Healthcare News & Insights

BYOD security risks: Strategies to protect your hospital

Your hospital’s biggest security threat isn’t likely to come from outside hackers, but rather internally from your clinical staff. That’s especially true if your hospital allows staff to access email and internal servers through their personal smartphones or tablets under a bring your own device (BYOD) policy.

Even if your IT department and electronic health records (EHR) vendor have the appropriate safeguards in place, it can all be undone if just one person accesses confidential information via a personal portable device.

And your hospital would have to assume liability for the error.

In the past, a blanket ban on the use of outside devices was acceptable. But as people became more and more tethered to their portable electronics, it’s become harder to enforce this rule.

Now many hospitals allow doctors and nurses to check their email and perform other job-related functions on their own devices.

Keys to success with BYOD

Embracing the BYOD trend can help doctors and nurses work more efficiently. But without the proper rules in place, it can compromise the security of patients’ protected health information (PHI), leaving your facility open to HIPAA violations, huge fines and bad publicity.

Here are five ways to protect your facility from BYOD-related security issues, as adapted from a recent article in Mobile Health News:

  1. Perform a risk assessment. Survey doctors and nurses to get an idea of how many staff members access patient information using their own devices. This will allow you to address the potential for a data breach and determine the impact if one should occur.
  2. Develop a specific policy addressing the use of personal devices. An effective BYOD policy clearly spells out what kind of information is permissible to access on a personal device – and what isn’t. You may also want to include rules limiting offsite access to patient records. And be sure to regularly review and audit your policy so you know it’s appropriately addressing your hospital’s needs.
  3. Conduct regular training on the correct way to handle PHI. Clinical staff should receive periodic refreshers about the importance of keeping patient information confidential, especially if they’re accessing PHI on their own devices. They should also be reminded of the consequences of breaking the rules.
  4. Require encryption. If doctors and nurses want to use their own smartphones or tablets, make it a rule that the devices must be encrypted so patient data can’t be accessed if the device falls into the wrong hands.
  5. Purchase the appropriate insurance to limit your financial liability if a breach occurs. No one is perfect, and despite your best efforts, staff may not follow your hospital’s BYOD policy to the letter. So make sure your facility is protected in case someone’s carelessness compromises patient information.
