Creating effective BYOD policies for healthcare organizations

By Jonathan Crowl


Even though it creates a more complex digital environment, healthcare organizations are eager to jump on the BYOD policies trend. According to a survey from Spok, 71 percent of healthcare leaders say that their employers allow some form of BYOD in the workplace.

But in an industry as data-sensitive as healthcare, businesses have serious security considerations to keep in mind. Those organizations are making a big mistake if they don’t have BYOD policies in place to regulate activity and protect against data breaches, compliance issues and other security considerations.

Building a BYOD policy is important for any company, but with the medical industry’s increased compliance and regulatory challenges, such policies are even more essential for healthcare organizations. Here’s a step-by-step guide to creating a BYOD policy that will serve any healthcare workplace well.

Lay out the case for acceptable use

As HealthITSecurity points out, mobile technology has a wide range of uses in the healthcare industry, from internal solutions that support doctors and nurses to external solutions that serve patients or even facilitate communication between healthcare providers and their patients. These solutions can improve the productivity of healthcare workers while serving the patient population.


To ensure proper mobile device management, organizations need to outline acceptable device uses for both business and personal purposes. Companies should also spell out prohibited activities (for example, using social media during work or saving patient data to personal devices) so that employees know exactly what is and is not an allowed use of their devices. This should be the first section in the BYOD policy, providing a general overview of what is allowed and what is off-limits when using personal devices at work.

Define privacy and data ownership expectations

Healthcare organizations must ensure their use of technology does not put them out of compliance with a number of regulatory policies designed to protect patients and patient confidentiality. With that in mind, healthcare organizations should apply all rules regarding patient privacy and sensitive patient data to digital devices and apps just as they would for a traditional medical record.

Users should understand that their data use is not private even on a personally owned device, and that the healthcare organization owns all work-related data stored on those devices. Organizations should have IT and compliance professionals work together to create a policy that keeps BYOD activities in accordance with HIPAA and other healthcare regulations.

Approved devices and device provisioning

Your healthcare organization might choose to limit the devices or operating systems that are allowed as BYOD solutions. If so, you should name these approved devices in the BYOD policy document, then periodically update the list as new devices hit the market.

This section of a BYOD policy should also lay out the requirements of provisioning and preparation that each device must go through before it can be connected to the company network. This configuration might require the installation of certain apps, upgrades to new versions of operating systems, bolstered security features or other changes designed to protect patient data and guard against a security breach.

Security policies for BYOD devices

Every company should create BYOD policies that establish the parameters for security features on mobile devices. This includes required security thresholds for individual apps and data, in addition to device-level security. Policies could mandate password requirements, two-factor authentication, device lock features and remote wipe capabilities in case the device is lost or stolen. IT should choose security features that minimize the vulnerabilities created by the use of a personal device, and these security layers also need to meet the minimum standards laid out by existing healthcare regulations.

Risks and liabilities section

This section of a BYOD policy will require employees to acknowledge some of the inherent risks they face using their own devices. It’s also the part of an organization’s policy where liability concerns will be addressed. For example, the liabilities section can make clear that the organization is not responsible for any costs related to the use of a personal device on company time, and that IT isn’t responsible for any data losses incurred while using the device for work purposes.

The risks and liabilities section should give the company full discretion to disconnect devices at any time and for any reason, and it should reserve the company's right to discipline employees who fail to follow any of the BYOD policies described above. Given the sensitive nature of healthcare networks and the vulnerabilities that misused devices could create, organizations need to give themselves veto power over any laptop, smartphone or tablet to protect the entire network.

Each healthcare organization faces extra compliance hoops to jump through when enacting a BYOD policy, but the benefits are well worth the extra time it takes to build an effective plan that protects both the business and its patient population.