Healthcare News & Insights

Top 3 BYOD policy mistakes healthcare organizations make

Healthcare employees are bringing personal devices to work – whether their employers say it’s OK or not. That’s why security experts say it’s critical to create an effective BYOD policy. 

In the past year, the large majority (89%) of healthcare workers have used a personal smartphone for work, according to a recent survey from Cisco.

That’s good news for healthcare organizations in some ways. There are a few benefits providers get from employees working on their own smartphones and tablets, such as higher productivity and morale.

But those personal devices introduce several security, legal and other risks, too. For healthcare organizations, the biggest scare is that a smartphone or tablet holding sensitive patient information will be lost or stolen, leading to a serious data breach.

In addition, information could be stolen via mobile malware or other types of security attacks.

To take advantage of the benefits of Bring Your Own Device (BYOD) programs while managing the risks, healthcare organizations must create a clear and effective BYOD policy that limits what devices employees may use and how they may use them.

When writing a BYOD policy, these are some of the most common mistakes organizations make that can increase information security risks:

1. Not having a BYOD policy

Unfortunately, one of the most common BYOD policy mistakes that organizations make is not having a policy at all. Despite the fact that the majority of employees are doing work on personal smartphones and tablets, many organizations in all industries have not yet issued formal policies and procedures regarding those devices.

In fact, among 650 IT pros surveyed last year by the SANS Institute, only 38% said their organization had a BYOD policy in place.

Other alarming stats from the survey:

  • More than 50% of respondents rely on users to protect their devices from potentially hostile applications
  • 40% don’t track mobile devices on their network, and
  • Only 20% use mobile device management software as a way to control devices.

Most experts agree that employees will bring their own devices to work whether IT has a policy or not. It's therefore better for organizations to control BYOD as best they can rather than ignore the issue.

The first step is to create a policy outlining key elements such as:

  • What devices and mobile operating systems are approved for use on the network
  • What security features and settings must be enabled for a device to have access
  • What types of data the employee is allowed to store on a personal device
  • What apps employees can and cannot install, and
  • What actions the organization is allowed to take in terms of managing and monitoring a personal device.

2. Not enforcing security controls

Part of a healthcare organization’s BYOD policy should state that only smartphones and tablets that meet minimum security requirements should be allowed to be used for work. However, there’s a second important part of the process many organizations neglect: enforcing that those security controls are being used.

The most popular way of doing that is to use mobile device management (MDM) software to keep devices that don't satisfy IT's security requirements off the network until they comply.

It seems many organizations aren’t taking enough steps to enforce the BYOD policy. According to Cisco’s survey, many employees who work on their own devices fail to take some pretty basic steps to protect mobile security. For example:

  • 40% don’t use password protection on their devices
  • 48% have kept their devices discoverable over Bluetooth, which lets anyone nearby find the device and probe it for pairing or protocol weaknesses
  • 52% access unsecured wireless networks with their devices, and
  • 86% say their employer wouldn’t be able to remotely wipe a device if it were lost or stolen.
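The enforcement step above (an MDM admitting only devices that meet the minimum requirements) and the policy elements listed under mistake 1 can be expressed as a simple posture check. The following is an added example written for this page; it is not code from the article, from Cisco, from SANS or from any MDM product. The minimum OS versions, the blocked app identifier and the three device records are constructed sample data standing in for what an organization's own policy and MDM agent would supply.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DevicePosture:
    """Attributes a real MDM agent would report about an enrolled personal device."""
    device_id: str
    os_name: str                 # "iOS" or "Android"
    os_version: tuple            # (major, minor) so versions compare numerically
    passcode_set: bool
    storage_encrypted: bool
    bluetooth_discoverable: bool
    remote_wipe_enrolled: bool   # organization can wipe the device if it is lost or stolen
    jailbroken_or_rooted: bool
    installed_apps: frozenset    # app bundle identifiers


# Hypothetical minimum requirements standing in for the organization's own policy.
MIN_OS_VERSION = {"iOS": (16, 0), "Android": (13, 0)}
BLOCKED_APPS = frozenset({"com.example.unvetted-filesync"})   # constructed identifier


def evaluate(device, min_os=MIN_OS_VERSION, blocked_apps=BLOCKED_APPS):
    """Return (allowed, reasons). Every failed requirement is listed so the
    employee knows what to fix; a single failure is enough to deny access."""
    reasons = []
    if device.os_name not in min_os:
        reasons.append(f"unapproved platform: {device.os_name}")
    elif device.os_version < min_os[device.os_name]:
        wanted = ".".join(map(str, min_os[device.os_name]))
        reasons.append(f"{device.os_name} version below minimum {wanted}")
    if not device.passcode_set:
        reasons.append("no passcode")
    if not device.storage_encrypted:
        reasons.append("storage not encrypted")
    if device.bluetooth_discoverable:
        reasons.append("Bluetooth left discoverable")
    if not device.remote_wipe_enrolled:
        reasons.append("remote wipe not enabled")
    if device.jailbroken_or_rooted:
        reasons.append("jailbroken or rooted")
    banned = sorted(device.installed_apps & blocked_apps)
    if banned:
        reasons.append("blocked apps installed: " + ", ".join(banned))
    return (not reasons, reasons)


def triage(devices):
    """Map device_id -> (allowed, reasons) for a batch of posture reports."""
    return {d.device_id: evaluate(d) for d in devices}


# Constructed sample posture reports (not survey data).
SAMPLE_DEVICES = [
    DevicePosture("nurse-iphone", "iOS", (17, 4), True, True, False, True, False,
                  frozenset({"com.example.ehr-client"})),
    DevicePosture("clinic-tablet", "Android", (12, 0), False, True, True, False, False,
                  frozenset({"com.example.unvetted-filesync"})),
    DevicePosture("rooted-phone", "Android", (14, 0), True, True, False, True, True,
                  frozenset()),
]

if __name__ == "__main__":
    for device_id, (allowed, reasons) in triage(SAMPLE_DEVICES).items():
        verdict = "ALLOW" if allowed else "DENY"
        detail = f" ({'; '.join(reasons)})" if reasons else ""
        print(f"{device_id}: {verdict}{detail}")
```

The point of returning every failed requirement rather than stopping at the first is practical: the employee who is denied access gets one complete list of what to change, and the help desk gets the same list, so enforcement does not turn into a guessing game. In a real deployment the posture record comes from the MDM agent and the allow/deny result feeds the network access control or conditional access decision.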

3. Not having employees sign off on the policy

Once a clear, effective BYOD policy is written, organizations must make sure employees read and sign off on the policy before they bring a personal smartphone or tablet to work. That's critical for two big reasons.

The first is that it will make sure employees know what the policy is. Employees often claim ignorance when it comes to IT’s rules, and when it comes to their own personal devices, many might assume that there’s no BYOD policy at all.

The second reason is that having employees sign the policy could help avoid legal trouble or other complaints down the road based on actions IT may have to take with a personal smartphone or tablet. For example, if a device containing sensitive patient data is lost or stolen, the organization will likely want to remotely wipe it.

Since the device will also contain the employee’s own personal data and media, it’s important the employee is aware of the risk and gives IT the right to do so before participating in the BYOD program.
