When it comes to bring-your-own-device (BYOD) policy, enterprises face an inherent conflict between leveraging the potential benefits of flexibility, productivity, and individual choice offered by mobile devices, while maintaining centralized oversight and addressing security and privacy concerns.
For healthcare providers, the balancing act is especially acute. On the one hand, mobility can deliver significant value to critical medical activities. At the same time, the healthcare industry faces particularly stringent security and privacy standards.
Take device sharing. When performing surgery or examining patients, physicians will require the aid of a nurse or assistant to view messages or texts or to review patient information. The problem with these mission-critical functions is they often involve physically handing over phones to colleagues – a practice that is a red flag for many legal and risk management teams tasked with defining device-sharing policies.
Ideally, a hospital group would consider these user requirements and business practices and adjust device-sharing and other policies to allow for special circumstances such as physicians in operating rooms. At present, however, healthcare providers are for the most part still struggling to address legal and ethical standards for data privacy, while at the same time meeting employee needs to remotely access data.
In this context, what steps can a healthcare provider CIO take to build a successful and balanced BYOD program? One key is to recognize that access to corporate data on a personal mobile device is not much different from access to corporate data on a non-corporate computer or laptop. The goal is to secure that corporate data and take the appropriate steps to prevent it from being accessed by unauthorized personnel. In many cases, healthcare providers complicate matters by developing a distinct set of data security policies for mobile devices, when in fact the issues of data security apply across devices, and best practices for securing data are similarly analogous.
With BYOD and “mobilizing the workforce” all the rage, healthcare providers might be tempted to quickly change or update a mobile policy, without assessing the additional technical challenges posed by implementing an effective policy. Rather than a “boil the ocean” approach, breaking out deployment in the context of the three categories below can segment and identify specific tasks and help ensure a successful implementation:
- On-premise Communications / Architecture and Platform: Initial focus should be on how mobility fits in to the big picture of the broader communications strategy. This can inform decisions on which platform(s) to deploy within the context of the larger environment. The underlying infrastructure – cable plant, Wifi, etc. – must also be validated and considered in this phase. These considerations should be undertaken with an eye on the desired end state, and with a focus on requirements and business needs, versus specific vendor solutions/devices.
- Off-premise Communications / Security: As healthcare providers acknowledge the need to access information from anywhere at any time, without sacrificing security and data integrity, they must address communications beyond the “safety” of the private, internal infrastructure. Security and data protection are of prime concern as decisions are made about BYOD devices, enterprise mobility management suites (EMM), data loss prevention, remote access, etc. Many of the decisions in this phase are based on device and platform selections from phase 1, and, again, must fit into the broader communications strategy.
- Systems Integration / Workflow: Once architecture, platforms, and remote access decisions are made, a comprehensive interoperation strategy can be implemented to ensure secure data flow between systems and to prevent data spillage. Because numerous, disparate systems need to communicate with each other, a solid workflow design is needed to document how the pieces fit together and communicate with each other.
EMM can enhance the security of access to the device and its contents. A common practice is to encrypt sensitive data that resides on the device, and to require device-level security practices such as pins and/or passwords. EMM systems can also restrict access by applying a very short device lock policy that automatically requires users to enter their pin or password after a very short period of inactivity on the device – sometimes as short as 10-15 seconds – to access applications with sensitive information. Meanwhile, other applications and generic messaging notifications can remain active and running in the background, without requiring constant re-authentication. This compromise can enable reasonable access while still providing an acceptable level of protection against unauthorized access.
Healthcare enterprises will continue to search for the perfect balance of risks and benefits within the context of mobile communications. At present, we are observing many leaning towards the more restrictive end of the spectrum when drafting device-sharing language, especially in the BYOD context. This trend will most certainly impact and limit the rate of adoption, regardless of reimbursement policies (a separate discussion), which can seriously impact the workforce mobilization and cost-avoidance opportunities that BYOD offers.
Forward-looking enterprises are exploring a combination of written policies and technical tools that enable a loosening of restrictions, while still offering an appropriate amount of data security and privacy protection.
Michael Martelli is a Managing Consultant with Alsbridge, a global consulting and advisory services firm.
