
BYOD security in a healthcare setting: Best practices

By Bill Kleyman

IT consumerization and bring your own device (BYOD) have expanded quickly as virtualization and cloud computing drive application delivery to more end points. Originally, healthcare provider users wanted their phones connected to the corporate environment to access mail and some files. Now, with application, server and desktop virtualization, users are asking for their corporate workloads to be delivered to more devices. This means iPads, Android tablets, personal PCs and of course the smartphone. This trend has spread to numerous different industries – healthcare included.

Doctors, nurses and other healthcare practitioners are demanding more from their IT environments. Employees are bringing in their own devices and are asking that the IT platform support their personal computing tools. In the perfect world, all of these devices would work in harmony with security being a non-issue. This, of course, is not the case.

In understanding IT consumerization, it’s important to note that BYOD can really mean anything. Any intelligent device with connectivity to the Internet could potentially fall into the BYOD category. And it’s this very fact that makes many healthcare IT security professionals very nervous. When working with BYOD, especially in the healthcare environment, it’s important to follow some very basic security best practices. The goal is to have an efficient BYOD platform while not letting it get out of hand.

Create firewall rules, policies and ACLs – Today’s healthcare security infrastructure now includes devices deemed “next-generation” security appliances. This means that these devices are able to go far beyond the standard firewall. When working with BYOD in a healthcare organization, utilizing this type of security platform can go a long way. For example, an access rule can scan the end point and identify whether a device is still running its original operating system (OS) or has been rooted. Furthermore, Web-facing appliances can quickly identify what types of devices are trying to connect in. Whether it’s a phone, tablet or full PC – depending on the endpoint, the user may receive a different interface.

Design a usage policy – We are now mixing corporate data with personal devices. Just like a computer usage policy, a BYOD usage policy must draw a picture as to who is responsible for what. This means making the user well aware that even though they’re on their own personal device – any activity on or with the corporate environment may be monitored or logged. From a security perspective, this creates a digital trail and can allow security administrators to be more proactive.


Have a device list ready – One of the key points in working with BYOD is this: Under no circumstance should BYOD be a complete free-for-all. Having a set of approved devices will limit potential security holes. Equally, it will help control the number of client-related support issues that healthcare IT administrators will have to deal with. Some healthcare environments allow tablets, but only from one OS or manufacturer. This type of restriction gives the organization greater control over which devices are able to access corporate data.

Set monitors and alerts – Just like any other infrastructure component, BYOD needs to be monitored and controlled. The ability for a device to connect to corporate data, whether locally or remotely, relies on local area network (LAN) and/or wide area network (WAN) technologies. Coupling this with the right kind of security appliance, administrators in the healthcare environment are able to monitor the type of traffic entering and leaving the environment. By segmenting, controlling, and monitoring BYOD traffic, administrators create a proactive environment where security threats can be caught ahead of time.

Implement data security end-to-end – BYOD is designed to help the end-user be more productive and have a better computing experience. Part of that experience is the security in data delivery. Simple rules, such as requiring that all traffic be carried over Hypertext Transfer Protocol Secure (HTTPS) on Transmission Control Protocol (TCP) port 443, need to be applied when a connection occurs. Information must be secured at the end-point, in the middle and at the data center. As mentioned earlier, setting up end-point scans to ensure that a client is running anti-virus (AV) software may be a requirement for your healthcare organization. Furthermore, data loss prevention (DLP) solutions can help prevent instances of data leakage. For example, a rule can be set to immediately flag, report and block any traffic containing values in the following format: xxx-xx-xxx.
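The two "simple rules" from this section, the HTTPS-on-port-443 transport rule and the DLP content rule for the xxx-xx-xxx format, written out as a small policy check. This is an added example, not code from the article or from any product it mentions; it assumes each "x" in the format stands for a digit, and the sample requests are constructed.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed DLP rule: the article's "xxx-xx-xxx" format, read as digits (assumption).
SENSITIVE_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{3}\b")

@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)

def check_transport(url: str) -> list:
    """Return violations of the 'HTTPS over TCP 443 only' rule."""
    parsed = urlparse(url)
    problems = []
    if parsed.scheme != "https":
        problems.append(f"non-HTTPS scheme '{parsed.scheme}'")
    # An https URL with no explicit port implies 443.
    port = parsed.port if parsed.port is not None else (443 if parsed.scheme == "https" else None)
    if port != 443:
        problems.append(f"port {port} is not 443")
    return problems

def find_sensitive(payload: str) -> list:
    """DLP content rule: every substring in the xxx-xx-xxx format."""
    return SENSITIVE_PATTERN.findall(payload)

def evaluate(url: str, payload: str) -> Decision:
    """Flag, report and block: any transport or DLP violation denies the request."""
    reasons = check_transport(url)
    hits = find_sensitive(payload)
    if hits:
        reasons.append(f"DLP match: {len(hits)} value(s) in xxx-xx-xxx format")
    return Decision(allowed=not reasons, reasons=reasons)

# Constructed sample requests (not real traffic); hostnames are placeholders.
SAMPLES = [
    ("https://portal.example.org/api/notes", "Patient note: follow-up on Monday"),
    ("http://portal.example.org/api/notes", "Patient note: follow-up on Monday"),
    ("https://portal.example.org:8443/api/notes", "ok"),
    ("https://portal.example.org/api/export", "id 123-45-678 attached"),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        d = evaluate(url, body)
        print("ALLOW" if d.allowed else "BLOCK", url, d.reasons)
```

In a real deployment the same decision would be reported to the monitoring stack described in the previous section so that blocked requests leave an audit trail.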

Mobile Device Management platforms can also help lock down which applications and what data can be accessed from mobile devices. Other tools can include an intrusion prevention system (IPS) platform which allows only certain types of users to access the environment. Regardless of the security tools in place, it’s important to have a clear vision of where the data is going, who is accessing it and how it can be controlled.

BYOD can be a very powerful addition to any environment – especially healthcare. Having the freedom to use a personal device in a secured environment not only creates peace of mind, but also a more productive employee base. In creating BYOD policies, consider using some type of stipend program. Not only will the end-user have the ability to select from a pre-approved list, but IT administrators can ensure that those devices are secured when delivered to the end-user. This type of program can alleviate hardware management costs since hardware responsibilities fall on the user. Furthermore, it can completely revolutionize how an organization controls its PC refresh cycle.


As with any tool or platform, it’s important to deploy the technology with thought and planning in mind. Many healthcare organizations actually run very thorough pilots to ensure that this type of platform is conducive to their business plans. An uncontrolled BYOD platform can be a security nightmare. On the same note, a well-planned and managed BYOD solution can create a happier workforce and less management overhead for the IT department.

Bill Kleyman, MBA, MISM, has heavy experience in network infrastructure management. He has served as a technology consultant and taken part in large virtualization deployments while being involved in business network design and implementation. He is currently the Virtualization Architect at MTM Technologies Inc. and his prior work includes Director of Technology at World Wide Fittings Inc.
