Minimize Risk in Your Practice’s “Bring Your Own Device” Policy

Netgain | Cybersecurity & Compliance, Healthcare IT

Consumers have more device options than ever, and with the recent launch of the iPhone 7 and the holidays approaching, it won’t be long before workplaces are flooded with new devices. As a result, employers nationwide face decisions about how to secure, support and manage the devices employees bring to work.

BYOD, or Bring Your Own Device, is a practice that allows employees to use their personal computing and mobile devices (smartphones, tablets, laptops) for business purposes. Most often, the BYOD policy sets out the conditions under which a personal device is permitted to connect to the company’s network and access its data.

There are certainly benefits to employees using their own devices for work. For instance, users tend to be more productive on a device whose operating system they already know, which makes them less reliant on the IT department for support.

Cost savings are another common benefit of BYOD policies. Gartner reported in 2014 that the direct costs of user-owned tablets are 64 percent lower than those of company-owned tablets. The savings aren’t ongoing, since nearly all of them come from avoided acquisition costs, but across an organization they can still be substantial.

When crafting the BYOD policy for your practice, here are 10 best practices to consider:

  1. Distribute and implement an acceptable use policy. State specifically how the practice’s network and data may and may not be used from a personal device.
  2. Identify which apps and software are permitted and not permitted on BYOD devices. Ensure staff know the policy and have agreed to it in writing.
  3. Educate employees on cyber-security best practices. Train annually on the importance of security and on the personal and professional implications of a data breach, and train every new employee at hiring.
  4. Teach employees how to securely access corporate resources from BYOD devices, including the EHR, corporate email and lab results, so that staff do not improvise their own (often insecure) methods of reaching that data.
  5. Require security updates on all BYOD devices. Updates may be pushed centrally to every enrolled device or applied by each user individually; either way, timely patching minimizes your practice’s risk. Mobile Device Management (MDM) software can enforce this by requiring a minimum operating system version before a device is allowed to connect.
  6. Prioritize mission-critical applications like your EHR and other business productivity applications. Minimize the bandwidth allowed for novelty applications like social media.
  7. Require every device to have a lock code and a complex password, and set a short auto-lock timeout. Organizations can also set password expirations that force a reset after a fixed period, though current NIST guidance (SP 800-63B) recommends changing passwords when there is evidence of compromise rather than on a fixed schedule, since forced rotation tends to produce weaker, predictable passwords.
  8. Set user-based permissions that limit access to patient data. Not every user needs to reach patient data from a personal device. Identify who does and create role-based permissions for them. Limiting access to patient data also limits your practice’s liability.
  9. Require device encryption on all devices. Encryption is a safeguard specifically named in the HIPAA Security Rule, and under HHS breach-notification guidance a lost or stolen device whose data is properly encrypted is treated as secured, whereas the loss of an unencrypted device holding patient data is a reportable breach that can lead to heavy fines.
  10. Provide a remote-wipe option for all devices. Through MDM, the practice can remotely erase the device’s storage (or, with a selective wipe, just the work container) after theft or loss. Note that a wipe command only takes effect once the device comes online, so encryption (item 9) remains the control that protects data in the meantime.
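The checks in items 5 and 7 through 10 are easiest to enforce when they are evaluated automatically against an inventory exported from your MDM. The following script is an added illustration, not code from the original article or from any MDM vendor: it assumes a simplified device record (field names, version thresholds, passcode length and the set of roles cleared for patient data are all assumptions for this example) and reports each device’s policy violations, granting patient-data access only to a compliant device held by a permitted role.

```python
"""Evaluate BYOD device records against a practice's policy.

Added illustration, not code from the original article. The record
fields and thresholds below are assumptions; a real deployment would
read them from the practice's MDM export and its written policy.
"""
from dataclasses import dataclass

# Policy thresholds (assumed values for illustration only).
MIN_OS_VERSION = {"ios": "15.7", "android": "12"}
MIN_PASSCODE_LENGTH = 6
PHI_ROLES = {"physician", "nurse", "medical_assistant"}  # roles cleared for patient data


@dataclass
class Device:
    device_id: str
    user: str
    role: str
    platform: str
    os_version: str
    encrypted: bool
    passcode_length: int       # 0 means no lock code set
    mdm_enrolled: bool         # remote wipe only works for enrolled devices
    requests_phi_access: bool


def parse_version(version):
    """Turn a dotted version string such as '15.7.1' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def version_at_least(actual, minimum):
    """Compare versions numerically, padding so that '12' equals '12.0'."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    return a + (0,) * (width - len(a)) >= m + (0,) * (width - len(m))


def evaluate(device):
    """Return the list of policy violations for one device (empty means compliant)."""
    violations = []
    minimum = MIN_OS_VERSION.get(device.platform.lower())
    if minimum is None:
        violations.append(f"unsupported platform '{device.platform}'")
    elif not version_at_least(device.os_version, minimum):
        violations.append(f"OS {device.os_version} below minimum {minimum}")
    if not device.encrypted:
        violations.append("device encryption disabled")
    if device.passcode_length < MIN_PASSCODE_LENGTH:
        violations.append("passcode missing or too short")
    if not device.mdm_enrolled:
        violations.append("not enrolled in MDM (no remote wipe)")
    if device.requests_phi_access and device.role not in PHI_ROLES:
        violations.append(f"role '{device.role}' not permitted patient data")
    return violations


def phi_access_allowed(device):
    """Grant patient-data access only to a fully compliant device with a permitted role."""
    return (device.requests_phi_access
            and device.role in PHI_ROLES
            and not evaluate(device))


def audit(devices):
    """Map each device id to its violations, for review or for blocking at the gateway."""
    return {d.device_id: evaluate(d) for d in devices}


# Constructed sample inventory (not real data).
SAMPLE_DEVICES = [
    Device("ipad-01", "dr.lee", "physician", "ios", "16.2", True, 6, True, True),
    Device("android-02", "front.desk", "front_desk", "android", "11", True, 4, False, True),
    Device("iphone-03", "rn.garcia", "nurse", "ios", "15.7", False, 8, True, False),
]

if __name__ == "__main__":
    for dev_id, problems in audit(SAMPLE_DEVICES).items():
        print(dev_id, "compliant" if not problems else problems)
```

Running the script lists every violation per device rather than stopping at the first one, which is what a help-desk ticket or an access-gateway decision actually needs; the numeric version comparison also avoids the common mistake of comparing version strings lexically, where "9" would sort above "15".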

Managing the risk inherent in BYOD is key to a successful implementation within your practice. That means understanding the vulnerabilities personal devices introduce and putting the right policies and technical safeguards in place.

What has your practice done to ensure security in your BYOD policy?