Healthcare News & Insights

BYOD issues: Make sure your hospital is protected

Allowing employees to use their own electronic, portable devices at work can save hospitals money by reducing hardware costs, but it can also put facilities at risk of violating HIPAA security standards. That’s why it’s vital for hospitals to develop and implement a bring-your-own-device (BYOD) program.

What’s a hospital’s biggest challenge when it comes to a BYOD program?

Tailoring a program that meets its individual business needs and addresses its specific and unique data security risks, according to health law attorneys Dianne Bourque and Stephen Bentfield in HealthData Management.

There isn’t a one-size-fits-all program when it comes to BYOD, and it’s not something you can create overnight. It takes time and planning.

Risk assessment

The first step a hospital has to take is doing a comprehensive risk assessment. This will reveal if your employees are already using their personal devices to transmit work-related data. It’ll also let you know if a BYOD program is technically and financially feasible for your facility.

If it is feasible, the risk assessment will also help your facility find the best technical means to implement the program and develop policies and procedures to manage it.

In addition, if the feds ever come pay you a visit, your risk assessment will give you the documentation you need to support a BYOD program, as well as proof of compliance with HIPAA security rules.

Common threats

With personal devices, one thing you have to remember is that the devices will be going everywhere with your employees and you have no control over that. So you should assume right from the start that these devices will be lost, stolen and/or accessed by unauthorized third parties. And if they are lost or stolen, you may not find out about it right away, which can compromise a hospital’s ability to respond to a possible security breach.

You’ll also face resistance from certain employees when it comes to installing your organization’s security policies and measures on their own personal electronic devices.

One way to address all of this: Make your BYOD program an opt-in. If you do this, employees have to sign a written agreement or consent form to use their personal devices for work, and the form should include the conditions for participating in the program. If an employee doesn’t sign, he or she can’t use their personal devices for work — it’s as simple as that.

Some of the conditions that should be on a consent/agreement form are:

  • for the hospital to install, update and administer security software as deemed necessary by the facility
  • access by the hospital to remotely wipe and/or lock a device if it’s lost, stolen or compromised
  • enforcement of the facility’s data access, use and security policies, and
  • disciplinary actions if the policy is not followed.

While BYOD programs can help hospitals meet their budgetary needs, they are a big security risk, so make sure you have the means to enforce the program.
