Among the main security challenges with healthcare BYOD is the dual-use nature of mobile devices. A stolen or lost physician's laptop will probably already have security measures built in, such as whole-disk encryption and authentication requirements, but smartphones and tablets, especially personal devices, often eschew these added layers of protection in favor of ease of use, simplicity and quick access.
One of the biggest dangers of BYOD is the latest crop of Dropbox-style synchronization applications. By poking a hole in an institution’s security fabric to synchronize files to mobile devices, the physician is potentially creating a new channel through which confidential patient information could leak. Many healthcare institutions have decided to shut off access to these synchronization tools until there’s a way to manage them as hospital applications with centralized control, granular permission and integration with established authentication services.
How can you prepare your healthcare organization to handle these additional security risks? What steps should you take to extend your current network security to cover these mHealth security holes? Mobile devices are simply the latest vector to threaten hospital security, but here are remedies to these threats that will satisfy both IT groups and healthcare practitioners. The following 10-point list will help you think about the framework for a BYOD policy that can help you meet your HIPAA and protected health information (PHI) security requirements.
1. Examine and update security policies. Review your current security policies for web applications (customer relationship management (CRM), email, portals), virtual private network (VPN) and remote access. Most will apply to mobile devices as well.
2. Determine which devices you want to support. Not every device will meet the security requirements of your organization, and you don't want to have to test all possible platforms. Also, physically inspect devices to make sure they haven't been jailbroken or rooted.
3. Set expectations clearly. Instituting proper security protocols may mean IT has to change physician mindsets. Security adds additional layers for an organization to work with, but this is a small inconvenience when compared to the potential harm caused by a security breach.
5. Create a Personal Identification Number (PIN). Make a PIN (or other client authentication) mandatory. This is the first line of defense against a lost device.
6. Enforce data encryption at rest. Any applications downloading and storing data on a BYOD device should protect that data. If a PIN or passcode is cracked, you want to make sure that data is still protected.
7. Decide on application availability. With many applications available, which do you permit? Are there specific applications or a class of applications you want to keep off the device? This can be difficult to achieve, but malware and rogue applications can cause serious damage without users realizing it.
8. Provide training to physicians and hospital staff. Make sure they understand how to use their applications, make the most of their mobile capabilities and watch for suspicious activity.
9. Search for applications with audit, reporting and centralized management capabilities. As mobile devices become information conduits, it's important to have these. Applications with such features make it easier to trace any potential data breach back to its source.
10. Consider mobile device management (MDM) software. MDM software can provide secure client applications like email and web browsers, over-the-air application distribution, configuration, monitoring and remote wipe capability.
No single solution will solve all your BYOD issues, but a combination of policies, education, best practices and third-party solutions can help mitigate security concerns. By defining goals and setting up guidelines and policies, you can lay the foundation and flexibility you need to meet HIPAA and PHI security requirements.
Bill Ho is the president of Biscom, a software company providing solutions for secure file transfer and fax services to enterprises. In addition to architecting and developing enterprise solutions, Ho has been speaking and writing about mobile and web technologies for the last 16 years. Mr. Ho received degrees in Computer Science from Stanford University and Harvard University.