The healthcare industry finds itself at a bit of a crossroads when it comes to weighing policies around BYOD, or bring-your-own-device, trends.
The benefits of BYOD are significant. On one hand, BYOD allows healthcare providers to be more efficient and deliver better care – which should be the goal above all. BYOD also cuts down on IT procurement and maintenance costs, because the gear is employee-owned.
But permitting BYOD isn’t so simple. Scan the Health and Human Services’ Breach Notification List and you’ll see that more than half of the incidents reported involve the theft of unencrypted devices. The proliferation of mobile devices into the healthcare industry only accelerates this trend.
Medical professionals aren’t responding to the growing threat fast enough. According to a 2013 survey by consulting firm The Advisory Board Company, approximately one-third of healthcare organizations embrace clinicians bringing their own devices, another third are working to restrict BYOD and the rest are figuring out how to address the issue. This hesitation is costly.
Certain IT administrators would prefer to ignore the growing appeal of BYOD – as if turning a blind eye could help mitigate threats. Given that most breaches these days are caused by human error, like lost or stolen mobile devices, practices need to take steps to properly sanction and control personal devices with BYOD plans.
It might seem counterintuitive, but the real way to control BYOD threats is to embrace the trend.
BYOD is happening under providers’ noses
There’s more pressure on medical professionals than ever before to deliver quality care to a high volume of patients. Practically speaking, that means clinical and administrative staff are using all the tools at their disposal to get things done. In some practices, nurses are wearing multiple hats as administrators and scrubbing in to assist in outpatient surgeries. Doing two jobs is becoming the norm rather than the exception, amplifying the opportunities for mistakes. Combined with the broader proliferation of devices and connectivity, there’s a greater expectation than ever to take work home, or at least be accessible from anywhere.
Consider a scenario I see all the time. Healthcare professionals in a medical practice are syncing thousands of files that contain personal health information (PHI) to their laptops, tablets and phones.
With thousands of files being pushed to every single device, it takes a single misplaced smartphone or tablet to cause a HIPAA breach of catastrophic proportions.
Even scarier? Not knowing a device that contained PHI was lost. That’s an even bigger risk that comes with the failure to implement BYOD policies. After all, institutions can’t lock up things they aren’t aware pose risks.
Consider the following behavior pattern: A junior doctor downloads information – or even just possesses emails – that contained PHI to his laptop, but he didn’t inform his superiors. Why would he act in such an insecure way? We’ve discussed the appeal of BYOD to institutions, but it’s critical to consider the individual perspective. The junior doctor’s alternative is a clunky and old hospital-sanctioned laptop that’s so restrictive and slow that he ends up spending hours doing simple tasks. Often, company-provisioned devices are so restrictive that they nearly defeat the entire purpose of mobile work. He also wants to be able to access patient charts on the go and at home, and the perfect way to do that is through a mobile device.
But if this junior doctor’s device gets lost, it’s not clear what his next steps should be. He’s far less likely to have a way to remotely wipe or block the device without the institutional support around BYOD. Moreover, it might not even occur to him that he needs to report it, which means it will take even longer for the practice to stem the bleeding. Like it or not, this failure on the employee’s part falls on the practice. The liabilities are far greater when a practice has not been clear about expectations around technology.
There is a safe way to implement BYOD
More and more healthcare providers are becoming reliant on mobile devices to perform their day-to-day tasks, but this doesn’t have to imply a security problem.
I’m reminded of a conversation I had with a forensic psychiatrist, who told me that his devices were the only way he could get all his work done. He’s shifting gears constantly, serving as the medical director for a health system, an associate professor and a forensic psychiatric consultant for criminal cases. He routinely gets calls from patients or counsel while he’s relaxing at home. To properly field their questions, he has to have easy access to documents. The same goes for when he goes off on a trip. Even when he’s on vacation, he doesn’t expect to leave work behind. But he prefers to consolidate everything onto his iPad.
Mobility and efficiency are important, but so is security. He has to make sure the documents he’s calling up – wherever they are, or wherever he is – are encrypted. Never mind the reportable breach requirement, which says that if the PHI of 500 people were exposed, it would need to be reported. Even one exposure is too much, he says, when dealing with such sensitive information. That’s why he’s not only worried about theft or loss of his devices. He’s also worried he might make a mistake, such as sharing a “not guilty by reason of insanity” report with someone who isn’t authorized. Such documents lay out a defendant’s entire life story, and any exposure would have devastating consequences.
That’s the tradeoff that comes with easy-to-use personal devices and programs. Their ease of use can actually introduce new types of accidental errors. So that’s the risk this forensic psychiatrist sought to mitigate when he found Sookasa. He wants to use things that are seamless, but he also demands built-in protections that allow him to prevent and rectify mistakes, such as identity authorization and encryption mechanisms that assure that only the people he authorizes can access his sensitive files.
Don’t forget the BYOD threats outside your organization
The challenge of implementing a BYOD policy internally might be daunting, but you can’t stop there. Just think about all the ways in which your team might be sharing confidential information with patients, billing companies and others. To have a truly robust BYOD policy, it’s essential to be proactive about risks that exist outside your organization too.
Consider a recent situation at a major European hospital. The CIO told me that his doctors were clamoring to use Dropbox at work. He acknowledged that much of their work is done from iPads and iPhones; even he estimates that 50 percent of his own work is done on his phone. Dropbox isn’t HIPAA compliant on its own, which is why we started talking about Sookasa’s cloud encryption solution.
The hospital’s doctors saved days’ worth of time in getting X-rays from hospital radiologists to referring physicians, which meant that the patient was able to get better care more quickly. But the CIO had to find a way to lock up Dropbox and introduce on-device encryption – especially for the files that would end up on referring physicians’ devices, and technically outside his control, since they are not hospital employees.
He not only implemented Dropbox and Sookasa for his radiology team, but he also took the unusual step of getting referring physicians up and running on it too, ensuring that X-rays and other files remained encrypted and protected at every step of the workflow. It was a great example of just the sort of thinking that eliminates BYOD and related bring-your-own program threats. The CIO took his team’s desires seriously and found a way to make Dropbox HIPAA compliant and protect all the information ending up on devices with encryption.
For secure BYOD policies, you must enforce them
Developing and implementing a BYOD policy is hard work. But having a policy in place doesn’t mean that your work is done.
When employees agree to BYOD policies, everyone gets on the same page about threats – and expectations. Even if your BYOD policy says that employees are able to use any device they want to access information, you should remind them that you plan to track each access – and follow through on it.
The best care is attentive and comprehensive – and, in an ideal world, collaborative and efficient too. Technology should support healthcare professionals and medical staff’s focus on providing quality care.
