe of the app. Many MAM tools offer this feature. This ensures that, even if the device falls into the hands of unauthorized users, the data on it is still protected and can be removed as well.

With the highly mobile workforce in healthcare and the demand for constant access to data, it is far more convenient to empower users to bring their own devices. It is also equally challenging to ensure the security and protection of the healthcare data those devices access. The healthcare BYOD practices highlighted above can be a starting point for IT to consider but should always be expanded to meet the specific requirements and unique needs of a healthcare organization.
