Are BYOD Policies in Healthcare a Mistake?

Is the convenience of BYOD worth the security risk?

“BYOD” stands for “Bring Your Own Device,” and its potential implementation is a conversation being had in many workplaces, schools, industries, and hospitals.

In theory, it’s an effective cost-cutting measure: everyone is walking around with an advanced, mobile touchscreen computer in their pocket at all times. Why not leverage that ubiquitous technology, all the while saving the business some money on buying medical tablets for every employee?

While BYOD policies sound great on paper, are they actually effective? Do they do more harm than good?

Personal Devices Are a Hornet’s Nest of HIPAA Violations

The greatest flaw in any BYOD policy is almost always security — how do you ensure that the phone a staff member carries at home, at work, and out to the club is protected? How can you guarantee that the employee is always logging out of work applications, especially if they take work home with them as part of their job? Lines become even blurrier, and confidentiality suffers.

Imagine a doctor or nurse snaps a quick picture of an injury on their cell phone for later reference or sends it to another clinician for a second opinion. Even if the patient consented to this, is the text message software secure? Is the receiving phone or device secure? What happens if either is hacked or stolen?

Are all pictures snapped by the phone automatically backed up to the cloud? Some users may not realize this happens automatically, depending on the phone’s settings. Is the staff member’s Dropbox or iCloud shared with anyone else? How encrypted is it? What other, non-secure device is the cloud service backing up to? A home computer, a bedside iPad, a husband or wife’s laptop?

Of course, this doesn’t just apply to images. Ask yourself all of these questions regarding a text or email about a patient’s condition or personal details to another clinician. Think about what note-taking software is being used on the phone, and where that’s stored. Some staff members may record their thoughts or case reports into a phone recorder app, which may be backed up to the cloud or other, less secure devices.

Does the user even have a password on their phone or tablet? According to the “Consumer Security Risks Survey” from Kaspersky Labs, only half (53%) of mobile users have a security solution installed on their smartphones. And 20% weren’t even aware that mobile malware existed.

Each one of these avenues is a potential HIPAA violation, which can cause an individual or a branch thousands of dollars in fines and potentially more in active lawsuits.

Consider the Liability

Mobile devices get stolen or misplaced all of the time. Unlike dedicated hospital medical tablets, a staff member’s personal cell phone or tablet is going home (or out) with them. And considering that 44% of smartphones were stolen in public places, and 14% from burglarized houses, the odds of losing their phone increase dramatically if they take it from the workplace.

If the device gets dropped or stolen at work, is the hospital liable? If the policy requires that staff bring their personal devices instead of using hospital-provided medical computers and medical tablets, there’s an argument that could be made. An argument that probably would be made, by an attorney.

Before implementing a BYOD policy, make sure employees know what’s required of them and what the liabilities are. Having employees sign documents that codifies this policy — to legally protect the hospital — will be job one.

Can Personal Devices be Managed by IT?

The IT department at a hospital or medical office (or, really, any facility or industry) performs a whole host of important jobs.

They maintain computer hardware and software, set up and manage the network, and ensure that data is protected and secure, just to name a few.

Devices that are officially owned by the hospital can all be managed with IT network software. Hospital or office-owned medical tablets are constantly under the watchful eye of the IT department. The IT team also keeps all device software updated to prevent bugs and known security breaches. They install anti-virus and firewall software on managed devices, and ensure that those programs are working and up to date.

Installing, troubleshooting, and maintaining all of these processes often requires that the tech have hours of access to the medical computer in question. With a BYOD policy, tech access to someone’s personal cell phone is extremely limited, if it’s even allowed.

Sometimes, due to liability concerns, the tech may have little to no access at all. This turns the individual user — a doctor or nurse — into the primary tech for their own device. And, unfortunately, many don’t have the time or aren’t up to the challenge.

This neglect or misunderstanding can lead to software patches not being installed and lax anti-virus maintenance, which can open up huge security holes for any device or network.

A SecureEdge Networks report indicated that as it stands, 80% of all BYOD devices are completely unmanaged by the IT team. Compare that to the standard practice of managing all medical tablets and computers in a facility, and the vast security gulf becomes more clear.

BYOD Policies Lack Standardization

Even with the proper policies in place, and a secure environment for users to log into confidentially, there comes the most frustrating feature of BYOD policies: lack of standardization.

The medical tablets and other medical touch screens purchased by the hospital typically come from the same vendor, and are running the same operating system and even use the same parts. This standardization allows IT to choose software and hardware peripherals that work with any device in the hospital.

With hundreds of unique personal devices, things get dicey.

While staff members may enjoy the familiarity of their own devices, that doesn’t mean productivity is necessarily increased across the board. When staff members have devices from a dozen different manufacturers, with different operating systems (on different versions, with different patches), trying to make software and communication work is no easy task.

Hospital apps, messaging services, and secure hospital data vaults have to be compatible with Android, iOS, Windows, and manufacturer-specific tablet OSes. Frequently used website portals must be compatible with Chrome, Safari, and half a dozen other mobile browsers.

And, most importantly, if there is a conflict, the IT department is responsible for maintaining access across dozens of different platforms and browsers. Assuming the policy even allows IT to maintain the BYOD devices, that puts a huge strain on the tech team.

To BYOD or Not to BYOD

According to an extensive study by the Ponemon Institute released in 2016, data breaches are a constant problem for almost every hospital.

In their study, they found that “nearly 90% of healthcare organizations…had a data breach in the past two years.” They then went on to report that “45% had more than five data breaches in the same time period.” Considering that the average cost of a data breach is somewhere upwards of $2 million dollars, the math speaks for itself.

BYOD policies are not without their benefits — they’re excellent short-term solutions, especially for facilities that don’t have the budget for as many dedicated medical tablets or computers as they need. BYOD has been known to boost morale, and when implemented properly can increase communication.

However, most of the studies that found this data looked at standard businesses who don’t have to worry about the stringent confidentiality and security requirements of HIPAA.

Still, with HIPAA violations costing companies like Anthem over $16 million, healthcare can ill afford to play it fast and loose with potential security breaches.

Contact Cybernet today to learn more about creating a secure network of purpose-built medical tablets and medical computers in your facility.