BYOD and HIPAA – the good, the bad, and the ugly
BYOD (Bring Your Own Device) has grown steadily over the past few years, and it is showing no signs of slowing down anytime soon.
Devices are able to perform tasks far beyond calling and texting, with healthcare professionals now having access to patient data such as electronic medical records (EMRs), results, pharmaceutical information and a fast and flexible way of communicating with their colleagues via numerous messaging applications.
A recent survey of senior IT professionals conducted by Wisegate revealed that 32 percent of respondents named data breaches and malware as the top threats and risks to their organization. More than half named not only data breaches and malware, but also insider and outsider threats and BYOD management and security, as the highest risks.
The conundrum of how to maintain an effective and risk-free way of managing BYOD is increasingly becoming a headache for healthcare IT professionals, especially when it comes to HIPAA.
Ensuring HIPAA compliance on devices owned by the organization is one thing, but BYOD opens them up to new risks. Our VP Technology and Compliance Officer, Gene Fry, provides a rundown of the good, the bad, and the ugly side of BYOD.
BYOD provides staff with a flexible way of working as they can do so from anywhere at any time. It streamlines the communications process during an emergency if someone is out of the office.
It could also be argued that BYOD increases productivity: if users are already familiar with their own device, the company saves the time it would otherwise spend teaching them how to use it, which in turn makes them less reliant on IT departments. Employees can also configure their devices to suit the way in which they work. With no restrictions on how the devices are set up, employees are able to use the software and apps that they feel help them perform their job functions most efficiently.
According to a report by Gartner, BYOD can save organizations money when it comes to acquisition costs. However, it's worth bearing in mind that these savings aren't ongoing.
Although there may be savings initially, the question of who pays when a device requires a repair or user support can be problematic. Beyond the costs themselves, deciding who is responsible for providing that support and carrying out repairs is another issue with BYOD.
Privacy is important for the owner of the device, but equally, organizations need to maintain some level of control over the data stored on employee-owned devices, especially when it comes to HIPAA compliance. Accessing devices to conduct audits may be considered intrusive, but ultimately, it is necessary. This may prove to be troublesome for staff who want to keep personal information separate from their work lives, particularly when a number of apps they use have the potential to be used for both.
Device compatibility can also be an issue. Software developed for one platform or Operating System (OS) may experience compatibility problems, or may not be available at all. Software and apps may also malfunction on devices after updates, or if not updated frequently enough.
Staff who work at multiple locations may be subject to different policies. They could be using separate health systems, alternate technologies and different software to communicate with staff or manage ePHI, creating issues when it comes to conducting HIPAA audits. While it is appropriate for a physician to share a patient’s data with a covered entity or business associate that deals with their care, this data is unlikely to warrant being seen by other organizations that have no right or need to see this patient’s information. Segregating this data when auditing a device could be a challenge.
BYOD can reduce productivity too. Users have a myriad of apps at their disposal as well as the ability to browse the web and access social media. With nobody monitoring how they are using their device day-to-day, there is no guarantee that a member of staff isn’t playing Candy Crush and checking Facebook when they should be working!
Monitoring and auditing employee owned devices presents huge challenges. This issue goes way beyond monitoring how employees are using their time spent on what is effectively a personal device.
Not only can users put ePHI at risk by downloading whatever apps they choose, they could visit sites that host malware and other viruses, access the internet over unsecured connections, or hack or jailbreak their devices to access apps and platforms that have not been approved.
Employees who are given free rein to download unapproved apps and software leave organizations open to breaches, probably without the employee even realizing it. The fact that employees may download, disable or delete applications from their device at will makes this problem worse, and can make a breach harder to trace.
Transmitting and storing ePHI on devices that do not meet HIPAA rules is another huge issue. With loss and theft of devices reported as the most common cause of data breaches, an employee who thinks of a device as their own may be less aware of the sensitive information it contains. The device is also likely to go everywhere with them rather than being left in a locked office or drawer at the end of the working day.
The necessity of remote wipe functionality presents further privacy issues. Wiping employees’ own devices remotely can cause a serious ethical dilemma with the risk of harming employees’ privacy.
Employees using weak passwords to protect their device and the data stored within applications leave organizations vulnerable, and the failure to use encryption, even when it is mandatory, is another area of security that is difficult to enforce and control.
BYOD best practice
Developing a robust BYOD policy is crucial before allowing users to access company networks on a personal device. Additionally, organizations should:
- Ensure that staff are fully aware of what apps and software are not permitted on their device
- Check that employees are using a strong password for the device and all applications, and that passwords are changed on a regular basis
- Encrypt devices and have a method of remotely wiping a device should it be lost or stolen
- Perform periodic audits to identify any security issues or apps not approved for use
- Set criteria for levels of access to infrastructure and systems for each employee
- Use multifactor authentication when accessing apps that are used to manage or store sensitive data
- Train employees on cyber-security best practices
- Update security software on BYOD devices