3 Factors Essential to HIPAA Compliant BYOD Policies
On June 8, 2015, the mobile technology company InCrowd surveyed 241 nurses and found that around 202 (83%) use smartphone apps in daily nursing work. 73% used their smartphones to find drug information, 72% to find information on diseases and disorders, and 69% to communicate with colleagues.
Despite the well-known shortcomings of traditional network security, many hospitals and information technology (IT) departments are relying on exactly the same methods to try to manage mobile devices. Rather than relying on those traditional methods, it is advisable to create dedicated BYOD (bring your own device) policies.
Here are three important factors for building your BYOD policy to protect PHI:
1. Secure Your Network
Focus on controlling access to PHI and using appropriate authentication factors as a safeguard. Examples of ways to do this include:
• Consider a VPN or mobile VPN to protect data in transit instead of relying on a wide-open internet connection
• Block access to social media to prevent data breaches from employee use
• Double down on authentication and require more than a single password for access to the network
2. Decide Whether You are Supporting Mobile Devices
If you allow the use of personal devices during patient care, consider publishing a list of devices that the IT department supports for basic troubleshooting, so that providers can access any necessary applications or information during their workdays. Additionally, encrypt the information stored on the personal devices that you support.
If your IT department decides to use Mobile Device Management (MDM), then supporting these devices is not a question; it is a must.
3. Create a Culture of BYOD Compliance
It is not enough to lock down only the technical side of personal devices in the healthcare environment. Health systems should educate staff on their BYOD policies and promote a culture of compliance and safe technology practices. Staff should understand when it is appropriate to use a device and when it isn’t. Think about how policies will be implemented and enforced:
• How will you educate staff on the policies?
• What happens if someone violates a policy?
• Is there a rollout phase that is more lenient than final penalties?
• How will you address data breaches from personal devices on the hospital network?
Finally, how does your BYOD policy comport with your social media policy?

Why are BYOD policies necessary? Based on the InCrowd survey, if you have 1000 nurses, then around 830 use their smartphones during the course of care for various patients. Data breach studies show that malicious insiders and negligent employees cause anywhere from 52% to 69% of data breaches. This means that over half of those smartphone users could accidentally cause a data security incident.
It is better to take a proactive approach than to wait until after a data breach.