Keep BYOD From Becoming A Liability

By Katie Wike, contributing writer

BYOD policies are great - as long as they don’t interfere with workflows and patient care. Now, HealthIT Security experts give tips for keeping BYOD from becoming a problem.
How can providers balance BYOD policies with patient care and workflow? Jeffrey Wilson, Director of Information Services, Assurance and IT Security at Albany Medical Center, told Health IT Security it’s difficult because of the variables involved.
“As you look at where we’re at in terms of technology, information, information security, and the healthcare landscape in general, the one thing that we can’t engineer for is people,” Wilson said. “There are no controls that we can put in place.”
Fierce Mobile Healthcare reports healthcare organizations must have a proactive approach if BYOD is going to be successful. It’s important to start your BYOD policies early and include employee training as well as device security.
“The privacy and security concerns are that if we’re not quick enough at providing secure ways for people to operate and behave, they’re going to find ways to use the technology to go around our approved methods,” Wilson said.
The fear is that if healthcare organizations don’t provide technologies that people want to readily adopt, they will use methods they prefer. For example, employees may start using personal email accounts to conduct business or share information and files through unsecure channels. “The challenge for us is to find ways to enable all that behavior in a way that they’ll use, but in a way that we know is secure,” Wilson said.
Employee training needs to be specific. For example, employees must understand device use policies as well as data protection protocols. Rules for email, image storage, sharing data and patient insight communication need to be clearly defined.
Encryption is key for mobile devices that can transmit protected health data. “The only way to [address the Security Rule] is use the risk analysis and understand how and where people are using PHI and if they’re using mobile devices,” Daniel Bowden, Chief Information Security Officer for the University of Utah, University of Utah Health System, told Health IT Security. “Those devices need to be encrypted in order to protect the data. The encryption is a critical tool.”
Providers need to make sure their employees are aware of BYOD policies and that these policies cover everything from email and calendars to mobile phones and tablets. “You just need to decide, ‘What are we going to allow? What aren’t we going to allow?’” Stoddard Manikin, MBA, CISM, CISSP, Director of Information Systems Security at Children’s Healthcare of Atlanta, said. “You need to start from there and then evolve.”
“You don’t want to tell people, ‘No you can’t do that.’ You don’t want to be the one saying no, because they’ll end up just going around you,” Wilson said. “What you want is to find a way to create policies and procedures that people can tolerate so you’re seen as an enabler and not a preventer.”