Healthcare News & Insights

5 things healthcare organizations need to consider before embracing BYOD

Bring your own device (BYOD) programs offer healthcare organizations considerable benefits, but they also come with significant risks. In this guest post, Brad Spannbauer, senior director of product management and HIPAA privacy & compliance officer at an internet services provider, details the potential pitfalls healthcare facilities should consider before adopting a BYOD program.


The BYOD movement is gaining momentum in America, and fast. With a reported 59% of enterprises now allowing employees to use personal devices for work purposes, and a further 13% planning to implement BYOD within a year, BYOD looks like it’s here to stay, according to an article on Insight.

And when you consider the benefits of BYOD over traditional practices, it’s not hard to see why adoption is on the way up. Increased productivity, boosted staff morale and reduced hardware costs are all frequently cited as major advantages. One recent study quantified the time savings of BYOD at 58 minutes per employee, per day, which works out at a 34% increase in productivity. Another study estimates that companies with an effective BYOD policy in place can expect to save on average $350 per year, per employee.

Within the healthcare industry in particular, mobile devices are solidly entrenched in clinical settings. A HIMSS Analytics study in 2017 asked healthcare workers which devices they used to access information to provide and coordinate patient care. The results were striking: tablets were cited by 80% of respondents, followed by smartphones at over 42%. So regardless of whether it’s hospital-provided or BYOD, mobile technology has clearly found a place in healthcare environments.

Risks of BYOD

These statistics considered, it’s clear why so many organizations are quite literally opening their doors to employee-owned devices. However, for all the potential benefits BYOD offers, there are equal risks, and those risks are particularly high within healthcare organizations.

According to Ponemon research, a staggering 90% of healthcare organizations have been hit by at least one data breach in the past two years, and nearly half have had more than five data breaches in the same time period, at an average cost of $2.2 million. While criminal activity is a leading cause of those attacks, employee negligence and lost or stolen devices continue to be the primary instigators.

In fact, nearly 50% of large data breaches in healthcare were attributed to theft and loss in 2017, according to the Office for Civil Rights at the U.S. Department of Health and Human Services. To make matters even worse, 28% of doctors have reported storing patient data on their mobile devices. Yet many of those devices aren’t password protected and may be infected with malware. That’s a potential data breach just waiting to happen on a quarter of all such devices in use. Even with robust policies in place, BYOD is inherently risky, and so long as humans form part of the security chain, there will always be weaknesses. Therefore, before allowing BYOD, organizations should consider the following potential pitfalls very carefully.

Increased device vulnerability

Device loss and theft are an unfortunate inevitability; even the most cautious employees misplace things from time to time. But when those misplaced things provide gateways to sensitive data and company networks, major issues can arise. The reality is that when employees use the same devices both inside and outside of work, those devices are more exposed, and the organization is at higher risk of corrective action and even fines for non-compliance with state and federal healthcare privacy regulations.

Compliance complications

BYOD presents serious compliance challenges for healthcare organizations, particularly when it comes to meeting HIPAA’s security and privacy rules. From making sure that all employees are implementing the necessary physical safeguards, including strong passwords and multi-factor authentication, to ensuring that PHI is only ever exchanged via HIPAA-secure tools that use encryption, there’s much to consider for compliance officers and IT departments. This makes developing a robust BYOD policy critical for HIPAA-covered entities.

Legal difficulties

It’s possible that from time to time, an employer may need to gain access to an employee’s device to retrieve data, or to install or update applications. But what happens if, during that period of access, the employer stumbles upon some incriminating information, accidentally deletes personal files, or finds out something about the employee that was intended to remain private? This raises lots of complex legal questions that employers must consider before rolling out BYOD, all of which should be addressed within a clear set of policies and procedures.

Shadow IT

In simple terms, shadow IT describes any IT system being used within an organization without the organization’s knowledge or consent; this could be anything from personal email accounts to workflow tools. While most employees who use unauthorized tools and applications do so without malicious intent, they are nevertheless introducing security vulnerabilities that are almost impossible to identify. This is a growing issue that is only amplified by BYOD; one report estimates that by 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources.

Looking specifically at concerns surrounding BYOD in healthcare, a poll of 535 healthcare IT and IT security professionals last year found that among the top security threats to healthcare organizations were employee-owned mobile devices (76% of respondents) and unsecured mobile devices (72% of respondents).

Employee productivity

As much as BYOD can help boost productivity, it can also have the opposite effect. Allowing employees to manage work on devices that are also likely to contain personal apps – Facebook, WhatsApp, iMessage and so on – can introduce unwanted distractions. Even with the best will in the world, it’s difficult to ignore notifications, work-related or otherwise, and BYOD only makes that challenge harder for employees.

For healthcare organizations considering BYOD as a way of working, it’s essential that first they develop crystal clear policies to address the areas outlined above, educate employees on the risks and rewards, and invest in tools that help to facilitate secure workflows – simply hoping employees will adhere to best practices isn’t enough.

Brad Spannbauer, senior director of product management, oversees product strategy and planning, and provides direction and market leadership for j2 Cloud Connect’s worldwide business. His focus in the healthcare and legal verticals led to his involvement with the j2 Cloud Services™ compliance team, where he’s the company’s HIPAA Privacy & Compliance Officer.
