How to create a BYOD program that addresses healthcare industry needs
Just as with every other industry where mobile devices start making an appearance, people want to stick with their own devices. It’s no different in healthcare. A 2015 Healthcare Information and Management Systems Society (HIMSS) study estimated that at least 85 percent of US healthcare professionals use their own devices at work. More recent HIMSS research found that 69 percent of hospitals provide a mobile-optimized patient portal and 37 percent use health technologies for remote patient monitoring.
Of course, where there’s BYOD, a hospital or practice also needs a BYOD program to manage compatibility and compliance issues and address the healthcare industry’s unique security needs.
Best practices for healthcare BYOD programs
Some of the best practices for a healthcare organization’s BYOD program are the same as for any organization, such as enforcing the use of nontrivial passwords with short timeout intervals, requiring password changes on a quarterly basis and focusing on the physical security of devices as much as protecting against online threats.
However, for hospitals and medical professionals, the complicated network of federal and state laws and regulations securing protected health information (PHI) requires a more assertive BYOD program. HIPAA and HITECH Act compliance means providing access to PHI and medical records only to those who need it and are approved to access it. The electronic channels through which PHI is shared must also conform to the security standards set by those laws.
For healthcare entities, this means doing the following:
- Requiring physical checks of devices by IT that verify encryption is enabled and all necessary security apps are functioning
- Implementing application layer firewalls and unified threat management to control access
- Maintaining detailed audit logs of activity by all BYOD devices
Implementing these types of security protocols means people can use their own mobile devices in the medical workplace, but they have to register them with IT staff. Not everyone is going to want to do that. Hospitals can’t force employees to sign over access to their personal mobile devices. However, they can require it if an employee wants to use the device to access secure systems.
Otherwise, the employee should be free to use a work-issued, work-only device and be barred from using a personal device to access the hospital or practice network. This includes email and texting. Another issue healthcare organizations need to think about is managing doctors’ access to hospital systems through their own devices when doctors work at multiple hospitals.
Any healthcare entity that’s going to allow (or encourage) people to bring their own devices has to outline a detailed BYOD program and user agreement. Once it has its business policies and rules set out, it can start to investigate which mobile device management (MDM) technologies suit its needs. While it makes sense to roll out a BYOD program on a small scale to test it out and refine it, the hospital or practice also needs to keep in mind how large it ultimately wants to scale its program when selecting an MDM platform.
Where mobile BYOD devices are used
Healthcare providers can quickly and accurately conduct a range of clinical activities through their mobile devices. This includes ordering tests, assessing results and reviewing electronic medical records in real time.
HealthITSecurity reported that the Joint Commission recently announced it is lifting its ban on clinicians using secure texting to issue orders. This should open the door for more extensive secure texting in the healthcare industry, such as for consults and texting between the patient and provider.
Additionally, BYOD plans have been implemented in more clinical trials. Mobile has been a useful advance in having patients in clinical trials self-report and provide monitoring for electronic patient-reported outcomes (ePRO). Using a BYOD approach, clinical trials will no longer have to bear the expense of providing mobile devices to participants to take advantage of ePRO’s efficiencies and trial adherence gains. According to Outsourcing-Pharma, one clinical trial looked at how people living with Parkinson’s disease could manage their symptoms through an “application that included a mix of surveys and tasks that activated phone sensors to collect and track a patient’s progression.”
The greatest potential impact for BYOD in healthcare is in improving the quality of treatment itself. In addition to allowing quicker access to medical records and reducing costs for clinical trials, point-of-care tools and diagnostic aids, it also provides improved clinical decision-making by healthcare providers and improved health outcomes for patients.
Getting through the hard work of setting up a secure BYOD program may be well worth the effort — a concept medical professionals are quite familiar with.