Developing a BYOD Policy: 6 Key Considerations
The effectiveness of a BYOD initiative lies in the ability to develop a secure, flawless, and uniform user experience. Users need to be able to access the appropriate information from wherever they are working. An inability to do so could lead to confusion, a loss of time, and an overall decrease in efficiency.
In order to develop an efficient BYOD policy, there are a variety of choices that need to be made from a functionality and support standpoint. Below we discuss some of the most important areas to consider when developing your policy.
Approved Devices/Applications
Businesses need to clearly communicate exactly which devices will be usable within the established BYOD policy. Ideally all devices will be able to provide a consistent user experience, but complications in policy development may create restrictions on device usage. Certainly this may contradict the idea of bringing your own device if certain devices are excluded (i.e. a strictly iOS policy), but it is acceptable as long as employees are informed in advance.
Policy developers will also need to consider the third party applications that employees will be able to access under the BYOD policy. Certain applications that share a large amount of data may compromise the security considerations of a BYOD policy. It is key for policy makers to identify a list of popular applications/types of applications that will be allowed/banned.
Data Ownership
Data ownership is an easy consideration on the surface – companies own the data that employees are accessing on internal servers, and in many cases this information is legally protected (i.e. patient records). The issue arises when a device is compromised in some way (stolen, hacked, etc..) and needs to be remotely wiped. A traditional wipe will remove all data on the phone, including potentially irreplaceable personal data such as pictures and music (Hassell, 2012). When developing policies, it is wise to establish a system to backup this information on a regular basis to ensure that this problem does not arise.
Device Support
Employees will want to know what support is available from the internal IT department. Policies must be developed to determine what happens in the event that a device is broken on site. A policy for training and maintenance will also need to be clearly outlined to establish the procedure to provide these services efficiently from both a cost and operational standpoint.
Permitted Use
A thorough BYOD policy will need to outline exactly who is permitted to use devices and where. In clinical environments, Infection Control will need to become involved to establish, at the very minimum, where these devices can be used so that physicians and patients are not transferring germs on the surfaces of these devices (disinfection policies can help to break down some of these barriers).
Managing the staff usage of these devices is one thing, but what happens if a patient or guest want to bring their own device? Tablets and other mobile devices can go a long way in helping to keep patients and other guests comfortable during their visits, so including these groups in a BYOD initiative can help to improve overall patient care. Again, Infection Control will need to be involved to determine usage restrictions and disinfection policies, but as mobile device adoption continues to increase this could become a crucial area of BYOD policies.
Remote Access
A BYOD policy is effective for employees within the walls of the hospital or office, but what happens when travel comes into the picture? When a clinician needs to travel or a hospital needs to host a visiting doctor, will they truly be able to bring their own device?
For travelling doctors, most third party applications can be accessed from anywhere, but access to your internal network could be a potential security threat. Traveling clinicians can be given access to the network remotely via a VPN, but even that is not without its risks. Hospitals will need to determine the best course of action for their own personal network, based on the framework of the overall security plans.
Similarly, for those hospitals that are hosting visiting clinicians the decision will need to be made whether or not these guests should be given access to the internal network. In most cases guest access can be granted, but the initial setup time may be viewed as a hassle for both parties. An established BYOD policy should help hospital networks that frequently work together determine the best course of action for empowering their employees and visiting staff to effectively perform their duties.
Exit Strategy
When dealing with personal devices, an exit strategy is one of the most key components of security. Your BYOD policy should have a plan in place to quickly remove access to the network, email, and confidential information with minimal impact on personal data. The easiest way to execute an exit strategy is to have employees routinely back up their personal data so that it can be retrieved after a complete wipe of their system takes place. Other options are available, but may be more time consuming and manual, so it is best to have an exit strategy as a part of your BYOD policy from day one.
Takeaway
There is plenty to consider when developing a BYOD policy, and it is certainly not a task that should be tackled by one person. Your entire team, including those involved in IT or anyone supporting the policy, need to be on the same page to ensure maximum operating efficiency. When this is the case, a BYOD policy can be a great way to improve your patient care and overall productivity.
One thing not included here that should also be a part of your BYOD policy is disinfection. Bacteria have the ability to linger on the surfaces of your mobile devices, and can pose a risk to both your patients, staff, and those who they come in contact with. Frequently cleaning and disinfecting your devices will help to ensure the safety of everyone who comes in contact with them.
About the Author
David Engelhardt has over 26 years of experience in software and hardware solutions development in healthcare and manufacturing, with a particular focus on mobile technologies. David is the founder and President of ReadyDock Inc. He is passionate and committed to providing safe, and workflow efficient methods to enable clinicians and patients to enhance care through the use of innovative technologies. In the small window of time when he is not working or spending time with his amazing wife and daughter, he spends his time playing USTA tennis, collecting vinyl records, and shaping music and sound in his recording studio.