Opinion: Is your clinic prepared for BYOD?
In a professional sector where security is essential, bring your own device (BYOD) is surprisingly common in healthcare, with staff members using their own portable devices (whether tablet, smartphone or laptop) to perform work-related tasks.
With hardly a week going by without a news story involving a high-profile data breach where customers’ personal and financial information is compromised, this can be an even more worrying scenario for healthcare professionals, given the importance and sensitivity of electronic health records and related billing information.
In general, BYOD adoption is driven by medical professionals seeking to improve efficiency and not by IT professionals who recognise the risks involved if BYOD is not introduced in a way that secures data. Medical professionals, quite rightly, focus on patient care and leave security concerns to their administrators and IT teams.
In traditional companies, BYOD introduction is formally launched by an executive team that consists of legal, HR and other involved departments. An HR policy is drawn up that employees must agree to before being allowed to use their device on company networks.
In effect, the employee is granting the company access to their personal device, to install partitioning software (which segregates personal data from business information) and other apps that allow remote wiping of data if the device is lost, stolen or if the owner leaves the organisation.
If remote wiping is necessary, personal data is sometimes lost, hence the necessity of an HR policy.
For healthcare facility owners, practical steps for safe BYOD implementation should include:
- Create a BYOD policy that involves all department heads
- Generate a list of approved devices and users
- Create a back-up and disaster recovery process for each device and verify that it works
- Install partitioning software on each device to separate personal and business data
- Install the latest patches and security updates: IT should have remote access to the device, including the capability to wipe it remotely if it is lost or stolen. Regular maintenance is also necessary
- Install software that protects against viruses, malware and other security threats
- Ensure that all devices are password-protected
- Provide security training to staff members, highlighting the main avenues of attack used by hackers
- Ensure that all devices are adequately insured
- If devices are replaced, securely remove data. Remember that this applies only to business data, as staff may have family photos and other personal data on the device
BYOD costs can vary, with some companies supplying the devices to staff members and others happy to allow staff members to use their own. In addition, some offer a shared-ownership arrangement where costs are split.
Regardless of the payment method, most businesses will insist on approved manufacturers or platforms – some are more comfortable supporting Android devices while others prefer Apple devices.
Therefore, staff members need to:
- Remember that only approved devices are suitable for business use
- Carefully read the BYOD policy, as it will outline terms for the business and device owner. If the terms seem unsuitable (remote wiping, for example), do not use your device for business
- Be aware that by using your own device, you are giving administrator control to a third party
- Report loss, theft or replacement of device so that IT can remove data from it
- Refrain from deleting business data, just in case it is required in the future. In a world where e-disclosure is increasingly common, this is the safest approach
- Use secure connections when accessing data – avoid free Wi-Fi hotspots to reduce the risk of a data breach
In addition, there are legal concerns. In the event of a court order requiring e-disclosure (known as e-discovery in the US), an employee is compelled to surrender their personal device for forensic examination and extraction of required company data.
While e-disclosure is relatively new in Australia, it is worth noting that US employees who have destroyed company data have paid substantial damages, as fines were levied against both the company and the employee involved, even though the device was personal property.
The same logical approach to BYOD introduction is advised for healthcare, in addition to compliance with local legislation. It is best if data does not reside on the device but is instead held in the cloud or on a secure local server, for example. Access levels are determined by role, with senior-level staff having corresponding access permissions.
A casual approach to BYOD is a recipe for disaster, and clinics should investigate their options, hiring outsourced specialists where necessary to recommend the best approach for their clinic. Compliance tools, security software, document management strategies and disaster recovery tools should be identified in advance.
Perhaps the single most important aspect of BYOD is the creation of a comprehensive yet adaptable policy that meets the requirements of the business and also of staff members. Information that is unwittingly leaked by a staff member, for example, will see patients moving to other clinics, ones that value their health records and protect them diligently.
Rob Khamas is an eHealth solutions strategist with REND Tech Associates.
Posted in Australian eHealth